A user study of policy creation in a flexible access-control system

Authors:
Lujo Bauer;Lorrie Faith Cranor;Robert W. Reeder;Michael K. Reiter;Kami Vaniea
Affiliations:
Carnegie Mellon University, Pittsburgh, PA, USA;Carnegie Mellon University, Pittsburgh, PA, USA;Carnegie Mellon University, Pittsburgh, PA, USA;University of North Carolina, Chapel Hill, NC, USA;Carnegie Mellon University, Pittsburgh, PA, USA
Venue:
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Year:
2008

Citing 13
Cited 12

Proof-carrying authentication

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
On SDSI's linked local name spaces

Journal of Computer Security
Design of a Role-Based Trust-Management Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Personal Servers as Digital Keys

PERCOM '04 Proceedings of the Second IEEE International Conference on Pervasive Computing and Communications (PerCom'04)
KNOW Why your access was denied: regulating feedback for usable security

Proceedings of the 11th ACM conference on Computer and communications security
Personal privacy through understanding and action: five pitfalls for designers

Personal and Ubiquitous Computing
Improving user-interface dependability through mitigation of human error

International Journal of Human-Computer Studies - Special isssue: HCI research in privacy and security is critical now
User experiences with sharing and access control

CHI '06 Extended Abstracts on Human Factors in Computing Systems
Understanding SPKI/SDSI using first-order logic

International Journal of Information Security
The Master Key: A Private Authentication Approach for Pervasive Computing Environments

PERCOM '06 Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computing and Communications
Lessons learned from the deployment of a smartphone-based access-control system

Proceedings of the 3rd symposium on Usable privacy and security
Device-enabled authorization in the grey system

ISC'05 Proceedings of the 8th international conference on Information Security
Efficient proving for practical distributed access-control systems

ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security

Trusted Privacy Domains --- Challenges for Trusted Computing in Privacy-Protecting Information Sharing

ISPEC '09 Proceedings of the 5th International Conference on Information Security Practice and Experience
Private location-based information retrieval through user collaboration

Computer Communications
Access Control for Home Data Sharing: Attitudes, Needs and Practices

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Optimizing a policy authoring framework for security and privacy policies

Proceedings of the Sixth Symposium on Usable Privacy and Security
The home needs an operating system (and an app store)

Hotnets-IX Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks
Challenges in access right assignment for secure home networks

HotSec'10 Proceedings of the 5th USENIX conference on Hot topics in security
Nexus authorization logic (NAL): Design rationale and applications

ACM Transactions on Information and System Security (TISSEC)
More than skin deep: measuring effects of the underlying model on access-control system usability

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Home automation in the wild: challenges and opportunities

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Sentential access control

Proceedings of the 50th Annual Southeast Regional Conference
An operating system for the home

NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
Relating declarative semantics and usability in access control

Proceedings of the Eighth Symposium on Usable Privacy and Security

Quantified Score

Hi-index	0.01

Visualization

Abstract

Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little has been done to evaluate these systems in practical situations with real users, and few attempts have been made to discover and analyze the access-control policies that users actually want to implement. We report on a user study in which we derive the ideal access policies desired by a group of users for physical security in an office environment. We compare these ideal policies to the policies the users actually implemented with keys and with a smartphone-based distributed access-control system. We develop a methodology that allows us to show quantitatively that the smartphone system allowed our users to implement their ideal policies more accurately and securely than they could with keys, and we describe where each system fell short.