Towards Usable Authorization: From the Individual to

2 downloads 0 Views 277KB Size Report
We analyze the breadth of perspectives on .... authorization rules in lists that do not convey their in- ... day-to-day operation of authorization and how stake-.
Noname manuscript No. (will be inserted by the editor)

Towards Usable Authorization: From the Individual to the Organizational for Effective and Efficient Security Steffen Bartsch · M. Angela Sasse

Received: date / Accepted: date

Abstract Many organizations struggle with ineffective and/or inefficient access control, but the full range of the problems and their consequences often remain invisible to security decision-makers. Prior research has focused on individuals, e.g. improving the policy-authoring part of authorization, and does not show the full range of problems, their impact on organizations, and the underlying causes. We present a study of 118 individuals’ experiences of authorization measures in a multinational company and their self-reported subsequent behavior. We analyze the breadth of perspectives on authorization, and the interrelations of authorization issues with individuals’ behaviors and organizational goals. Our results indicate that authorization problems significantly impact the productivity and effective security of organizations – e.g. when the procedures for policy changes and the decision-making lead to the circumvention of the measure. We construct a holistic model of authorization problems that covers the diverse perspectives of stakeholders. We apply the model to two concrete authorization contexts in the studied organization and show how different degrees of formality and centralization affect security and productivity differently. Specifically, we recommend to support decision-making, to establish adequate procedures for policy changes, and to monitor non-compliance, such as password-sharing, for indications of authorization problems. We find that the traditional approach of focusing on the individual is insufficient to elicit and adequately address the idenF. Author first address Tel.: +123-45-678910 Fax: +123-45-678910 E-mail: [email protected] S. Author second address

tified problems and argue that the organizational approach is promising to improve the effectiveness and efficiency of security. Keywords Access control · Authorization · Security usability · Security management · Empirical study 1 Introduction Authorization is a core measure in organizations to enforce security policies in information systems1 . While problems with authorization are frequently reported in form of anecdotes, it appears to be difficult for organizations to conduct a comprehensive review of the problems, including their impact on individual employees’ and organizational productivity. One reason is that the problems are only visible to security decision-makers, such as CISOs, as individual cases. Moreover, research on security in Human–Computer Interaction (HCISec) has focused primarily on individual problems. A number of studies have analyzed the usability of authorization and found that crafting authorization policies2 is difficult, both in laboratory experiments [52, 14] and in organizational practice [8, 43, 48]. However, the problems with authorization cannot be reduced to only the individual perspective, such as the usability of management tools and the authoring of policies. Economic models of security, such as the Compliance Budget [9], predict, for example, that when requesting a change in the policy is perceived as too much 1 We refer to authorization as the restriction of activities of a principal in a system – the second step in access control following authentication to establish the identity [28]. 2 We use the term authorization policy for the restrictions or permissions enforced by information systems. Security policies herein denote the management-level definitions of how the organization aims to achieve its security goals [6, 32].

2

effort, employees may rather share their password as a cheaper way of solving the problem. Thus, not only the act of changing the permission is important, but also the procedure to receive it – involving perspectives of at least the one affected by the missing permission, the one deciding on granting the permission, and the one assigning it. We have to consider the interrelation of perspectives and problems to thoroughly understand the problems with authorization and address them fundamentally. The aim of this paper is to foster a broader understanding of usability challenges surrounding existing authorization mechanisms, the interdependence of the problems, and their impact on organizational goals. We show how an organizational approach to HCISec improves the analysis and allows us to identify more fundamental problems. We conducted 118 in-depth interviews on security compliance at a large infrastructure company with a variety of authorization contexts. Based on the interviews, we developed Personas [17] to draw a vivid picture of the interrelation of the daily problems surrounding the use of authorization mechanisms and identify the different perspectives on authorization. We systematically analyze the causalities of the problems to examine how the problems interrelate and how they impact organizational goals. From the interrelations and existing literature, we develop a holistic model of the problems that emphasizes the importance of the decision-making and of the procedures for policy changes besides the prevalent view of problems of individuals with the authoring of policies. We apply the model to two concrete authorization contexts within the organization and show how the design of the procedures and the decision-making affect security and productivity – particularly the degree of formality and centralization of the procedures and decisions. Our contribution is thus twofold: First, we provide a comprehensive analysis of the problems surrounding authorization. Second, we show how the usability lies in the entire security measure and cannot be solved by improving the technical mechanisms alone or by targeting only individual perspectives, but requires an organizational approach from the interrelation of the diverse perspectives on the measure. 2 Literature on authorization problems

Steffen Bartsch, M. Angela Sasse

usable security [52]. Zurko et al. then developed a policy editor for policies similar to RBAC based on usability testing and user-centered design that allowed novice users to produce meaningful results [51]. Rode et al. also studied the challenges in authoring policies [38]. They find that policy authors need to comprehend consequences of the changes and suggest the integration of tasks, monitoring, and configuration. Reeder et al. add to these findings by showing that mistakes in policy authoring can originate from isolated authorization rules in lists that do not convey their interrelation [35]. Vaniea et al. similarly identified the cognitive load of conflict detection as a major challenge [45]. Focusing instead on the mental model of policy authors, Brostoff et al. found that the primary challenges lie in understanding the policy structure and the overall authorization paradigm [14]. To overcome the conceptual mismatches between the authorization model and the mental model of the security engineer, Inglesant et al. employed iterative development of policies using a controlled natural language [23]. These laboratory studies focus exclusively on the individual task of authoring policies and further the usability of this aspect of authorization. However, crafting adequate policies depends to a large extent on the policy author being in a position to judge which permissions to grant. We thus need to consider a broader perspective to fundamentally solve authorization challenges in organizations and incorporate the problems in day-to-day operation of authorization and how stakeholders interact to mitigate them.

2.2 Problems in development The literature is very thin on what problems developers have with the integration of authorization in systems. Zurko and Simon [52] recognized that it can be difficult for developers to implement the authorization controls in applications. Herzog and Shahmehri [22] found that not only policy authors are affected by problematic authorization frameworks, but also the developers who need to integrate the enforcement. In a study of enforcement integration in the Linux kernel, Jaeger et al. [24] showed that in multiple instances, the enforcement was not correctly placed.

2.1 Policy authoring 2.3 Challenges in organizations To a large extent, studies in the area of authorization usability focus on the usability of policy authoring interfaces. Zurko and Simon formulated requirements for a usable policy authoring interface from their study on

A small number of broader studies have analyzed how challenges in authorization actually materialize in organizations, summarized in Table 1. Three of the four

Towards Usable Authorization: From the Individual to the Organizational for Effective and Efficient Security Study Sikkel [41]

Study design Subjective: interviews

Focus/scope How users specify policies

Subjective: survey, interviews

Environment Private and public organizations Mediumsized research laboratory

Whalen [48]

Bauer [8]

Subjective: interviews

Diverse organizations

Smetters Objective: [43] historical policy data

Mediumsized corporation

Challenges for policy professionals Usage of authorization features and models

Individuals’ problems from mechanisms

Findings Policies are stated as grants/denials, refined by exceptions, e.g. scopes Users manage policies, but struggle with it; authorization interferes with primary tasks Problems from stakeholder interactions and inadequate models Complex, rarely changed policies, management errors

3

Recommendations Provide expressive model: object grouping, scope, delegation Integrate with workflows, support social controls, visualize policies, and simplify management Support communication of policy authors, improve authorization models Simpler models, patterns, better management tools

Table 1 Prior studies on authorization in organizations

identified studies exclusively focus on the challenges in policy authoring. Sikkel and Stiemerling [41], Bauer et al. [8], and Smetters and Good [43] examine how the expressiveness of authorization models affect policy management and suggest model improvements. In addition, Bauer also analyzes the interactions of policy authors with different roles. In contrast, Whalen not only explores the problems of managing authorization, but also how authorization interferes with the primary tasks of functional users. Less pronounced in literature than the usability problems for policy authors are those for functional users, policy makers, and developers. For functional users, who need to interact with information systems to complete their work tasks, [48] found that authorization often interferes with their work. [25] argues that strict restrictions can have adverse effects and force users to circumvent the authorization measures, for example, by sharing their password with people who need access to additional resources. Policy makers take the decisions on changes to the policy and need to prevent overly restrictive or permissive permissions. The field study of [8] showed that it can be difficult for multiple policy makers and authors to interact. They also found that problems with the state of the documentation can impact the decisionmaking. [42] reported that the complexity of the risk assessment can be high, due to the dynamics in organizations, the number of roles, and the heterogeneous applications involved. These studies still mostly focus on authorization usability issues on an individual level, primarily with respect to policy authoring. The consequences of the identified challenges remain implicit. However, since most problems rarely become visible for management and then only as anecdotal individual cases, the authorization issues are still largely ignored in organizations. One reason is that the scale and the actual impacts on or-

ganizational goals are unknown. To make a case for fundamentally addressing the problems that functional users are faced with every day, the full breadth of authorization challenges needs to be explored with their complex interrelations and, particularly, their impact on organizational goals.

