TU Darmstadt / ULB / TUbiblio

How Users Bypass Access Control and Why: The Impact of Authorization Problems on Individuals and the Organization

Bartsch, Steffen ; Sasse, Angela (2012)
How Users Bypass Access Control and Why: The Impact of Authorization Problems on Individuals and the Organization.
Report, Bibliographie

Kurzbeschreibung (Abstract)

Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not show the full range of problems, their impact on organizations, and underlying causes. We present a study of 118 individual's experiences of authorization measures in a multi-national company and their self-reported subsequent behavior. We follow the recent advances in applying economic models to security usability and analyze the interrelations of authorization issues with individuals' behaviors and organizational goals. Our results indicate that authorization problems significantly impact the productivity and effective security of organizations. From the data, we derive authorization Personas and their daily problems, which are to a large extent caused by the procedures for policy changes and the decision-making, and lead to the circumvention of the measure. As one research contribution, we develop a holistic model of authorization problems. More practically, we recommend to monitor non-compliance, such as password-sharing, for indications of authorization problems, and to establish light-weight procedures for policy changes with adequate degrees of centralization and formalization, and support for decision-making.

Typ des Eintrags: Report
Erschienen: 2012
Autor(en): Bartsch, Steffen ; Sasse, Angela
Art des Eintrags: Bibliographie
Titel: How Users Bypass Access Control and Why: The Impact of Authorization Problems on Individuals and the Organization
Sprache: Englisch
Publikationsjahr: Mai 2012
(Heft-)Nummer: RN/12/06
Veranstaltungsort: London, UK
Kurzbeschreibung (Abstract):

Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not show the full range of problems, their impact on organizations, and underlying causes. We present a study of 118 individual's experiences of authorization measures in a multi-national company and their self-reported subsequent behavior. We follow the recent advances in applying economic models to security usability and analyze the interrelations of authorization issues with individuals' behaviors and organizational goals. Our results indicate that authorization problems significantly impact the productivity and effective security of organizations. From the data, we derive authorization Personas and their daily problems, which are to a large extent caused by the procedures for policy changes and the decision-making, and lead to the circumvention of the measure. As one research contribution, we develop a holistic model of authorization problems. More practically, we recommend to monitor non-compliance, such as password-sharing, for indications of authorization problems, and to establish light-weight procedures for policy changes with adequate degrees of centralization and formalization, and support for decision-making.

Freie Schlagworte: Security, Usability and Society;Secure Data
ID-Nummer: TUD-CS-2012-0179
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Theoretische Informatik - Kryptographie und Computeralgebra
20 Fachbereich Informatik > SECUSO - Security, Usability and Society
Profilbereiche
Profilbereiche > Cybersicherheit (CYSEC)
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
Hinterlegungsdatum: 28 Jul 2016 18:35
Letzte Änderung: 03 Jun 2018 21:30
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen