User behavior in system access terms?

• A. A person, organization entity, or automated process that accesses a system, whether authorized to do so or not.
• B. The system that enforces access control.
• C. A password used to access a system.
• D. A hardware device that stores credentials.

Answer: (A)

In system access terms, the focus is on who is attempting to use resources—the subject. This subject can be a person, an organizational entity, or an automated process that requests access to a system. Their behavior encompasses the actions they take to log in, request permissions, or perform operations, and these actions are what the access control system observes and regulates. The other elements—what enforces the rules, what proves identity, and what stores those proofs—are parts of the mechanism, not the actor: the enforcement point applies the policies, a password or other credential verifies identity, and a hardware token or card stores credentials. Because you’re describing the actor that initiates access and its behavior, the correct concept is the subject that accesses the system.