2.4 Economic perspective It is common to consider the impact that usability problems with security mechanisms have – usually focusing on how users’ mistakes reduce security. In authorization, it has been observed, for example, that entitlements are not adjusted to reflect organizational changes, resulting in over-entitlement and secondary risks, such as more severe consequences in case of a security breach [42]. However, the potential additional security risk created by users making mistakes is only one of several consequences and is often too intangible and abstract to measure and difficult to use as a clear case to argue for changes [47]. In a novel and promising approach, security researchers have in the last years argued increasingly on the basis of economic impact on organizations and individuals [5]. Beautement et al. described the Compliance Budget [9] and Herley analyzed the externalities of security measures [21]. They argue that we need to take a comprehensive perspective of the costs and benefits of security measures, particularly from the individuals’ point of view, demonstrating that users often do behave rationally when not complying with security advice. Their examples include the insecure use of USB sticks and the effects of password policies. This line of research can be applied to authorization as well. As already noted above, authorization has been found to impact the primary tasks of employees [48]. An example of the cost of compliance is the effort expended on following the prescribed procedures to change the policy. More con-

4

venient alternatives to compliance could be found, such as sharing passwords. If the costs of compliance are perceived to be too high and alternatives are perceived as cheaper, even considering potential consequences, users are likely not comply. We use this model to examine usability issues with authorization measures. In a parallel research strand with a focus on the organizational economics, Pallas [33] analyzes motivation and coordination costs for security measures, comparing hierarchical organizations with centrally made decisions with market forms with delegation to local decision-makers. Pallas shows that the extend of coordination and motivation costs depend on the form of organization. Principal–agent theories predict that centrally made decisions often suffer from information asymmetries and interfere with primary tasks. Extending this line of research, we analyze authorization usability challenges for their impact on the organization.

3 Study design To derive insights about the interrelations of the multitude of authorization challenges and their impacts in practice, we studied the security compliance of employees at a large organization, a European, multi-national company. The organization operates systems and maintains information at several levels of criticality and sensitivity, involving, amongst others, market regulation as well as the sensitive personal data of employees and customers.

3.1 Research approach Scholars of social sciences have spent decades on the discussion of the adequacy of different research methods to deliver reliable results [15, 40]. Like for studying authorization in practice, key characteristics of social sciences are the context-dependent, diverse, and complex nature of research. We need to address two points here: first, whether to employ a quantitative or qualitative approach, and, second, what specific method to employ. Regarding the former aspect, Bryman [15] argues that the distinction between quantity and quality is a purely technical one – two different ends of the spectrum of data collection strategies. He sees quantity to rather confirm existing theory, offer “hard, reliable” data, and having a general scope. Conversely, quality is more suited for emergent theory, offers “rich, deep” data for a more specific scope (p. 94). However, the generality of quantity is often “exaggerated” (p. 101) and it often “fails to give appropriate recognition to. . . entities which may not be directly observable” (p.

Steffen Bartsch, M. Angela Sasse

17). Quality allows us to better describe and contextualize findings (p. 61), often used as “reconnaissance” and “initial exploration” (p. 95); the point of qualitative research is not generalizability, but “the cogency of theoretical reasoning” (p. 123). This matches well with the goals of the Authorization Problems Study, which explores a breadth of problems and their interrelation not previously targeted. The second major study-design aspect is the highlevel method. Flyvbjerg [19] strongly argues for casestudy research, despite the conventional wisdom that “a case study cannot provide reliable information about the broader class” (p. 398). However, he argues that “formal generalization is overvalued as source of scientific progress” (p. 395). In complex disciplines with diverse contexts, “there does not. . . exist predictive theory. . . [only] concrete context-dependent knowledge” (p. 392), making case studies well-suited. We also need to be careful not to consider case studies “a sample of one,” since they include a range of people [15, p. 90]. Moreover, context-dependency is vital, since – as in our study – it is often “more important to clarify the deeper causes. . . and its consequences. . . than how frequently [the phenomena] occur” [19, p. 395]. Since this corresponds with the goals of the Authorization Problems Study and since it is generally difficult to conduct studies in information security with large samples [27], we decided to conduct an in-depth case study. 3.2 Interview design and sampling In a study on security compliance, semi-structured indepth interviews were conducted with 118 employees from management and staff in two countries between January and September 2010. The interviewees were recruited via the company newsletter, inviting volunteers to take part in an “IT Security Research Study” on their experience with the security policy for a gift voucher. From the about 400 responses within two days, participants were primarily selected on a “first come, first served” basis, with additional participants from later responses added for gender balance and breadth of work environments. The interviews lasted approximately 45 minutes, 40 being conducted via telephone and 78 face-to-face. The interview questions covered the interviewee background, experiences with the security policy, and how it affects the primary tasks. Since the study covers a single organization and the sampling process induced a potential self-selection bias, the quantity of mentions cannot be considered representative. However, the main goal of the study is not to elicit exact frequencies, but rather to derive a thorough description of the problems and their interrelation. The

Towards Usable Authorization: From the Individual to the Organizational for Effective and Efficient Security

diverse backgrounds of the participants (different systems, organizational environments) should allow us to formulate well-grounded hypotheses on the causes of usability problems in authorization. We employ the interviews in this study in two ways: to derive authorization Personas and to establish the interrelation between problems and organizational goals. We detail the respective analysis approach below.

4 Perspectives on authorization For a clearer picture of how problems affect diverse stakeholders and to draw a picture of how the problems of the stakeholders interrelate, we develop Authorization Personas. Subsequently, we consolidate the Personas with literature on authorization to derive perspectives on authorization.

4.1 Authorization Personas Interviewees were affected differently by authorization measures depending on their roles within the organization. A common approach would thus be to identify the roles and relate the personal challenges to the roles. However, roles have the drawback of abstracting detail that is necessary to understand the behavior of a person. As an alternative to roles, usability engineers employ the Persona methodology to preserve concrete characteristics, such as motivations and activities, of typical users [17]. Faily and Flechais successfully used security Personas in security engineering [18]. We followed the approach of Cooper et al. [17] and identified behavioral variables, such as attitudes, motivations, and activities, related to authorization in the interview transcripts. We found 11 categories of behavioral variables with a total of 53 variables. From common combinations of behavior variable assignments, we derived behavioral patterns and formed five Personas, listed in Table 2. We then assigned personal authorization challenges to the individual Personas. Since Personas are originally a design methodology, it is difficult to validate them outside of design endeavors. However, the breadth of the study should provide a good initial hypothesis of the Personas and allow for a vivid picture of how employees are personally affected by authorization. 4.1.1 Functional staff Amber is a business analyst in a technical department of the organization. She uses a number of company IT systems, for example, to share documents with co-workers

