More than skin deep: measuring effects of the underlying model on access-control system usability

Authors:
Robert W. Reeder;Lujo Bauer;Lorrie F. Cranor;Michael K. Reiter;Kami Vaniea
Affiliations:
Microsoft, Redmond, Washington, USA;Carnegie Mellon University, Pittsburgh, Pennsylvania, USA;Carnegie Mellon University, Pittsburgh, Pennsylvania, USA;University of North Carolina, Chapel Hill, Chapel Hill, N. Carolina, USA;Carnegie Mellon University, Pittsburgh, Pennsylvania, USA
Venue:
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Year:
2011

Citing 19
Cited 6

A unified framework for enforcing multiple access control policies

SIGMOD '97 Proceedings of the 1997 ACM SIGMOD international conference on Management of data
User-centered security

NSPW '96 Proceedings of the 1996 workshop on New security paradigms
Users are not the enemy

Communications of the ACM
Usability and privacy: a study of Kazaa P2P file-sharing

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
KNOW Why your access was denied: regulating feedback for usable security

Proceedings of the 11th ACM conference on Computer and communications security
‘R-What?’ Development of a role-based access control policy-writing tool for e-Scientists: Research Articles

Software—Practice & Experience - Grid Security
Improving user-interface dependability through mitigation of human error

International Journal of Human-Computer Studies - Special isssue: HCI research in privacy and security is critical now
Evaluating interfaces for privacy policy rule authoring

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
User experiences with sharing and access control

CHI '06 Extended Abstracts on Human Factors in Computing Systems
Intentional access management: making access control usable for end-users

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Seeing further: extending visualization as a basis for usable security

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
A secure environment for untrusted helper applications confining the Wily Hacker

SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
A user study of policy creation in a flexible access-control system

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Expandable grids for visualizing and authoring computer security policies

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Expressions of expertness: the virtuous circle of natural language for access control policy specification

Proceedings of the 4th symposium on Usable privacy and security
Expandable grids: a user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring

Expandable grids: a user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring
Laissez-faire file sharing: access control designed for individuals at the endpoints

NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
A model of triangulating environments for policy authoring

Proceedings of the 15th ACM symposium on Access control models and technologies
Specifying and reasoning about dynamic access-control policies

IJCAR'06 Proceedings of the Third international joint conference on Automated Reasoning

An operating system for the home

NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
Relating declarative semantics and usability in access control

Proceedings of the Eighth Symposium on Usable Privacy and Security
Studying access-control usability in the lab: lessons learned from four studies

Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment Results
Usable object management approaches for online social networks

Proceedings of the 2013 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining
Formal definitions for usable access control rule sets from goals to metrics

Proceedings of the Ninth Symposium on Usable Privacy and Security
Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.01

Visualization

Abstract

In access-control systems, policy rules conflict when they prescribe different decisions (allow or deny) for the same access. We present the results of a user study that demonstrates the significant impact of conflict-resolution method on policy-authoring usability. In our study of 54 participants, varying the conflict-resolution method yielded statistically significant differences in accuracy in five of the six tasks we tested, including differences in accuracy rates of up to 78%. Our results suggest that a conflict-resolution method favoring rules of smaller scope over rules of larger scope is more usable than the Microsoft Windows operating system's method of favoring deny rules over allow rules. Perhaps more importantly, our results demonstrate that even seemingly small changes to a system's semantics can fundamentally affect the system's usability in ways that are beyond the power of user interfaces to correct.