
Analyzing and Optimizing Access Control Choice Architectures in Online Social Networks

Published: 11 May 2017

Abstract

The way users manage access to their information and computers has a tremendous effect on the overall security and privacy of individuals and organizations. Usually, access management is conducted using a choice architecture, a behavioral economics concept that describes the way decisions are framed to users. Studies have consistently shown that the design of choice architectures, mainly the selection of default options, has a strong effect on the final decisions users make by nudging them toward certain behaviors. In this article, we propose a method for optimizing access control choice architectures in online social networks. We empirically evaluate the methodology on Facebook, the world's largest online social network, by measuring how well the default options cover the existing user choices and preferences and toward which outcome the choice architecture nudges users. The evaluation includes two parts: (a) collecting access control decisions made by 266 users of Facebook for a period of 3 months; and (b) surveying 533 participants who were asked to express their preferences regarding default options. We demonstrate how optimal defaults can be algorithmically identified from users’ decisions and preferences, and we measure how existing defaults address users’ preferences compared with the optimal ones. We analyze how access control defaults can better serve existing users, and we discuss how our method can be used to establish a common measuring tool when examining the effects of default options.


Published In

ACM Transactions on Intelligent Systems and Technology, Volume 8, Issue 4
Special Issue: Cyber Security and Regular Papers
July 2017
288 pages
ISSN: 2157-6904
EISSN: 2157-6912
DOI: 10.1145/3055535
Editor: Yu Zheng

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 11 May 2017
Accepted: 01 January 2017
Revised: 01 December 2016
Received: 01 March 2016
Published in TIST Volume 8, Issue 4

Author Tags

  1. Access control
  2. choice architecture
  3. privacy
  4. social networks

Qualifiers

  • Research-article
  • Research
  • Refereed

Cited By

  • (2024) Enhancing User Acceptance of an AI Agent’s Recommendation in Information-Sharing Environments. Applied Sciences 14:17 (7874). DOI: 10.3390/app14177874. Online publication date: 4-Sep-2024
  • (2024) Privacy Preservation in Online Social Networks. Online Social Networks in Business Frameworks (625-639). DOI: 10.1002/9781394231126.ch28. Online publication date: 20-Sep-2024
  • (2022) A Game Theory Approach for Assisting Humans in Online Information-Sharing. Information 13:4 (183). DOI: 10.3390/info13040183. Online publication date: 2-Apr-2022
  • (2022) Security and Privacy of Customer Data as an Element Creating the Image of the Company. Management Systems in Production Engineering 30:2 (156-162). DOI: 10.2478/mspe-2022-0019. Online publication date: 19-May-2022
  • (2022) Community detection for access-control decisions: Analysing the role of homophily and information diffusion in Online Social Networks. Online Social Networks and Media 29 (100203). DOI: 10.1016/j.osnem.2022.100203. Online publication date: May-2022
  • (2021) Nudging users towards online safety using gamified environments. Computers and Security 108:C. DOI: 10.1016/j.cose.2021.102270. Online publication date: 1-Sep-2021
  • (2019) A Trust Computing-based Security Routing Scheme for Cyber Physical Systems. ACM Transactions on Intelligent Systems and Technology 10:6 (1-27). DOI: 10.1145/3321694. Online publication date: 13-Nov-2019
  • (2018) The Privacy Implications of Cyber Security Systems. ACM Computing Surveys 51:2 (1-27). DOI: 10.1145/3172869. Online publication date: 20-Feb-2018
  • (2017) Cyber Security and the Role of Intelligent Systems in Addressing its Challenges. ACM Transactions on Intelligent Systems and Technology 8:4 (1-12). DOI: 10.1145/3057729. Online publication date: 11-May-2017
