Know why your access was denied: Regulating feedback for usable security

Apu Kapadia, Geetanjali Sampemane, R H Campbell

Research output: Contribution to journal - Conference article

Abstract

We examine the problem of providing useful feedback about access control decisions to users while controlling the disclosure of the system's security policies. Relevant feedback enhances system usability, especially in systems where permissions change in unpredictable ways depending on contextual information. However, providing feedback indiscriminately can violate the confidentiality of system policy. To achieve a balance between system usability and the protection of security policies, we present Know, a framework that uses cost functions to provide feedback to users about access control decisions. Know honors the policy protection requirements, which are represented as a meta-policy, and generates permissible and relevant feedback to users on how to obtain access to a resource. To the best of our knowledge, our work is the first to address the need for useful access control feedback while honoring the privacy and confidentiality requirements of a system's security policy.

Original language: English (US)
Pages (from-to): 52-61
Number of pages: 10
Journal: Proceedings of the ACM Conference on Computer and Communications Security
State: Published - Dec 1 2004
Event: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004 - Washington, DC, United States
Duration: Oct 25 2004 - Oct 29 2004

Keywords

  • Access control
  • Feedback
  • Policy protection
  • Privacy
  • Security
  • Usability

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Know why your access was denied: Regulating feedback for usable security. / Kapadia, Apu; Sampemane, Geetanjali; Campbell, R H.

In: Proceedings of the ACM Conference on Computer and Communications Security, 01.12.2004, p. 52-61.

@article{1afb6efd82f34dbdb1595ed07f727ebc,
title = "Know why your access was denied: Regulating feedback for usable security",
abstract = "We examine the problem of providing useful feedback about access control decisions to users while controlling the disclosure of the system's security policies. Relevant feedback enhances system usability, especially in systems where permissions change in unpredictable ways depending on contextual information. However, providing feedback indiscriminately can violate the confidentiality of system policy. To achieve a balance between system usability and the protection of security policies, we present Know, a framework that uses cost functions to provide feedback to users about access control decisions. Know honors the policy protection requirements, which are represented as a meta-policy, and generates permissible and relevant feedback to users on how to obtain access to a resource. To the best of our knowledge, our work is the first to address the need for useful access control feedback while honoring the privacy and confidentiality requirements of a system's security policy.",
keywords = "Access control, Feedback, Policy protection, Privacy, Security, Usability",
author = "Apu Kapadia and Geetanjali Sampemane and Campbell, {R H}",
year = "2004",
month = "12",
day = "1",
language = "English (US)",
pages = "52--61",
journal = "Proceedings of the ACM Conference on Computer and Communications Security",
issn = "1543-7221",
publisher = "Association for Computing Machinery (ACM)",
}

TY  - JOUR
T1  - Know why your access was denied
T2  - Regulating feedback for usable security
AU  - Kapadia, Apu
AU  - Sampemane, Geetanjali
AU  - Campbell, R H
PY  - 2004/12/1
Y1  - 2004/12/1
N2  - We examine the problem of providing useful feedback about access control decisions to users while controlling the disclosure of the system's security policies. Relevant feedback enhances system usability, especially in systems where permissions change in unpredictable ways depending on contextual information. However, providing feedback indiscriminately can violate the confidentiality of system policy. To achieve a balance between system usability and the protection of security policies, we present Know, a framework that uses cost functions to provide feedback to users about access control decisions. Know honors the policy protection requirements, which are represented as a meta-policy, and generates permissible and relevant feedback to users on how to obtain access to a resource. To the best of our knowledge, our work is the first to address the need for useful access control feedback while honoring the privacy and confidentiality requirements of a system's security policy.
AB  - We examine the problem of providing useful feedback about access control decisions to users while controlling the disclosure of the system's security policies. Relevant feedback enhances system usability, especially in systems where permissions change in unpredictable ways depending on contextual information. However, providing feedback indiscriminately can violate the confidentiality of system policy. To achieve a balance between system usability and the protection of security policies, we present Know, a framework that uses cost functions to provide feedback to users about access control decisions. Know honors the policy protection requirements, which are represented as a meta-policy, and generates permissible and relevant feedback to users on how to obtain access to a resource. To the best of our knowledge, our work is the first to address the need for useful access control feedback while honoring the privacy and confidentiality requirements of a system's security policy.
KW  - Access control
KW  - Feedback
KW  - Policy protection
KW  - Privacy
KW  - Security
KW  - Usability
UR  - http://www.scopus.com/inward/record.url?scp=14844322854&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=14844322854&partnerID=8YFLogxK
M3  - Conference article
AN  - SCOPUS:14844322854
SP  - 52
EP  - 61
JO  - Proceedings of the ACM Conference on Computer and Communications Security
JF  - Proceedings of the ACM Conference on Computer and Communications Security
SN  - 1543-7221
ER  -