
Guiding Decisions on Authorization Policies: A Participatory Approach to Decision Support

Bartsch, Steffen ; Sasse, Angela
eds.: Ossowski, Sascha ; Lecca, Paola (2012)
Guiding Decisions on Authorization Policies: A Participatory Approach to Decision Support.
Trento, Italy
doi: 10.1145/2245276.2232015
Conference or Workshop Item, Bibliographie

Abstract

Most organizations have access control policies, and many have to change them frequently to get work done. Currently, the way such changes are made often has a significant impact on the organization's security, productivity, and employee satisfaction. Those who have to make the decisions are put on the spot, and depending on their perspective and circumstances, the decision is biased towards business or security interests. A decision support system for access control policies could mitigate these problems, but to be effective, such a system needs a significant amount of information about specific security and business risks and benefits, and collecting this information requires significant investment. In this paper, we present a participatory approach to collecting this information, which not only reduces cost, but increases effectiveness because it ensures that specific local knowledge and downstream risks are represented and visible to decision-makers. We evaluated our systematically developed decision-support prototype in formative evaluations with employees and decision-makers from a variety of backgrounds. We found that, among others, decision support is highly dependent on the organizational context and that the collected factors need to be contextualized for the contributing individuals.

Item Type: Conference or Workshop Item
Published: 2012
Editors: Ossowski, Sascha ; Lecca, Paola
Creators: Bartsch, Steffen ; Sasse, Angela
Type of entry: Bibliographie
Title: Guiding Decisions on Authorization Policies: A Participatory Approach to Decision Support
Language: English
Date: 2012
Publisher: ACM
Book Title: Proceedings of the 27th Annual ACM Symposium on Applied Computing
Series: SAC '12
Event Location: Trento, Italy
DOI: 10.1145/2245276.2232015

Uncontrolled Keywords: Security, Usability and Society; Secure Data
Identification Number: TUD-CS-2012-0046
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
20 Department of Computer Science > SECUSO - Security, Usability and Society
20 Department of Computer Science > Theoretical Computer Science - Cryptography and Computer Algebra
Profile Areas > Cybersecurity (CYSEC)
LOEWE > LOEWE-Zentren
20 Department of Computer Science
Profile Areas
LOEWE
Date Deposited: 28 Jul 2016 18:35
Last Modified: 30 May 2018 12:53