How Users Bypass Access Control - And Why: The Impact Of Authorization Problems On Individuals And The Organization
Authors
Abstract
Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not consider the full range of underlying problems and their impact on organizations. We present a study of 118 individuals' experiences of authorization measures in a multi-national company, and their self-reported subsequent behavior. Building on recent research that applies economic models to show the impact of a lack of usability, we analyze the interrelations of authorization issues with individuals' behaviors and organizational goals. Our results indicate that authorization problems significantly reduce the productivity and effective security of organizations. We analyzed the authorization problems of different stakeholders and found that they are mostly caused by the procedures for policy changes (e.g. long change lead-times) and by decision-making (e.g. inexperienced decision makers); the consequence is the circumvention of access control (e.g. by sharing passwords). As one research contribution, we develop a holistic model of authorization problems. More practically, we recommend providing guidance on non-compliance, such as password sharing, and establishing light-weight procedures for policy changes with adequate degrees of centralization and formalization, and support for decision-making.
Similar resources
How Users Bypass Access Control and Why: The Impact of Authorization Problems on Individuals and the Organization (24/05/2012)
Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not show the full range of problems, their impact on organizations, and underlying causes. We present a study of 118 individuals' e...
Authorization models for secure information sharing: a survey and research agenda
This article presents a survey of authorization models and considers their 'fitness-for-purpose' in facilitating information sharing. Network-supported information sharing is an important technical capability that underpins collaboration in support of dynamic and unpredictable activities such as emergency response, national security, infrastructure protection, supply chain integration and emerg...
Access control in ultra-large-scale systems using a data-centric middleware
The primary characteristic of an Ultra-Large-Scale (ULS) system is its ultra-large size on any related dimension. A ULS system is generally considered a system-of-systems with heterogeneous nodes and autonomous domains. As the size of a system-of-systems grows, and the demand for interoperability between sub-systems increases, achieving a more scalable and dynamic access control system becomes an im...
A combination of semantic and attribute-based access control model for virtual organizations
A Virtual Organization (VO) consists of several real organizations with common interests, and aims to provide inter-organizational associations that reach common goals by sharing resources with each other. Providing security mechanisms, and especially a suitable access control mechanism that enforces the defined security policy, is a necessary requirement in VOs. Since a VO is a complex ...
Role Based Access Mechanism in Cloud Computing: Survey
Cloud computing provides people with a way to share distributed resources and services that belong to different organizations or sites. In cloud computing there is at present no authorization recycling approach. The aim of the paper is to study an authorization recycling approach used with role-based access control, where access decisions are based on the roles that individual users have as part of...