5

and access data for analyses. Her main motivation concerning the use of the systems are her personal productivity, but also the general organizational efficiency and effectiveness, in that the necessary tasks are completed. Authorization measures affect her most directly through the operational aspects of restrictive policies that hinder her work or reduce her productivity, for instance, when she cannot access a document that was sent as a link to her. In some cases she is forced to circumvent the authorization measures and, for example, use the password of a co-worker to access data in the system. However, she feels uneasy about not complying with the organization’s security policy that forbids the sharing of passwords. Amber cares about the security of the sensitive data that she is handling, both for the risks that the organization faces, for example, from a disclosure, but also because of the consequences to her personally (concerning her employment) or the consequences for the society in general from the disclosure of critical data. Due to these considerations, she tries to comply with the security policies and requests changes to the existing permissions, but the requests can require a high effort and take a long time to become active, both operational authorization issues. For some systems, it is not clear to her how to request changes or it is known that not all requests succeed. Motivated to keep their documents secure, her team decided to also protect documents in the system with passwords, in addition to the system’s authorization, since it is not always transparent who has access. Emily also works as a business analyst, but has more technical experience. She tries to mitigate the problems with authorization that originate, for example, from too granular permissions or missing functionality in their systems. Because of her interests, she was tasked to develop the SharePoint site for her team. As a result, she also manages the permissions to the site, but lacks clear guidance in the form of a high-level policy to whom she should grant what permissions. She generally does not feel she has the necessary expertise to make these decisions and it is sometimes unclear to her which permissions need to be assigned and how to do this correctly. There are only informal procedures for handling permission requests and she sometimes feels a high emotional pressure to grant permissions, even though she is unsure whether the permissions are appropriate. Brandon is the personal assistant to a manager, who has delegated the decisions on who should receive permissions to him. He has similar attitudes towards information security as Amber, and is particularly affected by the non-transparency of the current policy, since this

6

Steffen Bartsch, M. Angela Sasse Persona/Role Amber

Functional staff Emily

Technicallyinformed staff Brandon

Motivation Personal, organizational, society risks; productivity Recognition, (see Amber)

Activities Share/access data, request changes, circumvent measure Develop, mitigate issues, make decisions

(see Amber)

Make decisions

Personal risks and gains, organizational/society risks, productivity Personal and organizational and society risks, risk awareness

Motivate compliance, make/delegate decisions, review policy

Challenges Restrictive policies, degraded productivity, change lead time and effort, unclear/ineffective/inefficient procedures, non-transparent decisions and policies Non-transparent policies, coarse-grained permissions, lack of usability and functionality, unclear permissions, lack of high-level policy, missing expertise, emotional costs of decisions, informal procedures Non-transparent policies

Pers. assistant Lauren

Functional manager Nicole

Administrator, developer

Administer/develop applications, make decisions, support requests

Retained permissions, non-transparent policy, inadequate model, lack of usability, decision complexity, required expertise, inefficient procedure, inefficient/ineffective reviews Lack of high-level policy, cumbersome permissions, conflict of authority

Table 2 Personas related to authorization measures

makes it difficult to limit the authorized employees to those with a legitimate need. 4.1.2 Functional management Lauren manages 40 employees in the financial department and feels responsible for their compliance to the security policy. She motivates her staff to comply by reminding them of why the data is sensitive, and the consequences of non-compliance, including sanctions. She is motivated by both consideration for her own employment (she values job security and also is rewarded for meeting compliance related performance objectives) and an awareness of the risks to the organization caused by non-compliance with regulations. At the same time, she also cares about the productivity of her staff. As part of her role, Lauren needs to make decisions about authorization policies and review existing permissions on a regular basis. In this function, she is affected by operational authorization issues, such as the inefficiency of the procedures, when, for example, the procedure requires the signature of more senior personnel or from other departments. Generally, she sees the policy-authoring aspects of decision-making as a burden, since the risk-assessment is complex and requires security expertise. Moreover, it requires significant technical expertise to set the permissions due to a lack of usability of the management tool. The authorization model sometimes does not allow the precise setting of permissions or they can only be set in inefficient ways, for instance, requiring her to set numerous permissions for each individual of her staff. Consequently, she delegates some of the decisions to her subordinates. For reviewing existing policies, the lack of transparency of the current policies causes a high effort and even limits her ability to review. Since there are no automatic procedures for role changes, employees will also in many

cases retain their permissions. When delegating functional tasks, Lauren is also affected by the lack of delegation options in the authorization mechanism, forcing her to sometimes share her password. 4.1.3 Technical staff Nicole administrates and develops applications as part of the information system department. Because of her detailed knowledge of the systems, she is often consulted on how policy changes can be achieved in the system, for example, which permissions are necessary, and whether the changes are appropriate. In effect, she takes the decision in many cases, although she is not aware of all relevant high-level policies and is sometimes caught in conflicts of authority, for example, between departments when one is more security or business-focused than the other. Nicole is also affected by cumbersome permissions that make the policy management difficult and inefficient, for example, when permissions need to be set in a number of separate applications to allow an activity.

4.2 From Personas to perspectives Even though neither representational nor comprehensive, the Personas in the previous section demonstrate the breadth of perspectives on authorization in organizations. To structure these perspectives systematically, we relate the roles of the Personas to organizational parts, structures in security management, and literature on authorization management in Table 3. Regarding organizational parts, Mintzberg [31] offers a rich characterization of organizational structures in his Configurations, highlighting how in different forms of organizations different parts exercise power. In literature on

Towards Usable Authorization: From the Individual to the Organizational for Effective and Efficient Security Mintzberg (Machine

Authorization Personas Organizational role

NIST Handbook Security mgmt. role

Authorization role

Authorization perspectives Perspective

Users

End user

Functional

Technology provider

Administrator

Policy authoring

Functional manager

Policy setter

Policy making

Technostructure

Functional staff (Amber, Emily) Administrator (Nicole) Functional manager (Lauren, Brandon) –



Security tactics

Strategic Apex Supporting staff

– Developer (Nicole)

Computer security management Senior management Technology provider

– Developer

Security strategy Development

Bureaucracy) Organizational part

Operating core Supporting staff Middle management

Varadharajan

7

Table 3 Roles and perspectives in authorization

authorization, definitions of roles are typically focused on the technical aspects of principals, policy makers, and policy authors [46]. These are also the most common roles and we similarly find those as the Personas. However, these roles primarily cover those individuals affected by authorization and neglect the further individuals who may also heavily influence authorization measures from a higher level of security management, as described, for example, in the NIST Handbook on computer security [32]. Thus, we define the perspectives of individuals on authorization (right-most column in Table 3), additionally including the security management aspects of designing procedures and of how decisions are taken: Functional perspective Staff with the functional perspective have to cope with authorization restrictions in the information systems that they interact with to complete their functional task. As in the case of the Persona Amber, functional staff are affected primarily by authorization restrictions, which can interfere with the productive use of the systems. Functional staff generally strive to optimize their efficiency and may thus be averse to any external factors that impact their efficiency or the established processes. When interferences with the primary tasks occur, functional staff may find other ways to complete their work, circumventing authorization restrictions where possible. In these cases, they may also support the policy making and authoring perspectives in setting adequate policies by proposing required permissions. Policy-authoring perspective The restrictions in information systems need to be configured in a formalized way in technical policies to be interpreted by the system. In structured organizations, such as Machine Bureaucracies [31], we often find the authoring perspective to be held by security administrators from the supporting staff or technology provider, similar to the Persona

of Nicole. In these cases, the authoring of the policy is separated from the decisions on what restrictions to implement. Conversely, depending on the degree of centralization and the technical complexity of managing the policies, technically informed staff, such as Emily, take on this perspective as well. Policy-making perspective The restrictions to implement need to be decided on before their formalization as technical policy by policy authors. These decisions can be taken at different points in an organization. In structured organizations, we will often find the decision to be made by a functional manager from middle management, such as the Persona Lauren. In other cases, the decision makers can also be personal assistants (Brandon) or technically-informed staff (Emily). Security-tactics perspective Depending on the organization, formal processes may need to be established to organize the changes of the policy and the coordination between functional staff, policy makers, and authors. The security-tactics perspective is responsible for defining the necessary procedures. In the Structural Configurations [31], this is a typical task of the Technostructure. The NIST Handbook [32] assigns this perspective to the “computer security management.” Security-strategy perspective In order for policy makers to arrive at adequate decisions on what permissions to grant to whom, strategists need to define the parameters of these decisions, for example, in high-level policies. The NIST Handbook [32] calls for senior management to take a leading role by defining these parameters together with support staff who provide risk management and planning. Development perspective On the systems development side, developers need to consider authorization when they perform development activities to implement and

8

Steffen Bartsch, M. Angela Sasse

maintain the systems. The authorization-specific tasks depend on the development context. For custom-developed software, software developers need to take authorization into account in all the development activities to reliably achieve the enforcement in the system. For commercial off-the-shelf (COTS) software products, authorization development tasks in organizations are more focused on the integration into the existing infrastructure, for example, interfacing with the identity management system and the organization-wide policy provisioning. Concluding remarks Having a clear structure of how different individuals are related to authorization, we can now turn analyze in detail how they affect authorization and how their respective problems interrelate.

