KNOW Why your access was denied: regulating feedback for usable security

Authors:
Apu Kapadia;Geetanjali Sampemane;Roy H. Campbell
Affiliations:
University of Illinois at Urbana-Champaign;University of Illinois at Urbana-Champaign;University of Illinois at Urbana-Champaign
Venue:
Proceedings of the 11th ACM conference on Computer and communications security
Year:
2004

Citing 16
Cited 15

Graph-Based Algorithms for Boolean Function Manipulation

IEEE Transactions on Computers
Heuristics to compute variable orderings for efficient manipulation of ordered binary decision diagrams

DAC '91 Proceedings of the 28th ACM/IEEE Design Automation Conference
Who are the variables in your neighborhood

ICCAD '95 Proceedings of the 1995 IEEE/ACM international conference on Computer-aided design
Improving the Variable Ordering of OBDDs Is NP-Complete

IEEE Transactions on Computers
User-centered security

NSPW '96 Proceedings of the 1996 workshop on New security paradigms
A uniform framework for regulating service access and information release on the web

Journal of Computer Security
Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation

ACM Transactions on Information and System Security (TISSEC)
The Interactive Workspaces Project: Experiences with Ubiquitous Computing Rooms

IEEE Pervasive Computing
A Middleware Infrastructure for Active Spaces

IEEE Pervasive Computing
Exponential Lower Bounds on the Size of OBDDs Representing Integer Divistion

ISAAC '97 Proceedings of the 8th International Symposium on Algorithms and Computation
User Interaction Design for Secure Systems

ICICS '02 Proceedings of the 4th International Conference on Information and Communications Security
Access Control for Active Spaces

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
A Unified Scheme for Resource Protection in Automated Trust Negotiation

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A Component-Based Architecture for Secure Data Publication

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
On variable ordering of binary decision diagrams for the application of multi-level logic synthesis

EURO-DAC '91 Proceedings of the conference on European design automation
Learning-assisted automated planning: looking back, taking stock, going forward

AI Magazine

Secure context-sensitive authorization

Pervasive and Mobile Computing
Intentional access management: making access control usable for end-users

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
PolicyMorph: interactive policy transformations for a logical attribute-based access control framework

Proceedings of the 12th ACM symposium on Access control models and technologies
Lessons learned from the deployment of a smartphone-based access-control system

Proceedings of the 3rd symposium on Usable privacy and security
A user study of policy creation in a flexible access-control system

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Interactive access control for autonomic systems: From theory to implementation

ACM Transactions on Autonomous and Adaptive Systems (TAAS)
A decision support system for secure information sharing

Proceedings of the 14th ACM symposium on Access control models and technologies
Advanced Policy Explanations on the Web

Proceedings of the 2006 conference on ECAI 2006: 17th European Conference on Artificial Intelligence August 29 -- September 1, 2006, Riva del Garda, Italy
Laissez-faire file sharing: access control designed for individuals at the endpoints

NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
A RT0-based compliance checker model for automated trust negotiation

PAISI'07 Proceedings of the 2007 Pacific Asia conference on Intelligence and security informatics
The role of abduction in declarative authorization policies

PADL'08 Proceedings of the 10th international conference on Practical aspects of declarative languages
Policy framework for security and privacy management

IBM Journal of Research and Development
Cue: a framework for generating meaningful feedback in XACML

Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
An intelligent information sharing control system for dynamic collaborations

Proceedings of the 8th International Conference on Frontiers of Information Technology
More than skin deep: measuring effects of the underlying model on access-control system usability

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

We examine the problem of providing useful feedback about access control decisions to users while controlling the disclosure of the system's security policies. Relevant feedback enhances system usability, especially in systems where permissions change in unpredictable ways depending on contextual information. However, providing feedback indiscriminately can violate the confidentiality of system policy. To achieve a balance between system usability and the protection of security policies, we present Know, a framework that uses cost functions to provide feedback to users about access control decisions. Know honors the policy protection requirements, which are represented as a meta-policy, and generates permissible and relevant feedback to users on how to obtain access to a resource. To the best of our knowledge, our work is the first to address the need for useful access control feedback while honoring the privacy and confidentiality requirements of a system's security policy.