More than skin deep: Measuring effects of the underlying model on access-control system usability

Conference on Human Factors in Computing Systems - Proceedings

Volumn , Issue , 2011, Pages 2065-2074

  Reeder, Robert W ^a   Bauer, Lujo ^b   Cranor, Lorrie Faith ^c   Reiter, Michael K ^c   Vaniea, Kami ^b  

^a MICROSOFT   (United States)

^b CARNEGIE MELLON UNIVERSITY   (United States)

^c UNIVERSITY OF NORTH CAROLINA   (United States)

Author keywords

Access control; Human factors; Security

Indexed keywords

CONTROL SYSTEMS; HUMAN ENGINEERING; SEMANTICS; USER INTERFACES; WINDOWS OPERATING SYSTEM;

ACCESS CONTROL SYSTEMS; CONFLICT RESOLUTION; POLICY RULES; RESOLUTION METHODS; RULE CONFLICT; SECURITY; STATISTICALLY SIGNIFICANT DIFFERENCE; SYSTEM USABILITY; SYSTEMS POLICIES; USER STUDY;

ACCESS CONTROL;

EID: 79958090839     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1978942.1979243     Document Type: Conference Paper

References (24)

1. A. Adams and M. A. Sasse. Users are not the enemy. Communications of the ACM, 42(12):41-46, December 1999.
2. L. Bauer, L. F. Cranor, R. W. Reeder, M. K. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control system. ACM SIGCHI Conference on Human Factors in Computing Systems, pages 543-552, April 2008.
3. S. Brostoff, M. A. Sasse, D. Chadwick, J. Cunningham, U. Mbanaso, and S. Otenko. 'R-What?' Development of a role-based access control policy-writing tool for e-Scientists. Software Practice & Experience, 35(9):835-856, June 2005. (Pubitemid 40972075)
4. X. Cao and L. Iverson. Intentional access management: Making access control usable for end-users. 2nd Symposium on Usable Privacy and Security, pages 20-31, 2006. (Pubitemid 46966966)
5. D. J. Dougherty, K. Fisler, and S. Krishnamurthi. Specifying and reasoning about dynamic access-control policies. 3rd International Joint Conference on Automated Reasoning, Lecture Notes in Computer Science, Vol. 4130, pages 632-646, August 2006. (Pubitemid 44532706)
6. K. Fisler and S. Krishnamurthi. A model of triangulating environments for policy authoring. 15th ACM Symp. on Access Control Models and Technologies, p. 3-12, June 2010.
7. I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer. A secure environment for untrusted helper applications: Confining the wily hacker. 6th USENIX Security Symposium, July 1996.
8. N. S. Good and A. Krekelberg. Usability and privacy: a study of Kazaa P2P file-sharing. ACM SIGCHI Conf. on Human Factors in Computing Systems, pages 137-144, April 2003.
9. P. Inglesant, M. A. Sasse, D. Chadwick, and L. L. Shi. Expressions of expertness: The virtuous circle of natural language for access control policy specification. 2008 Symposium on Usable Privacy and Security, July 2008.
10. S. Jajodia, P. Samarati, V. S. Subrahmanian, and E. Bertino. A unified framework for enforcing multiple access control policies. 1997 ACM SIGMOD International Conference on Management of Data, pages 474-485, 1997. (Pubitemid 127456808)
11. M. Johnson, S. M. Bellovin, R. W. Reeder, and S. E. Schechter. Laissez-faire file sharing: Access control designed for individuals at the endpoints. 2009 New Security Paradigms Workshop, pages 1-10, 2009.
12. A. Kapadia, G. Sampemane, and R. H. Campbell. KNOW why your access was denied: Regulating feedback for usable security. 11th ACM Conference on Computer and Communications Security, pages 52-61, 2004. (Pubitemid 40338189)
13. C.-M. Karat, C. Brodie, and J. Karat. Usability design and evaluation for privacy and security solutions. In L. F. Cranor and S. Garfinkel, editors, Security and Usability, chapter 4, pages 47-74. O'Reilly, Sebastopol, CA, 2005.
14. C.-M. Karat, J. Karat, C. Brodie, and J. Feng. Evaluating interfaces for privacy policy rule authoring. ACM SIGCHI Conference on Human Factors in Computing Systems, pages 83-92, 2006. (Pubitemid 44032090)
15. B. W. Lampson. Protection. Operating Systems Review, 8(1):18-24, January 1974.
16. R. A. Maxion and R. W. Reeder. Improving user-interface dependability through mitigation of human error. International Journal of Human-Computer Studies, 63(1-2):25-50, July 2005. (Pubitemid 40753492)
17. R. W. Reeder. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD thesis, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA, May 2008. Available as technical report number CMU-CS-08-143.
18. R. W. Reeder, L. Bauer, L. F. Cranor, M. K. Reiter, K. Bacon, K. How, and H. Strong. Expandable grids for visualizing and authoring computer security policies. ACM SIGCHI Conference on Human Factors in Computing Systems, pages 1473-1482, April 2008.
19. J. Rode, C. Johansson, P. DiGioia, R. S. Filho, K. Nies, D. H. Nguyen, J. Ren, P. Dourish, and D. Redmiles. Seeing further: Extending visualization as a basis for usable security. 2nd Symp. on Usable Privacy and Security, pages 145-155, 2006. (Pubitemid 46970242)
20. B. Shneiderman. Direct manipulation: A step beyond programming languages. Computer, 16(8):57-69, August 1983. (Pubitemid 13590936)
21. U.S. Senate Sergeant at Arms. Report on the investigation into improper access to the Senate Judiciary Committees computer system. Available at http://judiciary.senate.gov/testimony.cfm?id=1085&witid=2514, March 2004.
22. T. Whalen, D. Smetters, and E. F. Churchill. User experiences with sharing and access control. Conference on Human Factors in Computing Systems Extended Abstracts, pages 1517-1522, April 2006.
23. M. E. Zurko, R. Simon, and T. Sanfilippo. A user-centered, modular authorization service built on an RBAC foundation. 1999 IEEE Symposium on Security and Privacy, pages 57-71, May 1999.
24. M. E. Zurko and R. T. Simon. User-centered security. Workshop on New Security Paradigms, pages 27-33, Lake Arrowhead, CA, September 1996. Available at http://www.memesoft.com/adage/.