5 Authorization problems: Causes and effects The authorization issues raised in the interviews allow us to derive general conclusions on authorization problems, their causalities.

5.1 Analysis of authorization problems To analyze the interview transcripts for the interrelation between problems and organizational goals, we applied a Grounded-Theory approach [1] because of its strength in systematically identifying, categorizing, and relating the concepts brought up by the participants of the study – particularly for broad descriptions of effects of technology and its generalization (p. 153). We focused on the authorization-related segments in the interview transcripts, coding for authorization usability problems and their causes and effects. For internal consistency of the coding, the author, who is unrelated to the organization conducted the coding. Almost twothirds of the interviewees (75 of 118) mentioned authorization problems in one of the organizational information systems, including, amongst others, file sharing, administrative systems, and restrictions to Web access. Since authorization segments are sparsely distributed over the interviews, we coded in a two-stage process. In the first pass, we assigned broad categories of problems, for example, “policy change issue” to this quote: “they may need temporary access. . . and a lot of the IS setup takes so long that a lot of these are workarounds to solve a temporary problem. . . problems tend to bounce around. . . for quite a long while” In the second pass, we then applied open and axial coding to the identified quotes for finer granularity [1]. We established relationships between the codes

through causal coding: We assigned three types of codes to quotes: the issue (the specific challenge, “Change lead time” in the above example) as well as causes (“Multi-level procedure”) and effects of the issue (“Social circumvention: Password sharing”). Employing our analysis tool, described below, the coding allowed us to generate causal diagrams of the authorization challenges. We were particularly interested in relating the problems to organizational goals. According to Schermerhorn et al. [39], organizational goals fall into a three categories: societal goals (how to contribute to society), output goals (who is to benefit from the organization, e.g. shareholders, employees, customers), and system goals that relate to the survival of an organization. Authorization is most directly affected by system goals, including growth, harmony, prestige, productivity, profitability, and innovation. Particular priorities of the system goals depend on societal and output goals, but also vary among departments [29]. When projecting these system goals to authorization measures, we arrive at the following underlying organizational goals that are affected: – Effectiveness of the security measure: The degree to which the authorization measure increases the overall security as intended (profitability, harmony, prestige), – Efficiency of the security measure: The effort expended by employees in operation to achieve effective security (profitability, productivity), – Regulatory compliance: The compliance of the organization with laws and regulatory obligations, for example, from market regulation (survival, profitability), – Functional effectiveness: The ability of employees to complete their primary tasks despite authorization restrictions (productivity, innovation), – Functional efficiency: The effort expended by employees to complete functional tasks, particularly additional efforts caused by authorization measures (productivity, profitability), – Satisfaction: Effects on the motivation of employees, such as frustration, from authorization measures (harmony). We coded 540 quotes in the interview transcripts, associating issues with the system context as well as causes and effects as tuples or triples in a spreadsheet. We explored the data with a challenge analysis tool that derives relationships from the coded quotes and generates diagrams using the Graphviz tool suite3 . An example of the diagrams is shown as part of the findings 3

http://www.graphviz.org/

Towards Usable Authorization: From the Individual to the Organizational for Effective and Efficient Security

in Figure 1: causal edges connect causes with challenges, until reaching impacts on organizational goals at the bottom. The example above results in the edge from “Policy change issue” to “Circumvention”. Since our coding is significantly more detailed, we implemented three levels of details. At the most detailed level, all identified issues are shown with their causal and is-a relationships (“Password sharing” is a “Social circumvention”). In a more abstract representation, all is-a relationships are flattened and the edges of the detailed level lifted to their parent nodes. The most abstract form is the one shown in Figure 1 and only displays challenge categories. The different levels of abstraction allow us to both draw high-level conclusions and analyze the interrelations in detail. The darkness of the shade of the nodes in the diagrams refers to the number of mentions in the study. Moreover, the diagrams also convey meaning through their structure, the node connectedness, and their relative position. For example, the central location and high interconnectedness of the problem “Inadequate policy” in Figure 1 points to its relative importance. Problems situated closer to the top of diagrams more indirectly impact organizational goals, but have, as a consequence, a higher knock-on effect (e.g. “Implementation issues” in Figure 1). Beginning at the impacts on organizational goals in the bottom of the diagram and following the causal links backwards, we describe the most severe and frequently mentioned challenges in the following:

5.2 Restrictive policies and over-entitlements As stated for the functional staff persona Amber, the main direct impact of authorization on primary tasks results from its operation through missing permissions due to restrictive policies (40 mentions), often seen as frustrating and affecting productivity, particularly when accessing the Web (26): “all forums are blocked which is a bit of a pain. . . you are looking for sort of technical information. . . and you’ll find an old forum on it and you can’t view it so you kind of get ground to a halt”

9

changes, discussed below. A further reason is the nontransparency of policies (13), which leads, for example, to over-entitlement when stakeholders cannot keep track of who has permissions on folders so that previously required permissions remain. Generally, retained permissions (4) are seen as an important cause for overentitlement, for example, when an employee changes role within the organization.

5.3 Problems with requesting policy changes To correct restrictive policies and, less frequently, overentitlements, functional staff, such as Amber, request changes to the policy as part of the authorization operation. The most frequently mentioned issues are the required effort to request changes (15) and the change lead time (14), that is, the duration from requesting a change until its enactment in the system: “if someone. . . need to get access. . . immediately because it is job critical, then they will use that password in the meantime while they are waiting for theirs to come through.” The result from those issues is that the requester is forced to circumvent the authorization measure. The perception of the lead time and required effort also deters the functional stakeholder from requesting a permission in the first place, for example, when convenient circumvention is possible or the permission is only required temporarily. Similar to these issues are problems of unclear or ineffective procedures (13): “accesses were challenging at the time,. . . knowing who you go to, ask for what and how you know that that’s what you want. . . Shared areas. . . were. . . problematic in identifying where the data was, who needed to approve the access to it” In these cases, the procedures are unknown or known not to help, thus further increasing the perceived effort due to the need to discover the procedure or reducing the perceived effectiveness of pursuing a change of policy.

5.4 Problems with making policy changes In contrast, the opposite extreme in the continuum The second perspective on change procedure challenges between restrictive and lax permissions are over-entitlements. is from policy authoring, from those deciding on and imOver-entitlements (16) affect the organizational secuplementing the changes to the policies. Several of our rity when users have more permissions than necessary identified personas are involved in these activities, infor their work. Interviewees named a number of causes cluding functional managers (Lauren), technically-informed for restrictive policies and over-entitlements. The most functional staff (Emily), personal assistants (Brandon), important ones are related to the policy change proand administrators/developers (Nicole). Here, one issue cedures as well as to the decision-making for policy

10

Steffen Bartsch, M. Angela Sasse

Implementation issues

Policy decision issues

Non-transparent policy

Additional measures

Policy change issues

Inadequate policy

Circumvention

Dissatisfaction

Ineffective security

Policy review issues

Productivity impacts

Regulatory non-compliance

Fig. 1 Categorized authorization challenges

is the informality of procedures (3), leading, for example, to non-authoritative decisions (13): “The responsibility in my group was just given to people that were the most computer-savvy at the time.” The primary challenge for decision-makers is the lack of a high-level policy (5) that defines which permissions should be granted to whom. Determined to take appropriate decisions, decision-makers find it difficult to properly evaluate requests without this kind of guidance: “I don’t know about any policy on who should get access to my SharePoint site. It’s just based on need.” A common consequence is that many decisions are taken without a comprehensive consideration of the consequences of the decisions (17): “did somebody actually sit there and think ‘Do you need this access?’. . . I get a person come and says ‘Hey, somebody told me I need this, can I have it?’ ‘Give me this form and I can give it to you [signed].’ ” In this way, decisions are sometimes overly businessor security-driven, leading to over-entitlement and restrictive policies, respectively. In other cases, decisions are solely based on formalities, for example, neglecting to consider whether the access is actually necessary as long as the formalities, such as a specific training, are fulfilled by the requesting employee. Related to these issues is the problem of conflicts of authority (2), for example, when permissions are bargained between departments:

