ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Real life challenges in access-control management
Full text PdfPdf (625 KB)
Source
Conference on Human Factors in Computing Systems archive
Proceedings of the 27th international conference on Human factors in computing systems table of contents
Boston, MA, USA
SESSION: Security table of contents
Pages 899-908  
Year of Publication: 2009
ISBN:978-1-60558-246-7
Authors
Lujo Bauer  Carnegie Mellon University, Pittsburgh, PA, USA
Lorrie Faith Cranor  Carnegie Mellon University, Pittsburgh, PA, USA
Robert W. Reeder  Microsoft, Redmond, WA, USA
Michael K. Reiter  University of North Carolina, Chapel Hill, NC, USA
Kami Vaniea  Carnegie Mellon University, Pittsburgh, PA, USA
Sponsors
SIGCHI: ACM Special Interest Group on Computer-Human Interaction
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 46,   Downloads (12 Months): 205,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1518701.1518838
What is a DOI?

ABSTRACT

In this work we ask the question: what are the challenges of managing a physical or file system access-control policy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-control policy for either a file system or a physical space. Based on these interviews we identified three sets of real-world requirements that are either ignored or inadequately addressed by technology: 1) policies are made/implemented by multiple people; 2) policy makers are distinct from policy implementers; and 3) access-control systems don't always have the capability to implement the desired policy. We present our interview results and propose several possible solutions to address the observed issues.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Martín Abadi, On SDSI's linked local name spaces, Journal of Computer Security, v.6 n.1-2, p.3-21, Sept. 1998
2
Andrew W. Appel , Edward W. Felten, Proof-carrying authentication, Proceedings of the 6th ACM conference on Computer and communications security, p.52-62, November 01-04, 1999, Kent Ridge Digital Labs, Singapore  [doi>10.1145/319709.319718]
3
Rob Barrett , Eser Kandogan , Paul P. Maglio , Eben M. Haber , Leila A. Takayama , Madhu Prabaker, Field studies of computer system administrators: analysis of system management tools and practices, Proceedings of the 2004 ACM conference on Computer supported cooperative work, November 06-10, 2004, Chicago, Illinois, USA  [doi>10.1145/1031607.1031672]
 
4
L. Bauer, L. Cranor, R. W. Reeder, M. K. Reiter, and
 
5
K. Vaniea. A user study of policy creation in a flexible access-control system. In CHI, 2008.
 
6
Lujo Bauer , Scott Garriss , Michael K. Reiter, Distributed Proving in Access-Control Systems, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.81-95, May 08-11, 2005  [doi>10.1109/SP.2005.9]
 
7
Allan Beaufour , Philippe Bonnet, Personal Servers as Digital Keys, Proceedings of the Second IEEE International Conference on Pervasive Computing and Communications (PerCom'04), p.319, March 14-17, 2004
 
8
Hugh Beyer , Karen Holtzblatt, Contextual design: defining customer-centered systems, Morgan Kaufmann Publishers Inc., San Francisco, CA, 1998
9
David Botta , Rodrigo Werlinger , André Gagné , Konstantin Beznosov , Lee Iverson , Sidney Fels , Brian Fisher, Towards understanding IT security professionals and their tools, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania  [doi>10.1145/1280680.1280693]
10
Carolyn A. Brodie , Clare-Marie Karat , John Karat, An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania  [doi>10.1145/1143120.1143123]
 
11
D. Cappelli, A. Desai, A. Moore, T. Shimeall, E. Weaver, and B. Willke. Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers' Information, Systems, or Networks. Technical Report CMU/SEI-2006-TN-041, CERT, Software Engineering Institute at Carnegie Mellon University and Cylab, 2007.
 
12
B. Cleary. Employee role changes and socgen: Good lessons from a bad example, April 2008. http://www.scmagazineus.com/Employee-Role-Changes-and-SocGen-Good-lessons-from-a-badexample/article/108541/.
 
13
Paul Dourish , E. Grinter , Jessica Delgado de la Flor , Melissa Joseph, Security in the wild: user strategies for managing security as an everyday, practical problem, Personal and Ubiquitous Computing, v.8 n.6, p.391-401, November 2004  [doi>10.1007/s00779-004-0308-5]
14
Shirley Gaw , Edward W. Felten , Patricia Fernandez-Kelly, Secrecy, flagging, and paranoia: adoption criteria in encrypted email, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada  [doi>10.1145/1124772.1124862]
15
Elaine M. Huang , Khai N. Truong, Breaking the disposable technology paradigm: opportunities for sustainable interaction design for mobile phones, Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, April 05-10, 2008, Florence, Italy  [doi>10.1145/1357054.1357110]
 
16
Ninghui Li , C. Mitchell, Understanding SPKI/SDSI using first-order logic, International Journal of Information Security, v.5 n.1, p.48-64, January 2006  [doi>10.1007/s10207-005-0073-0]
 
17
M. R. Randazzo, M. Keeney, E. Kowalski, D. Cappelli, and A. Moore. Insider thread study: Illicit cyber activity in the banking and finance sector. Technical report, Carnegie Mellon University Software Engineering Institute, 2005.
18
Robert W. Reeder , Lujo Bauer , Lorrie Faith Cranor , Michael K. Reiter , Kelli Bacon , Keisha How , Heather Strong, Expandable grids for visualizing and authoring computer security policies, Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, April 05-10, 2008, Florence, Italy  [doi>10.1145/1357054.1357285]
 
19
J. Saltzer and M. Schroeder. The protection of information in computer systems. IEEE, Proceedings, 63:1278--1308, 1975.
20
Allison Woodruff , Sally Augustin , Brooke Foucault, Sabbath day home automation: "it's like mixing technology and religion", Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA  [doi>10.1145/1240624.1240710]

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection

  K. Computing Milieux
  K.4 COMPUTERS AND SOCIETY
      K.4.3 Organizational Impacts


General Terms:
Human Factors, Security


Keywords:
access control, policy creation

Collaborative Colleagues:
Lujo Bauer: colleagues
Lorrie Faith Cranor: colleagues
Robert W. Reeder: colleagues
Michael K. Reiter: colleagues
Kami Vaniea: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player