poster

Helping users review and make sense of access policies in organizations

Published: 26 April 2014

Abstract

This work addresses the problem of reviewing complex access policies in an organizational context using two studies. In the first study, we explored the access review activity and identified its challenges using semi-structured interviews. The interviews revealed that access review involves challenges such as scale, technical complexity, the frequency of reviews, human errors, and exceptional cases. We also modeled access review in the activity theory framework. The model shows that access review requires an understanding of the activity context, including information about the users, their jobs, and their access rights, and the history of each. We then used activity theory guidelines to design a new user interface named AuthzMap. We conducted a user study with 340 participants to compare the use of AuthzMap with two existing commercial systems for access review. The results show that AuthzMap improved the efficiency of access review in 5 of the 7 tested scenarios compared to the existing systems.

Supplementary Material

ZIP File (wip0664-file3.zip)
Zip file containing a PDF of the Accompanying Poster

Cited By

  • (2023) Maintain High-Quality Access Control Policies: An Academic and Practice-Driven Approach. Data and Applications Security and Privacy XXXVII, 223-242. DOI: 10.1007/978-3-031-37586-6_14. Online publication date: 12-Jul-2023.
  • (2021) Monitoring Access Reviews by Crowd Labelling. Trust, Privacy and Security in Digital Business, 3-17. DOI: 10.1007/978-3-030-86586-3_1. Online publication date: 1-Sep-2021.
  • (2020) Awareness and Working Knowledge of Secure Design Principles: A User Study. HCI for Cybersecurity, Privacy and Trust, 3-15. DOI: 10.1007/978-3-030-50309-3_1. Online publication date: 10-Jul-2020.

    Published In

    CHI EA '14: CHI '14 Extended Abstracts on Human Factors in Computing Systems
    April 2014
    2620 pages
    ISBN:9781450324748
    DOI:10.1145/2559206
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. access review
    2. activity theory
    3. identity management
    4. it security

    Qualifiers

    • Poster

    Conference

    CHI '14
    CHI '14: CHI Conference on Human Factors in Computing Systems
    April 26 - May 1, 2014
    Ontario, Toronto, Canada

    Acceptance Rates

    CHI EA '14 Paper Acceptance Rate 1,000 of 3,200 submissions, 31%;
    Overall Acceptance Rate 6,164 of 23,696 submissions, 26%