“one of the owners of the. . . shared drive, I’m one of the others, he was allowing all these other people, saying ‘I need to put so and so on.’ Well, I said ‘Do they have the [certification]? . . . You’ve given them access to all that information.’ ” In other cases, particularly when decisions are decentralized, the emotional costs of denials (2) are relatively high and might even lead to decision-makers taking inappropriate decisions: “there have been a couple of people that have been ‘Well, I’m not doing anything with it,’. . . ‘Why are you so difficult’ Another challenge arises from the implementation of authorization in information systems. In systems with inadequate authorization models (11), such as only offering coarse-grained restrictions, it is difficult to enforce the appropriate restrictions. “So all the things people are working on, everyone has access to. . . that’s the granularity that’s given. . . because of the logistics associated with managing that sort of access.” In some cases, the lack of usability of policy authoring also leads to high effort costs when employing finergrained restrictions, thus preventing precise restrictions. 5.5 Circumvention of authorization The interviewees frequently reported that authorization operation issues, foremost restrictive policies and the perceived effort for policy changes, lead to the circumvention of the system, for example, through sharing passwords with coworkers:

Towards Usable Authorization: From the Individual to the Organizational for Effective and Efficient Security

“Sometimes people don’t have access to information that they need to do their job and therefore the passwords are shared within teams. And I flagged that before, but it does happen, because it can take so long, months, to get something through. So it would be, ‘Use somebody else’s account.’ ” Overall, interviewees describe a high level of compliance in the organization, for example, generally feeling uneasy when not complying. Considering the general tendency to comply, the high number of mentions of circumventions related to authorization (58) is alarming. The identified circumventions differ widely in severity with respect to their impact on the organizational goals. Circumventions range from sending documents by email instead of changing the policy to the sharing of passwords to grant access. We grouped the types of circumventions into the following categories: – Workarounds (13): using technical means within the system, for example, using multiple accounts, – Technical circumvention (20): using technical means outside of the system, such as sending documents on physical media, – Social circumvention (25): employing social means to work around authorization measures, such as sharing passwords. We summarized the types of circumventions with examples and potential effects in Table 4 and found that circumventions impact five of the six organizational goals, including the productivity (security and functional efficiency), security effectiveness, regulatory compliance, and employee satisfaction.

5.6 Consolidating problems from literature and our study Prior literature focused primarily on problems related to policy authoring and did not systematically study the relation of authorization problems with their respective causes. Nevertheless, the identified problems in prior literature cover a broad range. In Table 5, we consolidate the problems in literature and those from the Authorization Problems Study in this chapter according to the structure used in the study: Since our focus lies on solving the problems, we group problems by the perspective that is primarily responsible for the problem and can most directly mitigate it, the originating perspective. Another interesting characteristic of the problems is which perspective they affect. For problems that are only present in literature, we analytically

Responsibility for problems and mitigation

Development and integration Strategic security management Tactical security management Operational security management Functional management

11

Affected artifact

Model and implementation Policy decision Change procedure Authorization policy Context and behavior Organizational security, productivity, and regulatory compliance

Fig. 2 Layered interrelations between issues with authoriza-

tion artifacts

assigned originating and affecting perspectives to enable a comparison with the problems from the study. For the problems from our study, we derived both from the identified interrelations of the problems. Most prior literature concerns the model and tool usability, and related problems caused by the development perspective. Problems originating from policy making and authoring are present to a lesser extent. Only a small proportion covers the causes for problems with policy decisions (strategic perspective), procedures (tactical), and how the daily use of authorization mechanisms influence the organization (functional). Table 5 displays the type of evidence that the publications base their arguments on (column “Literature”). While, generally, most publications in the field of authorization are analytical, the table shows that most problems, if reported previously, were identified empirically in field studies or laboratory experiments. As indicated by the column “Mentions in study” in Table 5, most of the consolidated problems were also described by our participants. In addition, our study covers a broader scope, including, for example, problems originating from the change procedures. Due to the broad spread of participants in the organization and no specific focus on administrative or development staff, our study emphasized problems affecting the functional perspective. As a result, the study does not cover three problems in prior literature that are caused by development and no problems affect strategy or tactics.

5.7 A holistic approach Our findings indicate that effectively solving the authorization problems requires addressing several interrelated aspects for the different perspectives. To visualize the layers and their relationships, we can abstract from the found causal relations and structure the problems by the affected artifact as depicted in Figure 2. In the diagram, the issues in upper-layer artifacts foremost af-

12

Steffen Bartsch, M. Angela Sasse

Table 4 Workarounds, technical and social circumventions of authorization measures

Workaround/circumvention Utilize tech. loopholes (6) Increase redundancy (3) Multiple accounts (2) Spare accounts (1) Make doc. public (1) Share through alternative media (12) Use private device (6) Use external system (2) Share passwords (21) Coworkers as proxy (3) Share logged-in account (1)

Example Rename attachment extension Copy a document to a place which can be accessed Switch between accounts for different permissions Teams e.g. prepare a number of accounts for new temps Move document to a public folder to allow access Send document by email or physically on CD, rather than changing the policy Access information not available from work devices from smartphone or home PC Post documents on an organization-external system to grant access to externals Share password instead of waiting for permissions to be changed Turn to coworkers for a task due to lacking permissions Have coworkers complete tasks at a logged-in computer

Affecting persp. D S T M A F O

Effects Functional inefficiencies Inefficient, non-transparent policy Undermines identity scheme, inefficient Potential missing traceability of activities Undermines policy enforcement Loss of control over data; potentially increased risk; redundancy of data Risks from data on devices not governed by organization’s security policy Risks from documents outside of the organization’s security realm Lack of traceability/audibility; breaking security policy Potentially inefficient Lack of traceability/audibility

Originating perspective

Literature

Mentions in study

x x x x x x x x x x

DSM D D DM D D

[3, 7, 8, 41] [14, 22, 23, 37, 48] [4, 12–14, 35–37, 41, 45, 50] [10, 26, 48, 50] [4, 22, 30, 37, 38, 50] [24, 52]

x x x x x x

S STD ST

– [12, 20, 42] –

T T T T T T

– – – – – [4, 8]

14 15 13 2 16 8

O O O O O O Fw

– [4, 41, 43] [42, 43, 45, 49] [48]

17 – 16 52

O O Fw O Fw O

[25]

58

O

– – – –

17 27 40 7

O O O O

Context

Development

Model expressiveness Comprehensibility of paradigm Comprehensibility of policy Non-transparent policy Modification usability Implementation difficulties

x

35 – – 13 2 –

O G G O O O

9 2 9

O O O

S OA O Fs Fp Fs Fp A K

Security strategy

Insufficient decision guidance Decision effort and complexity Policy review usability Security tactics

Change lead-time Change request effort Unclear, lacking, ineffective proc. Procedure circumvention Ineffective procedure execution Inefficient procedure execution

x x x x x x

x x

Policy making and authoring

Non-comprehensive decision Policy complexity Over-entitlement Restrictive policy

x x x x x

M M M M

x

F

x x x x

F F F F

x

S D A A

Functional management

Circumvention Organization

Dissatisfaction Ineffective security Reduced productivity Regulatory non-compliance

MT AM MT AM

SD TS S TS

Table 5 Consolidated authorization problems from literature and our study. Perspectives: D: development, S: strategy, T: tactics, M: policy making, A: policy authoring, F: functional, O: organization. Literature argumentation: F: field study, L: laboratory experiment, A: analytical. Contexts: O: organizational, S: social networks, G: grid, A: application authorization, Fs: file sharing, Fp: file permissions, K:

kernel, Fw: firewall.

