TU Darmstadt / ULB / TUbiblio

Formal Definitions for Usable Access Control Rule Sets From Goals to Metrics

Beckerle, Matthias ; Martucci, Leonardo (2013)
Formal Definitions for Usable Access Control Rule Sets From Goals to Metrics.
Konferenzveröffentlichung, Bibliographie

Kurzbeschreibung (Abstract)

Access control policies describe high level requirements for access control systems. Access control rule sets ideally translate these policies into a coherent and manageable collection of Allow/Deny rules. Designing rule sets that reect desired policies is a difficult and time-consuming task. The result is that rule sets are difficult to understand and manage. The goal of this paper is to provide means for obtaining usable access control rule sets, which we define as rule sets that (i) reect the access control policy and (ii) are easy to understand and manage. In this paper, we formally define the challenges that users face when generating usable access control rule sets and provide formal tools to handle them more easily. We started our research with a pilot study in which specialists were interviewed. The objective was to list usability challenges regarding the management of access control rule sets and verify how those challenges were handled by specialists. The results of the pilot study were compared and combined with results from related work and refined into six novel, formally defined metrics that are used to measure the security and usability aspects of access control rule sets. We validated our findings with two user studies, which demonstrate that our metrics help users generate statistically significant better rule sets.

Typ des Eintrags: Konferenzveröffentlichung
Erschienen: 2013
Autor(en): Beckerle, Matthias ; Martucci, Leonardo
Art des Eintrags: Bibliographie
Titel: Formal Definitions for Usable Access Control Rule Sets From Goals to Metrics
Sprache: Deutsch
Publikationsjahr: Juli 2013
Buchtitel: Symposium on Usable Privacy and Security (SOUPS) 2013
Zugehörige Links:
Kurzbeschreibung (Abstract):

Access control policies describe high level requirements for access control systems. Access control rule sets ideally translate these policies into a coherent and manageable collection of Allow/Deny rules. Designing rule sets that reect desired policies is a difficult and time-consuming task. The result is that rule sets are difficult to understand and manage. The goal of this paper is to provide means for obtaining usable access control rule sets, which we define as rule sets that (i) reect the access control policy and (ii) are easy to understand and manage. In this paper, we formally define the challenges that users face when generating usable access control rule sets and provide formal tools to handle them more easily. We started our research with a pilot study in which specialists were interviewed. The objective was to list usability challenges regarding the management of access control rule sets and verify how those challenges were handled by specialists. The results of the pilot study were compared and combined with results from related work and refined into six novel, formally defined metrics that are used to measure the security and usability aspects of access control rule sets. We validated our findings with two user studies, which demonstrate that our metrics help users generate statistically significant better rule sets.

Freie Schlagworte: - SST - Area Smart Security and Trust;- SST: CASED:;Access control; Usability; Security; Metrics; Formal logic
ID-Nummer: TUD-CS-2013-0252
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik > Telekooperation
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
LOEWE > LOEWE-Zentren
20 Fachbereich Informatik
LOEWE
Hinterlegungsdatum: 31 Dez 2016 12:59
Letzte Änderung: 30 Mai 2018 12:53
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen