DOI: 10.1145/1719030.1719032
research-article

Laissez-faire file sharing: access control designed for individuals at the endpoints

Published: 08 September 2009

Abstract

When organizations deploy file systems with access control mechanisms that prevent users from reliably sharing files with others, these users will inevitably find alternative means to share. Alas, these alternatives rarely provide the same level of confidentiality, integrity, or auditability provided by the prescribed file systems. Thus, the imposition of restrictive mechanisms and policies by system designers and administrators may actually reduce the system's security.
We observe that the failure modes of file systems that enforce centrally-imposed access control policies are similar to the failure modes of centrally planned economies: individuals either learn to circumvent these restrictions as matters of necessity or desert the system entirely, subverting the goals behind the central policy.
We formalize requirements for laissez-faire sharing, which parallel the requirements of free market economies, to better address the file sharing needs of information workers. Because individuals are less likely to feel compelled to circumvent systems that meet these laissez-faire requirements, such systems have the potential to increase both productivity and security.

Published In

NSPW '09: Proceedings of the 2009 workshop on New security paradigms workshop
September 2009
156 pages
ISBN:9781605588452
DOI:10.1145/1719030

In-Cooperation

  • NSF: National Science Foundation
  • Computer Associates Inc.
  • Microsoft Research: Microsoft Research
  • U.S. Department of Homeland Security
  • U.S. Department of Defense

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control management
  2. file sharing

Qualifiers

  • Research-article

Conference

NSPW '09
NSPW '09: 2009 New Security Paradigms Workshop
September 8 - 11, 2009
Oxford, United Kingdom

Acceptance Rates

NSPW '09 Paper Acceptance Rate 12 of 36 submissions, 33%;
Overall Acceptance Rate 98 of 265 submissions, 37%

Article Metrics

  • Downloads (Last 12 months): 9
  • Downloads (Last 6 weeks): 1

Reflects downloads up to 23 Jan 2025

Cited By

  • (2025) DriveGroups: Using Group Perspective for Usable Data Sharing in Research Collaborations. Proceedings of the ACM on Human-Computer Interaction, 10.1145/3701192, 9:1 (1-28). Online publication date: 10-Jan-2025
  • (2020) Mood and personal information management: how we feel influences how we organize our information. Personal and Ubiquitous Computing, 10.1007/s00779-020-01412-4. Online publication date: 12-Jun-2020
  • (2019) The ubiquitous digital file. Journal of the Association for Information Science and Technology, 10.1002/asi.24222, 71:1 (E1-E32). Online publication date: 4-Dec-2019
  • (2015) Building a Better World with our Information: The Future of Personal Information Management, Part 3. Synthesis Lectures on Information Concepts, Retrieval, and Services, 10.2200/S00653ED1V01Y201506ICR042, 7:4 (1-203). Online publication date: 25-Aug-2015
  • (2014) Usable Security: History, Themes, and Challenges. Synthesis Lectures on Information Security, Privacy, and Trust, 10.2200/S00594ED1V01Y201408SPT011, 5:2 (1-124). Online publication date: 20-Sep-2014
  • (2014) I'm OK, You're OK, the System's OK. Proceedings of the 2014 New Security Paradigms Workshop, 10.1145/2683467.2683476 (95-104). Online publication date: 15-Sep-2014
  • (2014) An Asset to Security Modeling? Proceedings of the 2014 New Security Paradigms Workshop, 10.1145/2683467.2683474 (69-82). Online publication date: 15-Sep-2014
  • (2014) Policy override in practice. Security and Communication Networks, 10.1002/sec.547, 7:1 (139-156). Online publication date: 1-Jan-2014
  • (2013) Runtime adaptive multi-factor authentication for mobile devices. IBM Journal of Research and Development, 10.1147/JRD.2013.2281123, 57:6 (8-8). Online publication date: 1-Nov-2013
  • (2013) Usable security as a static-analysis problem. Proceedings of the 2013 ACM international symposium on New ideas, new paradigms, and reflections on programming & software, 10.1145/2509578.2509589 (1-16). Online publication date: 29-Oct-2013