Towards Usable Authorization: From the Individual to the Organizational for Effective and Efficient Security

13

Table 6 Artifacts in authorization and examples of how problems with them affect other layers

Artifact Model, implementation Policy decision Change procedure Authorization policy Context and behavior

Responsibility Development, integration Strategic sec. management Tactical sec. management Operational sec. mgmt. Functional management

Activity Develop, integrate Make highlevel policy Design process Change policy Influence behavior

Example issue Unusable model or interface Missing high-level policy High change lead time, inefficient procedure Restrictive policy, permissive policy Reduced productivity, circumvention

Primarily affected Policy author Policy author, decisionmaker Functional staff, policy author, decision-maker Functional staff, organization Organization

Example mitigation Improve model or tool usability Provide high-level policy Establish light-weight procedure Grant adequate permissions Increase risk awareness

fect lower layers and ultimately the organizational goals (cf. Table 6).

6.1 Microsoft SharePoint

Prior work on authorization problems primarily focused on policy authoring (cf. Section 2.3), which can be found in the Authorization policy layer. From the interrelations between the given layers, we can expect that such a selective focus will only solve part of the problem. There are indirect effects of higher layers that will reduce the effectiveness of mitigations on individual layers. One of the examples given in Table 6 is the missing guidance for decisions on the Policy decision layer that impacts the adequacy of policy changes. If this problem exists, focusing selectively on the usability of the configuration interface might prove ineffective. Instead, we need to broaden the analysis and mitigation of problems with organizational authorization.

Microsoft SharePoint is used in the organization to share documents within teams and departments as well as organization-wide. Departments and teams develop and operate local SharePoint sites. This includes the management of the authorization policy that grants access to the SharePoint-hosted resources on an employee level. Staff can request access to resources by clicking on a dedicated link when access is denied and thus send an email to resource-specific policy maker, who then decides on the appropriateness of the request. Problems primarily occur due to permissive policies and circumventions of the authorization measures in the system, impacting the effective security and regulatory compliance. For example, staff use email for sharing documents instead of adapting the policy. The reason often are inadequate policies that result from problems with the change procedures and decisions, which are detailed in Table 7. Implementation problems, such as usability problems with the policy management, and the lack of transparency of the policies – preventing effective policy reviews – affect organizational goals as well, but to a lesser degree.

6 Applying the holistic, organizational approach In the previous section, we studied the general causalities of problems surrounding authorization and showed how these interrelate in a holistic model. However, the diverse information systems in the organization have very different characteristics that manifest in the respective authorization context. To show how the holistic model enables a more thorough analysis in an organizational approach, we apply it to specifically compare two authorization contexts in the studied organization. We selected the context of two document-sharing systems – “Shared folders” and Microsoft SharePoint – for a focused, comparative analysis. These systems were both mentioned frequently, but have opposing characteristics, and represent different degrees of formality and of centralization of the change procedures and decisionmaking.

6.2 Shared folders Shared folders represent the traditional way of sharing documents in the organization and are meant to be replaced by the above-discussed SharePoint infrastructure in the long run. Users access a shared network drive from their desktop through the file explorer. Authorization is primarily enforced on a folder level. In contrast to the SharePoint procedures, folder permissions are granted to employees through a centralized process. The policy change procedures were mentioned in the interviews most frequently as challenges that impact, directly or indirectly, on the effectiveness of security, productivity, and regulatory compliance. The pol-

14

Steffen Bartsch, M. Angela Sasse

Table 7 Comparing mentions of problems with decisions and

procedures

Issues Decentralized decisions Required/present expertise Lack of high-level policy Non-comprehensive decision Business-driven decisions Coarse-grained restrictions Lack of usability Change lead time Required change effort Ineffective procedures Availability of authority Informal procedure Inefficient procedure Unclear procedure Conflicts of authority Non-authoritative decision Effects Loss of traceability Over-entitlement Restrictive policy Circumvention Inefficient security Functional efficiency

SharePoint Dec. Proc. 2 5 3 3 1 2 2 2

Shared fold. Dec. Proc.

1 7 4 2 1 1 5 4 1 1

2 2 1 1 5 2 5

23

8 1 8 2 3 29

9

6 13 5 9 59

icy change issues are given in Table 7, notably including the high perceived change effort and change lead time.

6.3 The effects of the differences of contexts Structuring the identified problems according to the holistic model, we can observe a number of differences when examining the problems with change procedures and policy decisions for the two systems. Specifically, procedure issues appear to be more prevalent for Shared folders (cf. Table 7, column “Proc.”). For instance, the change lead time and the required change effort is most relevant for Shared folders. Similarly, there is less mention of circumvention and productivity impacts from hindering work or inefficient procedures for SharePoint sites. While the SharePoint procedure has fewer negative impacts overall, there can be more severe problems with the procedure if, for example, the responsible person does not respond: “Sometimes you don’t get a response for months and you don’t know who to chase. At least with the Shared folders [process] you’ve got the request number and you can ring up about it.”

Overall, the severity index of procedure issues, derived from the sum of mentions, shown in the bottom row of the table, is significantly lower for SharePoint. A second area of effects of the differences between the contexts are the decisions on policy changes. As the severity index in the table indicates, decision problems are significantly more frequent for SharePoint than for Shared folders. Primarily, there is a concern in the case of SharePoint that due to the local decisions and the informal nature of the procedure, the decisions might not in all cases be adequate and the local policy administrators may lack security expertise: “a user who is not trained properly can actually give, access to everything quite easily through a couple of clicks, um, in SharePoint I think it is quite easy to not give access to the right areas. . . because it has quite a confusing way of giving permissions” In contrast, there is only a small number of mentions of decision problems for Shared folders. Overall, the holistic approach enabled a broader analysis of the problems in the two contexts and showed the significance of the entire design of the measure. Particularly, our findings indicate that it is more efficient to have decisions taken and enacted locally than in a centralized procedure. Problems with local changes foremost arise from overly informal procedures and a lack of expertise in decision-making. These results are in line with Pallas’ theory [33], which predicts the trade-off between hierarchical and market forms of coordination for information security in organizations. Particularly, we see the effects of information asymmetries in the lack of expertise of local decision-makers and the high hierarchical coordination costs for centralized decisions.

7 Discussion We analyzed 118 interviews for challenges with authorization measures and their interrelation with organizational goals. The study is only based on interviews in one organization and the subjective data drawn from them so that we must be careful when drawing general conclusions from the number of mentions. However, the organization has very diverse authorization contexts and the rich data set includes a wide variety of stakeholders. Thus, the results offer a detailed description of the problems, make a case for organizations to address them, and should serve as an initial hypothesis for further, quantitative research. Our study confirms prior research regarding how authorization models and policy authoring tools impact the authorization usability. Beyond prior findings, we

Towards Usable Authorization: From the Individual to the Organizational for Effective and Efficient Security

identified significant issues with the operation of authorization from the procedures for policy changes and the decision-making part of policy authoring. Moreover, we showed that the authorization issues are deeply interrelated and affect the organizational goals of effective security and productivity. One common consequence of problems with authorization is the circumvention of the security measure. Interestingly, while Adams and Sasse [2] showed how users circumvent security measures due to a lack of security awareness, our participants reported a high number of circumventions to complete their work despite being security-conscious and uncomfortable with breaking the policy. This trade-off between productivity and security risks supports the economic models on security compliance [9, 21]. On an organizational level, we showed that the degree of centralization and formality is a crucial factor in designing authorization measures as predicted by Pallas’ theories on organizational information security [33]. Centralized and formal procedures simplify traceability and sound decisions, but increase hierarchical coordination costs. Conversely, delegated, localized decisions and procedures may reduce overhead and circumventions, and increase productivity, at the cost of information asymmetries. From our results, we recommend the following for the design of authorization measures and beyond:

7.1 Guide and monitor circumventions Participants of our study reported numerous types of circumventions that impacted the effective security, their productivity, and their satisfaction. To mitigate their negative effects, we can address the circumventions: – Foster adequate circumventions: Participants of our study reported that they would have to wait for policies to be changed to complete their task if they did not circumvent the authorization measure. Circumventions are thus not necessarily the inferior option, particularly when considering the impact on productivity. However, the participants also stated that they feel uncomfortable when they need to break a security policy in the process. To improve on this situation and since architectural means cannot entirely prevent circumventions, organizations should rather foster the adequate circumventions, guiding what circumventions are reasonable and in what situations. Formal rules through security policy and informal rules through common understanding in teams must complement architectural measures, as

15

emphasized, for example, by Pallas [33] and Whalen et al. [48]. – Monitor circumventions and additional measures: Our findings on the effects of authorization problems show that circumventions are a good indicator of underlying problems and should be monitored closely to identify optimization potential for existing policies and procedures. Similarly, additional authorization measures, such as passwords on shared documents, can indicate that the available authorization models, policy authoring tools, or change procedures are inadequate.

