Usable Access Control

• Main Author: Beckerle, Matthias
• Format: Others
• Language: German; en
• Published: 2014
• Online Access: https://tuprints.ulb.tu-darmstadt.de/3828/1/Diss86.pdf; Beckerle, Matthias <http://tuprints.ulb.tu-darmstadt.de/view/person/Beckerle=3AMatthias=3A=3A.html> (2014): Usable Access Control.Darmstadt, Technische Universität, [Ph.D. Thesis]

The research described in this work can significantly simplify and facilitate the creation and configuration of secure access control rule sets. Access control is used to provide confidential data or information only to authorized entities and deny access otherwise. Access control mechanisms can be configured with access control rule sets that need to be created and maintained by the users or administrators. The research commences by answering the first research question: 1. How can access control be integrated into future products? Basic concepts are presented and integrated into a holistic design. The latter is embedded into a general framework, which was developed by an academia-industry consortium, and in which the author participated. Questions arise regarding usability aspects of access control mechanisms. An analysis of security services in the beginning of this dissertation shows that, especially for access control mechanisms that are managed by casual users, a high level of usability is required because individual preferences of the data owner have to be taken into account. Analysis of how the core security objectives (see Section [sec:Core-Security-Principles]) can be achieved identifies a usability gap regarding the generation and configuration of access control rule sets. Automation is not fully possible because individual preferences of users need to be considered. Related research questions are: 2. What are the requirements for usable access control rule sets? 3. What are formally founded quantifiable measurements for those requirements, and how can these measurements be used to support users in generating of usable access control rule sets? To answer these questions, a systematic analysis of expert opinions and related work was performed. The results of that analysis were grouped into categories and further refined into six informal requirements. The six informal requirements were mathematically formalized and six associated sets with respective linear metrics were derived. These formal tools are used to automatically calculate additional information about the actual access control rule set to support users in generating and optimizing the rule set properly. Two user studies were carried out to validate and evaluate the research and the findings presented in this work. They demonstrate that our metrics help users generate statistically significant better rule sets. The dissertation concludes with an outlook and a vision for further research in usable access control rule set configuration.