TU Darmstadt / ULB / TUbiblio

Formal Definitions for Usable Access Control Rule Sets From Goals to Metrics

Beckerle, Matthias and Martucci, Leonardo :
Formal Definitions for Usable Access Control Rule Sets From Goals to Metrics.
Symposium on Usable Privacy and Security (SOUPS) 2013
[Conference or Workshop Item] , (2013)

Abstract

Access control policies describe high level requirements for access control systems. Access control rule sets ideally translate these policies into a coherent and manageable collection of Allow/Deny rules. Designing rule sets that reect desired policies is a difficult and time-consuming task. The result is that rule sets are difficult to understand and manage. The goal of this paper is to provide means for obtaining usable access control rule sets, which we define as rule sets that (i) reect the access control policy and (ii) are easy to understand and manage. In this paper, we formally define the challenges that users face when generating usable access control rule sets and provide formal tools to handle them more easily. We started our research with a pilot study in which specialists were interviewed. The objective was to list usability challenges regarding the management of access control rule sets and verify how those challenges were handled by specialists. The results of the pilot study were compared and combined with results from related work and refined into six novel, formally defined metrics that are used to measure the security and usability aspects of access control rule sets. We validated our findings with two user studies, which demonstrate that our metrics help users generate statistically significant better rule sets.

Item Type: Conference or Workshop Item
Erschienen: 2013
Creators: Beckerle, Matthias and Martucci, Leonardo
Title: Formal Definitions for Usable Access Control Rule Sets From Goals to Metrics
Language: German
Abstract:

Access control policies describe high level requirements for access control systems. Access control rule sets ideally translate these policies into a coherent and manageable collection of Allow/Deny rules. Designing rule sets that reect desired policies is a difficult and time-consuming task. The result is that rule sets are difficult to understand and manage. The goal of this paper is to provide means for obtaining usable access control rule sets, which we define as rule sets that (i) reect the access control policy and (ii) are easy to understand and manage. In this paper, we formally define the challenges that users face when generating usable access control rule sets and provide formal tools to handle them more easily. We started our research with a pilot study in which specialists were interviewed. The objective was to list usability challenges regarding the management of access control rule sets and verify how those challenges were handled by specialists. The results of the pilot study were compared and combined with results from related work and refined into six novel, formally defined metrics that are used to measure the security and usability aspects of access control rule sets. We validated our findings with two user studies, which demonstrate that our metrics help users generate statistically significant better rule sets.

Title of Book: Symposium on Usable Privacy and Security (SOUPS) 2013
Uncontrolled Keywords: - SST - Area Smart Security and Trust;- SST: CASED:;Access control; Usability; Security; Metrics; Formal logic
Divisions: Department of Computer Science > Telecooperation
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
LOEWE > LOEWE-Zentren
Department of Computer Science
LOEWE
Date Deposited: 31 Dec 2016 12:59
Identification Number: TUD-CS-2013-0252
Related URLs:
Export:

Optionen (nur für Redakteure)

View Item View Item