7.2 Establish adequate procedures We found many cases in which the procedures for policy changes caused authorization issues. These issues are part of the operation of authorization, so that this extends the prior work on supporting the communication between stakeholders in policy authoring (see Section 2.3).

– Define and communicate procedures: Procedure ambiguity and informality have serious effects on the effectiveness of change operations and organizational productivity. For instance, participants did not know how to request permission changes. Clearly communicating the procedures to functional stakeholders will also lower the threshold for requesting changes. – Reduce the (perceived) change lead time and change effort: Circumventions were often caused by the duration for the changes to be enacted and the effort to initiate changes. Applying economic models to security usability (see Section 2.4), indicates that we need to reduce the costs of compliance. We thus expect that a reduction of change lead-time and effort and their perception will result in a reduction of circumventions. – Adjust the degree of centralization and formalization: Our observations on the different authorization contexts show that decentralized and informal procedures can be beneficial. This is also supported by economic models of information security management [33]. However, the adequate procedures depend on the context and, for instance, policy makers must have baseline security expertise (see below) and the procedures must remain traceable in many environments.

16

7.3 Support policy decisions Our findings indicate that many authorization challenges originate in the decision-making part of policy authoring: – Provide high-level policies on authorization decisions: Decision-makers stated that they lacked any guidance on what decisions on grant and denials were appropriate. One way to provide support is through high-level policies on how to decide on requests. Similar to the high-level policies on circumvention, these policies need to be adequate for the specific context, actionable, and comprehensible. A related option to support policy makers is to offer dedicated tools that help in the decision-making process. These can collect factors on the sensitivity of the data and potential consequences of unintended disclosures as well as request-specific factors, such as the purpose of the request. From these factors, a comprehensible overview of decision factors may then be generated to increase the awareness for the full breadth of aspects. This follows the similar suggestions on decision support, such as for password policies [34] and security investments [11], and may also include the risk perception of functional staff [16]. – Increase the expertise and awareness of policy makers: Participants further stated that decisions were often biased, for example, from formalities, business or security perspectives. Additional expertise and awareness on consequences from decisions, both on risks from grants and functional impacts from denials, can help to improve the appropriateness of decisions (cf. psychological effects on security decisions [47]). – Improve authorization models and management tools: Participants described how they are impacted by problems with the authorization model and the lack of usability of policy-management tools. These findings support prior work on policy editing and problems in practice (Sections 2.1 and 2.3) that emphasize the necessity of appropriate policy editing tools and authorization models for effective measures.

7.4 Towards holistic research in HCISec The identified problems and derived recommendations for authorization measures, particularly those beyond prior research, cover a broad spread of perspectives of stakeholders on authorization. To elicit problems, such as related to the procedures of requesting permissions or to the decision-making, we needed to explicitly con-

Steffen Bartsch, M. Angela Sasse

sider the entire measure and the interrelation of the perspectives and their problems. Specifically, we took a three-step approach: 1. Identify the perspectives and their interrelation with respect to the measure. We are thus considering the authorization as a boundary object between stakeholders from diverse disciplines [44]; 2. Collect and structure data on problems from the identified perspectives; 3. Analyze the interrelation among the problems and with overarching goals. Beyond the findings specific to authorization, we thus showed that employing a holistic and organizational approach that explicitly considers the diverse perspectives on a security measure and the interrelation of the problems, provides a more complete picture of the problems. We consider the employed method a promising research approach to more fundamentally improve the effectiveness and efficiency of security. Acknowledgements We would like to thank the organiza-

tion, which remains anonymous, for enabling the research, the interviewees for investing their time, and the interviewers for their great work. We are also grateful for the insightful comments by Adam Beautement on earlier versions of this work.

References 1. Adams, A., Lunt, P., Cairns, P.: A qualitative approach to HCI research. Cambridge Univ. Press, Cambridge (2008) 2. Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42, 40–46 (1999). DOI 10.1145/322796. 322806 3. Ahern, S., Eckles, D., Good, N.S., King, S., Naaman, M., Nair, R.: Over-exposed?: privacy patterns and considerations in online and mobile photo sharing. In: CHI ’07: Proceedings of the SIGCHI conference on Human factors in computing systems, pp. 357–366. ACM, New York, NY, USA (2007). DOI 10.1145/1240624.1240683 4. Al-Shaer, E.S., Hamed, H.H.: Firewall Policy Advisor for anomaly discovery and rule editing. In: Integrated Network Management, 2003. IFIP/IEEE Eighth International Symposium on (2003). DOI 10.1109/INM.2003. 1194157 5. Anderson, R.: Why Information Security is Hard-An Economic Perspective. In: ACSAC ’01: Proceedings of the 17th Annual Computer Security Applications Conference, pp. 358–. IEEE Computer Society, Washington, DC, USA (2001) 6. Baskerville, R., Siponen, M.T.: An information security meta-policy for emergent organizations. Logistics Information Management 15(5/6) (2002) 7. Bauer, L., Cranor, L.F., Reeder, R.W., Reiter, M.K., Vaniea, K.: A user study of policy creation in a flexible access-control system. In: CHI ’08: Proceeding of the twenty-sixth annual SIGCHI conference on Human

Towards Usable Authorization: From the Individual to the Organizational for Effective and Efficient Security

8.

9.

10.

11.

12.

13.

14.

15. 16.

17. 18.

19. 20.

21.

22.

23.

factors in computing systems, pp. 543–552. ACM, New York, NY, USA (2008). DOI 10.1145/1357054.1357143 Bauer, L., Cranor, L.F., Reeder, R.W., Reiter, M.K., Vaniea, K.: Real life challenges in access-control management. In: CHI ’09: Proceedings of the 27th international conference on Human factors in computing systems, pp. 899–908. ACM, New York, NY, USA (2009). DOI 10.1145/1518701.1518838 Beautement, A., Sasse, M.A., Wonham, M.: The Compliance Budget: Managing Security Behaviour in Organisations. In: NSPW ’08: Proceedings of the 2008 Workshop on New Security Paradigms, pp. 47–58. ACM (2008). DOI 10.1145/1595676.1595684 Becker, M.Y., Nanz, S.: The Role of Abduction in Declarative Authorization Policies. In: P. Hudak, D.S. Warren (eds.) Symposium on Practical Aspects of Declarative Languages (PADL 2008), Lecture Notes in Computer Science, vol. 4902, pp. 84–99. Springer (2008) Beresnevichiene, Y., Pym, D., Shiu, S.: Decision support for systems security investment. In: Network Operations and Management Symposium Workshops (NOMS Wksps), pp. 118–125 (2010). DOI 10.1109/NOMSW.2010. 5486590 Bertino, E., Calo, S., Chen, H., Li, N., Li, T., Lobo, J., Molloy, I., Wang, Q.: Some Usability Considerations in Access Control Systems. In: USM ’08: Workshop on Usable IT Security Management (2008) Blakley, B.: The Emperor’s old armor. In: NSPW ’96: Proceedings of the 1996 workshop on New security paradigms, pp. 2–16. ACM, New York, NY, USA (1996) Brostoff, S., Sasse, M.A., Chadwick, D.W., Cunningham, J., Mbanaso, U.M., Otenko, S.: ’R-What?’ Development of a role-based access control policy-writing tool for eScientists. Softw., Pract. Exper. 35(9), 835–856 (2005). DOI 10.1002/spe.691 Bryman, A.: Quantity and quality in social research. Unwin Hyman, London, UK (1988) Coles, R., Hodgkinson, G.P.: A Psychometric Study of Information Technology Risks in the Workplace. Risk Analysis 28(1), 81–93 (2008). DOI 10.1111/j.1539-6924. 2007.00963.x Cooper, A., Reimann, R., Cronin, D.: About face 3: The essentials of interaction design. Wiley (2007) Faily, S., Flechais, I.: Persona Cases: A Technique for grounding Personas. In: CHI ’11: Proceedings of the 2011 annual conference on Human factors in computing systems. ACM, Vancouver, BC, Canada (2011) Flyvbjerg, B.: Five Misunderstandings about Case-Study Research. In: Seale et al. [40] Gallaher, M.P., O’Connor, A.C., Kropp, B.: The Economic Impact of Role-Based Access Control. Planning Report 02-1 for the NIST (2002) Herley, C.: So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. In: NSPW ’09: Proceedings of the 2009 workshop on New security paradigms (2010) Herzog, A., Shahmehri, N.: A Usability Study of Security Policy Management. In: Security and Privacy in Dynamic Environments (SEC), vol. 201, pp. 296–306. Springer (2006) Inglesant, P., Sasse, M.A., Chadwick, D., Shi, L.L.: Expressions of expertness: the virtuous circle of natural language for access control policy specification. In: SOUPS ’08: Proceedings of the 4th symposium on Usable privacy and security, pp. 77–88. ACM, New York, NY, USA (2008). DOI 10.1145/1408664.1408675

