ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
How users use access control
Full text PdfPdf (364 KB)
Source
ACM International Conference Proceeding Series archive
Proceedings of the 5th Symposium on Usable Privacy and Security table of contents
Mountain View, California
SESSION: Tools table of contents
Article No. 15  
Year of Publication: 2009
ISBN:978-1-60558-736-3
Authors
D. K. Smetters  PARC, Palo Alto, CA
Nathan Good  PARC, Palo Alto, CA
Sponsors
: Carnegie Mellon CyLab
: Google
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 27,   Downloads (12 Months): 91,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1572532.1572552
What is a DOI?

ABSTRACT

Existing technologies for file sharing differ widely in the granularity of control they give users over who can access their data; achieving finer-grained control generally requires more user effort. We want to understand what level of control users need over their data, by examining what sorts of access policies users actually create in practice.

We used automated data mining techniques to examine the real-world use of access control features present in standard document sharing systems in a corporate environment as used over a long (> 10 year) time span. We find that while users rarely need to change access policies, the policies they do express are actually quite complex. We also find that users participate in larger numbers of access control and email sharing groups than measured by self-report in previous studies. We hypothesize that much of this complexity might be reduced by considering these policies as examples of simpler access control patterns. From our analysis of what access control features are used and where errors are made, we propose a set of design guidelines for access control systems themselves and the tools used to manage them, intended to increase usability and decrease error.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Shane Ahern , Dean Eckles , Nathaniel S. Good , Simon King , Mor Naaman , Rahul Nair, Over-exposed?: privacy patterns and considerations in online and mobile photo sharing, Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA  [doi>10.1145/1240624.1240683]
2
Xiang Cao , Lee Iverson, Intentional access management: making access control usable for end-users, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania  [doi>10.1145/1143120.1143124]
 
3
M. Corporation. Best practices for permissions and user rights, January 2005. http://technet.microsoft.com/en-us/library/cc779601.aspx.
 
4
D. Ferraiolo and R. Kuhn. Role-based access controls. In 15th NIST-NCSC National Computer Security Conference, pages 554--563, 1992.
 
5
Flickr. http://www.flickr.com.
6
Nathaniel S. Good , Aaron Krekelberg, Usability and privacy: a study of Kazaa P2P file-sharing, Proceedings of the SIGCHI conference on Human factors in computing systems, April 05-10, 2003, Ft. Lauderdale, Florida, USA  [doi>10.1145/642611.642636]
 
7
H. Krawczyk , M. Bellare , R. Canetti, HMAC: Keyed-Hashing for Message Authentication, RFC Editor, 1997
8
Shyong (Tony) K. Lam , Elizabeth Churchill, The social web: global village or private cliques?, Proceedings of the 2007 conference on Designing for User eXperiences, November 05-07, 2007, Chicago, Illinois  [doi>10.1145/1389908.1389929]
9
Eric Lieberman , Robert C. Miller, Facemail: showing faces of recipients to prevent misdirected email, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania  [doi>10.1145/1280680.1280696]
 
10
Roy A. Maxion , Robert W. Reeder, Improving user-interface dependability through mitigation of human error, International Journal of Human-Computer Studies, v.63 n.1-2, p.25-50, July 2005  [doi>10.1016/j.ijhcs.2005.04.009]
11
Andrew D. Miller , W. Keith Edwards, Give and take: a study of consumer photo-sharing culture and practice, Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA  [doi>10.1145/1240624.1240682]
12
Judith S. Olson , Jonathan Grudin , Eric Horvitz, A study of preferences for sharing and privacy, CHI '05 extended abstracts on Human factors in computing systems, April 02-07, 2005, Portland, OR, USA  [doi>10.1145/1056808.1057073]
13
Robert W. Reeder , Lujo Bauer , Lorrie Faith Cranor , Michael K. Reiter , Kelli Bacon , Keisha How , Heather Strong, Expandable grids for visualizing and authoring computer security policies, Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, April 05-10, 2008, Florence, Italy  [doi>10.1145/1357054.1357285]
14
Jennifer Rode , Carolina Johansson , Paul DiGioia , Roberto Silva Filho , Kari Nies , David H. Nguyen , Jie Ren , Paul Dourish , David Redmiles, Seeing further: extending visualization as a basis for usable security, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania  [doi>10.1145/1143120.1143138]
 
15
Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
16
Stephen Voida , W. Keith Edwards , Mark W. Newman , Rebecca E. Grinter , Nicolas Ducheneaut, Share and share alike: exploring the user interface affordances of file sharing, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada  [doi>10.1145/1124772.1124806]
17
Tara Whalen , Diana Smetters , Elizabeth F. Churchill, User experiences with sharing and access control, CHI '06 extended abstracts on Human factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada  [doi>10.1145/1125451.1125729]
 
18
M. E. Zurko, R. Simon, and T. Sanfilippo. A user-centered, modular authorization service built on an RBAC foundation. In IEEE Symposium on Security and Privacy, pages 57--71, 1999.
19
Mary Ellen Zurko , Richard T. Simon, User-centered security, Proceedings of the 1996 workshop on New security paradigms, p.27-33, September 17-20, 1996, Lake Arrowhead, California, United States  [doi>10.1145/304851.304859]

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Access controls

Additional Classification:
  H. Information Systems
  H.1 MODELS AND PRINCIPLES
      H.1.2 User/Machine Systems
          Subjects: Human information processing; Human factors


General Terms:
Design, Human Factors, Security


Keywords:
access control, file sharing, usability

Collaborative Colleagues:
D. K. Smetters: colleagues
Nathan Good: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player