Know why your access was denied: Regulating feedback for usable security

Apu Kapadia, Geetanjali Sampemane, R H Campbell

Research output: Contribution to journalConference articlepeer-review


We examine the problem of providing useful feedback about access control decisions to users while controlling the disclosure of the system's security policies. Relevant feedback enhances system usability, especially in systems where permissions change in unpredictable ways depending on contextual information. However, providing feedback indiscriminately can violate the confidentiality of system policy. To achieve a balance between system usability and the protection of security policies, we present Know, a framework that uses cost functions to provide feedback to users about access control decisions. Know honors the policy protection requirements, which are represented as a meta-policy, and generates permissible and relevant feedback to users on how to obtain access to a resource. To the best of our knowledge, our work is the first to address the need for useful access control feedback while honoring the privacy and confidentiality requirements of a system's security policy.

Original languageEnglish (US)
Pages (from-to)52-61
Number of pages10
JournalProceedings of the ACM Conference on Computer and Communications Security
StatePublished - 2004
EventProceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004 - Washington, DC, United States
Duration: Oct 25 2004Oct 29 2004


  • Access control
  • Feedback
  • Policy protection
  • Privacy
  • Security
  • Usability

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications


Dive into the research topics of 'Know why your access was denied: Regulating feedback for usable security'. Together they form a unique fingerprint.

Cite this