Expandable grids for visualizing and authoring computer security policies
Source
Conference on Human Factors in Computing Systems
Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems
Florence, Italy
SESSION: Visualizations
Pages 1473-1482
Year of Publication: 2008
ISBN: 978-1-60558-011-1
Authors
Robert W. Reeder  Carnegie Mellon University, Pittsburgh, PA, USA
Lujo Bauer  Carnegie Mellon University, Pittsburgh, PA, USA
Lorrie Faith Cranor  Carnegie Mellon University, Pittsburgh, PA, USA
Michael K. Reiter  University of North Carolina at Chapel Hill, Chapel Hill, NC, USA
Kelli Bacon  Gonzaga University, Spokane, WA, USA
Keisha How  Carnegie Mellon University, Pittsburgh, PA, USA
Heather Strong  Carnegie Mellon University, Pittsburgh, PA, USA
Sponsors
ACM: Association for Computing Machinery
SIGCHI: ACM Special Interest Group on Computer-Human Interaction
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1357054.1357285

ABSTRACT

We introduce the Expandable Grid, a novel interaction technique for creating, editing, and viewing many types of security policies. Security policies, such as file permissions policies, have traditionally been displayed and edited in user interfaces based on a list of rules, each of which can only be viewed or edited in isolation. These list-of-rules interfaces cause problems for users when multiple rules interact, because the interfaces have no means of conveying the interactions amongst rules to users. Instead, users are left to figure out these rule interactions themselves. An Expandable Grid is an interactive matrix visualization designed to address the problems that list-of-rules interfaces have in conveying policies to users. This paper describes the Expandable Grid concept, shows a system using an Expandable Grid for setting file permissions in the Microsoft Windows XP operating system, and gives results of a user study involving 36 participants in which the Expandable Grid approach vastly outperformed the native Windows XP file-permissions interface on a broad range of policy-authoring tasks.