17

24. Jaeger, T., Edwards, A., Zhang, X.: Consistency analysis of authorization hook placement in the Linux security modules framework. ACM Trans. Inf. Syst. Secur. 7(2), 175–205 (2004). DOI 10.1145/996943.996944 25. Johnson, M., Bellovin, S., Reeder, R., Schechter, S.: Laissez-faire file sharing: access control designed for individuals at the endpoints. In: New Security Paradigms Workshop 2009, pp. 1–10 (2009). DOI 10.1145/1719030. 1719032 26. Kapadia, A., Sampemane, G., Campbell, R.H.: KNOW Why your access was denied: regulating feedback for usable security. In: CCS ’04: Proceedings of the 11th ACM conference on Computer and communications security, pp. 52–61. ACM, New York, NY, USA (2004) 27. Kotulic, A.G., Clark, J.G.: Why there aren’t more information security research studies. Information & Management 41(5), 597–607 (2004). DOI 10.1016/j.im.2003.08. 001 28. Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in distributed systems: theory and practice. ACM Trans. Comput. Syst. 10, 265–310 (1992). DOI 10.1145/138873.138874 29. Lawrence, P.R., Lorsch, J.W.: Organization and environment. Managing differentiation and integration. Irwin, Homewood (1969) 30. Maxion, R.A., Reeder, R.W.: Improving user-interface dependability through mitigation of human error. International Journal of Human-Computer Studies 63(1-2), 25–50 (2005). DOI 10.1016/j.ijhcs.2005.04.009 31. Mintzberg, H.: Structure in 5’s: A Synthesis of the Research on Organization Design. Management Science 26(3) (1980) 32. NIST: Special Publication 800-12: An Introduction to Computer Security – The NIST Handbook. Tech. rep., National Institute of Standards and Technology (1995). URL http://csrc.nist.gov/publications/ nistpubs/800-12/800-12-html/index.html

33. Pallas, F.: Information Security Inside Organizations – A Positive Model and Some Normative Arguments Based on New Institutional Economics. Ph.D. thesis, TU Berlin (2009) 34. Parkin, S., van Moorsel, A., Inglesant, P., Sasse, M.A.: A stealth approach to usable security: helping IT security managers to identify workable security solutions. In: NSPW ’10: Proceedings of the 2010 workshop on New security paradigms, pp. 33–50. ACM, New York, NY, USA (2010). DOI 10.1145/1900546.1900553 35. Reeder, R.W., Bauer, L., Cranor, L.F., Reiter, M.K., Bacon, K., How, K., Strong, H.: Expandable grids for visualizing and authoring computer security policies. In: CHI ’08: Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, pp. 1473–1482. ACM, New York, NY, USA (2008). DOI 10.1145/1357054.1357285 36. Reeder, R.W., Bauer, L., Cranor, L.F., Reiter, M.K., Vaniea, K.: More than skin deep: measuring effects of the underlying model on access-control system usability. In: CHI ’11: Proceedings of the 2011 annual conference on Human factors in computing systems, pp. 2065–2074. ACM, New York, NY, USA (2011). DOI 10.1145/1978942.1979243 37. Reeder, R.W., Karat, C.M., Karat, J., Brodie, C.: Usability Challenges in Security and Privacy Policy-Authoring Interfaces. In: M.C.C. Baranauskas, P.A. Palanque, J. Abascal, S.D.J. Barbosa (eds.) INTERACT (2), Lecture Notes in Computer Science, vol. 4663, pp. 141–155. Springer (2007)

18 38. Rode, J., Johansson, C., DiGioia, P., Filho, R.S., Nies, K., Nguyen, D.H., Ren, J., Dourish, P., Redmiles, D.: Seeing further: extending visualization as a basis for usable security. In: SOUPS ’06: Proceedings of the second symposium on Usable privacy and security, pp. 145–155. ACM, New York, NY, USA (2006). DOI 10.1145/1143120.1143138 39. Schermerhorn, J.R., Hunt, J.G., Osborn, R.N.: Organizational Behavior, 10th ed. edn. Wiley (2008) 40. Seale, C., Gobo, G., Gubrium, J.F., Silverman, D. (eds.): Qualitative Research Practice. SAGE, London, UK (2007) 41. Sikkel, K., Stiemerling, O.: User-Oriented Authorization in Collaborative Environments. In: COOP ’98 (1998) 42. Sinclair, S., Smith, S.W., Trudeau, S., Johnson, M.E., Portera, A.: Information Risk in Financial Institutions: Field Study and Research Roadmap. In: Proceedings for the 3rd International Workshop on Enterprise Applications and Services in the Finance Industry, pp. 165–180 (2008). DOI 10.1007/978-3-540-78550-7 11 43. Smetters, D.K., Good, N.: How users use access control. In: SOUPS ’09: Proceedings of the 5th Symposium on Usable Privacy and Security, pp. 1–12. ACM, New York, NY, USA (2009). DOI 10.1145/1572532.1572552 44. Star, S.L., Griesemer, J.R.: Institutional Ecology, ‘Translations’ and Boundary Objects: Amateurs and Professionals in Berkeley’s Museum of Vertebrate Zoology, 1907-39. Social Studies of Science 19(3) (1989). DOI 10.1177/030631289019003001 45. Vaniea, K., Cranor, L.F., Ni, Q., Bertino, E.: Access Control Policy Analysis and Visualization Tools for Security Professionals. In: USM ’08: Workshop on Usable IT Security Management (2008) 46. Varadharajan, V., Crall, C., Pato, J.: Issues in the design of secure authorization service for distributed applications. In: Global Telecommunications Conference (GLOBECOM 98). IEEE Computer Society (1998). DOI 10.1109/GLOCOM.1998.776857 47. West, R.: The psychology of security. Commun. ACM 51, 34–40 (2008). DOI 10.1145/1330311.1330320 48. Whalen, T., Smetters, D.K., Churchill, E.F.: User experiences with sharing and access control. In: CHI ’06 extended abstracts on Human factors in computing systems, pp. 1517–1522. ACM, New York, NY, USA (2006). DOI 10.1145/1125451.1125729 49. Wool, A.: A quantitative study of firewall configuration errors. Computer 37(6), 62–67 (2004). DOI 10.1109/MC. 2004.2 50. Yee, K.P.: Guidelines and Strategies for Secure Interaction Design. In: L.F. Cranor, S. Garfinkel (eds.) Security and usability: designing secure systems that people can use. O’Reilly (2005) 51. Zurko, M.E., Simon, R., Sanfilippo, T.: A User-Centered, Modular Authorization Service Built on an RBAC Foundation. In: S&P ’99: Proceedings of the 1999 IEEE Symposium on Security and Privacy. IEEE Computer Society, Los Alamitos, CA, USA (1999). DOI 10.1109/SECPRI. 1999.766718 52. Zurko, M.E., Simon, R.T.: User-centered security. In: NSPW ’96: Proceedings of the 1996 workshop on New security paradigms, pp. 27–33. ACM, New York, NY, USA (1996). DOI 10.1145/304851.304859

Steffen Bartsch, M. Angela Sasse