DOI: 10.1145/1572532.1572552
research-article

How users use access control

Published: 15 July 2009

Abstract

Existing technologies for file sharing differ widely in the granularity of control they give users over who can access their data; achieving finer-grained control generally requires more user effort. We want to understand what level of control users need over their data, by examining what sorts of access policies users actually create in practice.
We used automated data mining techniques to examine the real-world use of access control features present in standard document sharing systems in a corporate environment as used over a long (> 10 year) time span. We find that while users rarely need to change access policies, the policies they do express are actually quite complex. We also find that users participate in larger numbers of access control and email sharing groups than measured by self-report in previous studies. We hypothesize that much of this complexity might be reduced by considering these policies as examples of simpler access control patterns. From our analysis of what access control features are used and where errors are made, we propose a set of design guidelines for access control systems themselves and the tools used to manage them, intended to increase usability and decrease error.

Information & Contributors

Information

Published In

SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security
July 2009
205 pages
ISBN: 9781605587363
DOI: 10.1145/1572532

Sponsors

  • Carnegie Mellon CyLab
  • Google Inc.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. file sharing
  3. usability

Qualifiers

  • Research-article

Conference

SOUPS '09
SOUPS '09: Symposium on Usable Privacy and Security
July 15 - 17, 2009
Mountain View, California, USA

Acceptance Rates

SOUPS '09 Paper Acceptance Rate 15 of 49 submissions, 31%;
Overall Acceptance Rate 15 of 49 submissions, 31%

Article Metrics

  • Downloads (Last 12 months): 45
  • Downloads (Last 6 weeks): 6

Reflects downloads up to 11 Dec 2024

Cited By

  • (2024) Cognition Behind Access Control: A Usability Comparison of Rule- and Category-Based Mechanisms. ICT Systems Security and Privacy Protection, pages 367-380. DOI: 10.1007/978-3-031-65175-5_26. Online publication date: 26-Jul-2024
  • (2023) Effective Collaboration in the Management of Access Control Policies: A Survey of Tools. IEEE Access, 11, pages 13929-13947. DOI: 10.1109/ACCESS.2023.3242863. Online publication date: 2023
  • (2023) Maintain High-Quality Access Control Policies: An Academic and Practice-Driven Approach. Data and Applications Security and Privacy XXXVII, pages 223-242. DOI: 10.1007/978-3-031-37586-6_14. Online publication date: 12-Jul-2023
  • (2022) Weaving Privacy and Power. Proceedings of the ACM on Human-Computer Interaction, 6:CSCW2, pages 1-33. DOI: 10.1145/3555574. Online publication date: 11-Nov-2022
  • (2022) On the Analysis of MUD-Files’ Interactions, Conflicts, and Configuration Requirements Before Deployment. The Fifth International Conference on Safety and Security with IoT, pages 137-157. DOI: 10.1007/978-3-030-94285-4_9. Online publication date: 8-Jan-2022
  • (2021) Making Access Control Easy in IoT. Human Aspects of Information Security and Assurance, pages 127-137. DOI: 10.1007/978-3-030-81111-2_11. Online publication date: 8-Jul-2021
  • (2020) Measuring the Usability of Firewall Rule Sets. IEEE Access, 8, pages 27106-27121. DOI: 10.1109/ACCESS.2020.2971093. Online publication date: 2020
  • (2019) Consumer Smart Homes. Proceedings of the 20th International Workshop on Mobile Computing Systems and Applications, pages 117-122. DOI: 10.1145/3301293.3302371. Online publication date: 22-Feb-2019
  • (2019) Multitenant Access Control for Cloud-Aware Distributed Filesystems. IEEE Transactions on Dependable and Secure Computing, 16:6, pages 1070-1085. DOI: 10.1109/TDSC.2017.2715839. Online publication date: 1-Nov-2019
  • (2019) Web-application Security Evaluation as a Service with Cloud Native Environment Support. 2019 International Conference on Advancements in Computing (ICAC), pages 357-362. DOI: 10.1109/ICAC49085.2019.9103414. Online publication date: Dec-2019
