A user study of policy creation in a flexible access-control system

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

A user study of policy creation in a flexible access-control system

Full text

Pdf (377 KB)

Source

Conference on Human Factors in Computing Systems archive
Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems table of contents

Florence, Italy

SESSION: Policy, Telemedicine, and Enterprise table of contents

Pages 543-552

Year of Publication: 2008

ISBN:978-1-60558-011-1

Authors

Lujo Bauer	Carnegie Mellon University, Pittsburgh, PA, USA
Lorrie Faith Cranor	Carnegie Mellon University, Pittsburgh, PA, USA
Robert W. Reeder	Carnegie Mellon University, Pittsburgh, PA, USA
Michael K. Reiter	University of North Carolina, Chapel Hill, NC, USA
Kami Vaniea	Carnegie Mellon University, Pittsburgh, PA, USA

Sponsors

ACM: Association for Computing Machinery
SIGCHI: ACM Special Interest Group on Computer-Human Interaction

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 27, Downloads (12 Months): 190, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1357054.1357143 What is a DOI?

ABSTRACT

Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little has been done to evaluate these systems in practical situations with real users, and few attempts have been made to discover and analyze the access-control policies that users actually want to implement. We report on a user study in which we derive the ideal access policies desired by a group of users for physical security in an office environment. We compare these ideal policies to the policies the users actually implemented with keys and with a smartphone-based distributed access-control system. We develop a methodology that allows us to show quantitatively that the smartphone system allowed our users to implement their ideal policies more accurately and securely than they could with keys, and we describe where each system fell short.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Martín Abadi, On SDSI's linked local name spaces, Journal of Computer Security, v.6 n.1-2, p.3-21, Sept. 1998
	2	Andrew W. Appel , Edward W. Felten, Proof-carrying authentication, Proceedings of the 6th ACM conference on Computer and communications security, p.52-62, November 01-04, 1999, Kent Ridge Digital Labs, Singapore [doi>10.1145/319709.319718]
	3	Lujo Bauer , Lorrie Faith Cranor , Michael K. Reiter , Kami Vaniea, Lessons learned from the deployment of a smartphone-based access-control system, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania [doi>10.1145/1280680.1280689]
	4	L. Bauer, S. Garriss, J. M. McCune, M. K. Reiter, J. Rouse, and P. Rutenbar. Device--enabled authorization in the Grey system. In Proceedings of the 8th Information Security Conference, Sept. 2005.
	5	L. Bauer, S. Garriss, and M. K. Reiter. Efficient proving for practical distributed access-control systems. In Computer Security-ESORICS 2007: 12th European Symposium on Research in Computer Security, Sept. 2007.
	6	Allan Beaufour , Philippe Bonnet, Personal Servers as Digital Keys, Proceedings of the Second IEEE International Conference on Pervasive Computing and Communications (PerCom'04), p.319, March 14-17, 2004
	7	D. F. Ferraiolo, D. M. Gilbert, and N. Lynch. An examination of federal and commercial access control policy needs. In 16th National Computer Security Conference, pages 107--116, 1993.
	8	Apu Kapadia , Geetanjali Sampemane , Roy H. Campbell, KNOW Why your access was denied: regulating feedback for usable security, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA [doi>10.1145/1030083.1030092]
	9	Scott Lederer , I. Hong , K. Dey , A. Landay, Personal privacy through understanding and action: five pitfalls for designers, Personal and Ubiquitous Computing, v.8 n.6, p.440-454, November 2004 [doi>10.1007/s00779-004-0304-9]
	10	Ninghui Li , C. Mitchell, Understanding SPKI/SDSI using first-order logic, International Journal of Information Security, v.5 n.1, p.48-64, January 2006 [doi>10.1007/s10207-005-0073-0]
	11	Ninghui Li , John C. Mitchell , William H. Winsborough, Design of a Role-Based Trust-Management Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.114, May 12-15, 2002
	12	Roy A. Maxion , Robert W. Reeder, Improving user-interface dependability through mitigation of human error, International Journal of Human-Computer Studies, v.63 n.1-2, p.25-50, July 2005 [doi>10.1016/j.ijhcs.2005.04.009]
	13	Tara Whalen , Diana Smetters , Elizabeth F. Churchill, User experiences with sharing and access control, CHI '06 extended abstracts on Human factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada [doi>10.1145/1125451.1125729]
	14	Feng Zhu , Matt W. Mutka , Lionel M. Ni, The Master Key: A Private Authentication Approach for Pervasive Computing Environments, Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computing and Communications, p.212-221, March 13-17, 2006 [doi>10.1109/PERCOM.2006.47]