TU Darmstadt / ULB / TUbiblio

Broadening the Scope of Security Usability from the Individual to the Organizational: Participation and Interaction for Effective, Efficient, and Agile Authorization

Bartsch, Steffen (2012):
Broadening the Scope of Security Usability from the Individual to the Organizational: Participation and Interaction for Effective, Efficient, and Agile Authorization.
Universität Bremen, [Ph.D. Thesis]

Abstract

Restrictions and permissions in information systems – Authorization – can cause problems for those interacting with the systems. Often, the problems materialize as an interference with the primary tasks, for example, when restrictions prevent the efficient completing of work and cause frustration. Problems are not only caused by restrictive permissions, though, but also by permissive ones, for example, from permissions that remain assigned. In this case, the security measure becomes ineffective. Conversely, its effectiveness can also be impacted when staff is forced to circumvent the measure to complete work – typically sharing passwords among each other. This is the perspective of functional staff and the organization. There are further perspectives involved in the administration and development of the authorization measure. For instance, functional staff need to interact with policy makers who decide on the granting of additional permissions, and policy makers, in turn, interact with policy authors who actually implement changes. If the procedures of the interactions or the activities themselves incur high effort, the authorization measure will be inefficient. Similarly, developers implement the technical authorization mechanisms, and need to interact with other stakeholders to take their problems into account to arrive at usable mechanisms. To unravel this entanglement of problems and their interrelation, this thesis analyzes the diverse contexts in which authorization occurs, limits the scope to organizational environments, and systematically examines the problems that surround the different perspectives on authorization in organizational settings, deriving requirements and open research questions. Based on prior research and original research in secure agile development, eight principles to address the authorization problems are identified and explored through practical artifacts. The Authorization Principles aim to foster the participation and interaction among involved and affected stakeholders, including reducing the burden and making the abstract aspects of authorization understandable by increasing the concreteness. Moreover, the mitigations explicitly aim to integrate approaches from diverse disciplines, going beyond the currently predominant technical approaches, for example, by applying socio-organizational approaches. Particularly, the behavior of individuals in their social setting should be accounted for, and the security awareness and expertise of the involved individuals should be increased. To better cope with the dynamics surrounding authorization, it is also suggested to design the measures for dynamics and generally aim to tailor for the context regarding procedures (formality, centralization) and tools (flexibility, individuals’ expertise). Applying the principles in the practical artifacts and drawing on the respective empirical evaluations, the principles show to be useful in improving authorization measures, even though the degree of usefulness strongly depends on the context of use. The thesis concludes by proposing to apply the principles and its main theme – broadening security usability to the organizational – to other areas of information security: fostering the participation between and integration of perspectives on the security measure, and opening information security research further to interdisciplinarity.

Item Type: Ph.D. Thesis
Erschienen: 2012
Creators: Bartsch, Steffen
Title: Broadening the Scope of Security Usability from the Individual to the Organizational: Participation and Interaction for Effective, Efficient, and Agile Authorization
Language: English
Abstract:

Restrictions and permissions in information systems – Authorization – can cause problems for those interacting with the systems. Often, the problems materialize as an interference with the primary tasks, for example, when restrictions prevent the efficient completing of work and cause frustration. Problems are not only caused by restrictive permissions, though, but also by permissive ones, for example, from permissions that remain assigned. In this case, the security measure becomes ineffective. Conversely, its effectiveness can also be impacted when staff is forced to circumvent the measure to complete work – typically sharing passwords among each other. This is the perspective of functional staff and the organization. There are further perspectives involved in the administration and development of the authorization measure. For instance, functional staff need to interact with policy makers who decide on the granting of additional permissions, and policy makers, in turn, interact with policy authors who actually implement changes. If the procedures of the interactions or the activities themselves incur high effort, the authorization measure will be inefficient. Similarly, developers implement the technical authorization mechanisms, and need to interact with other stakeholders to take their problems into account to arrive at usable mechanisms. To unravel this entanglement of problems and their interrelation, this thesis analyzes the diverse contexts in which authorization occurs, limits the scope to organizational environments, and systematically examines the problems that surround the different perspectives on authorization in organizational settings, deriving requirements and open research questions. Based on prior research and original research in secure agile development, eight principles to address the authorization problems are identified and explored through practical artifacts. The Authorization Principles aim to foster the participation and interaction among involved and affected stakeholders, including reducing the burden and making the abstract aspects of authorization understandable by increasing the concreteness. Moreover, the mitigations explicitly aim to integrate approaches from diverse disciplines, going beyond the currently predominant technical approaches, for example, by applying socio-organizational approaches. Particularly, the behavior of individuals in their social setting should be accounted for, and the security awareness and expertise of the involved individuals should be increased. To better cope with the dynamics surrounding authorization, it is also suggested to design the measures for dynamics and generally aim to tailor for the context regarding procedures (formality, centralization) and tools (flexibility, individuals’ expertise). Applying the principles in the practical artifacts and drawing on the respective empirical evaluations, the principles show to be useful in improving authorization measures, even though the degree of usefulness strongly depends on the context of use. The thesis concludes by proposing to apply the principles and its main theme – broadening security usability to the organizational – to other areas of information security: fostering the participation between and integration of perspectives on the security measure, and opening information security research further to interdisciplinarity.

Uncontrolled Keywords: Security, Usability and Society;Secure Data
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
20 Department of Computer Science > SECUSO - Security, Usability and Society
Profile Areas > Cybersecurity (CYSEC)
LOEWE > LOEWE-Zentren
20 Department of Computer Science
Profile Areas
LOEWE
Event Location: Bremen, Germany
Date Deposited: 28 Jul 2016 18:35
Identification Number: TUD-CS-2012-0181
Export:

Optionen (nur für Redakteure)

View Item View Item