Research on access control policy configuration
Manya and Shuai

Outline
• Quick overview of some research
  – Grey
  – Expandable Grid
  – SPARCLE
  – Reactive access control
• Discussion of experimental design
  – Issues
  – Activity!

Grey
• Smartphone application for physical access control (CIC doors) via Bluetooth
• Based on certificates that can be delegated to others
  – All certificates
  – One-time delegation
  – Group-based
L. Bauer, L. Cranor, M. Reiter, and K. Vaniea. Lessons learned from the deployment of a smartphone-based access-control system. SOUPS 2007.

Grey: utility analysis
• Wanted ground-truth preferences to evaluate system
• Interviewed 29 participants about the policies they were trying to create with Grey/keys
  – Ideal policies: “Who they wanted to provide access to and under what conditions”
• Coded actual policies
L. Bauer, L. Cranor, R. W. Reeder, M. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control system. CHI 2008.

Grey: utility analysis
• Grey matched ideal policies better than keys
  – Hidden keys
  – Lack of logging/notification
  – Difficult to give people keys/track keys
  – Lack of flexibility with keys
L. Bauer, L. Cranor, R. W. Reeder, M. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control system. CHI 2008.

Grey: design principles
• Perceived speed and convenience are critical to user satisfaction and acceptance
• A single failure can strongly discourage adoption
• Users won’t use features they don’t understand
• Low overhead for creating and changing policies encourages policy change
L. Bauer, L. Cranor, M. Reiter, and K. Vaniea. Lessons learned from the deployment of a smartphone-based access-control system. SOUPS 2007.

Expandable grid
• Goals:
  – Viewing policy
  – Changing policy
  – Viewing composite value memberships
  – Detecting and resolving conflicts
• Overview of entire policy
• Transparent hierarchies
R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer Security Policies. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.

Expandable Grid: usability testing
• 36-subject lab study
• Expandable grid vs. Windows XP
• TA administering server for music department
  – Basic training on system
  – Simple and complex policy creation and interpretation tasks
• Expandable grid participants did better in terms of accuracy and time
R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer Security Policies. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.

Expandable grid: conflict resolution
• Usability of conflict resolution
  – E.g. People in the class can see my photos but Rebecca can’t
• Methods:
  – Specificity precedence
  – Deny precedence
• Windows: combination
• Grid: use specificity precedence if possible
R. Reeder, L. Bauer, L. Cranor, M. Reiter, K. Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system usability. CHI 2011.

Expandable grid: conflict resolution usability testing
• 3 conditions
  – Windows with Windows method
  – Grid with Windows method
  – Grid with tested method
• 54 subjects
• Music department TA lab test
• Six tasks that tested conflict resolution
• Based on accuracy rate, tested method better when subject needed to take corrective action
R. Reeder, L. Bauer, L. Cranor, M. Reiter, K. Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system usability. CHI 2011.

SPARCLE
• Policies as natural language sentences
  – User, action, data, purpose, condition
  – Must be one sentence, specific order of elements
  – Ex: Loan officers can use credit history or salary to make loan decisions
• Workbench displays results of parsed rule, allows modifications
C. Brodie, C-M Karat, J. Karat. “An Empirical Study of Natural Language Parsing of Privacy Policy Rules Using the SPARCLE Policy Workbench.” SOUPS 2006.
http://domino.research.ibm.com/comm/research_projects.nsf/pages/sparcle.index.html

SPARCLE: usability
• Syntax highlighting to help with parsing
• 17 participants, two conditions (highlighting, control)
• Two policy creation tasks
• Participants who used highlighting liked it but performed no better
K. Vaniea, C.M. Karat, J.B. Gross, J. Karat, and C. Brodie. Evaluating Assistance of Natural Language Policy Authoring. SOUPS 2008.

Reactive access control
• Users determine access control when resource requested
• 24-participant experience-sampling study
• Asked for preferences for set of friends/files before/after study
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, Lorrie Faith Cranor. Exploring Reactive Access Control. CHI 2011.

Reactive access control
• User preferences changed over course of week
• Varied based on context, social situations, resources
• Users liked reactive decisions
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, Lorrie Faith Cranor. Exploring Reactive Access Control. CHI 2011.

Issues for experimental design
• Secondary task
• Training often needed/outside expected range
• Decision to use users’ content or created tasks
  – Lab study v. field study
  – How to simulate risk in lab?
  – How to measure ground truth preferences
• Control case
• Other issues?

Your task: Help Kami!
• Kami created a system that visualizes photo sharing system permissions
• Two conditions:
  – Sidebar: visualization beside photos
  – Under photo: visualization under photos
• Would like to know if either of her visualizations is effective and, if so, which is more effective.
In groups of 3-4, please design a study to help her.
• Keep in mind:
  – Access control is a secondary task: we need to test users’ abilities to notice permission errors
  – Time is an issue (Kami wants to graduate!)

Kami’s solution
• Task-based lab study
• Started with simple tutorial:
  – Included explanation of permissions and other aspects
  – Goal was to “bury” permissions in everything else
• Pat Jones scenario
  – Told subjects they were Pat Jones
  – 3 blocks of 4 emails that asked Pat Jones to do tasks (some related to permissions)
  – Set up each block with an overview of Pat’s life to provide context for permissions

Kami’s solution: example

Information: Adventures
Despite having a normal desk job you really like to go out and do fun things on the weekends. When it comes to exciting activities like sky diving you will try anything once. You make sure to post photos of all your adventures so your friends can see. However, your mother is one of those people who panics easily and you know if she ever saw a photograph of you diving out of an airplane you would never hear the end of it. So you make sure not to mention some of your more exciting adventures.

To: Pat Jones <pat@jones.com>
From: Mom <samantha@jones.com>
Subject: Are you ok?

Pat,
Are you all right? Are you ok? I just sent Aunt Sue a link to Jennifer's Baby pictures and she sent me back this photo of you jumping off a building. A BUILDING! Are you crazy? What were you thinking? Do you realize how dangerous what you are doing is? People die from this! Uncle David already thinks I'm a poor mother, if he sees these photographs I will NEVER hear the end of it. And he is going to be looking as soon as he gets home because I already sent him a link to Jennifer's Baby pictures. What were you thinking? How could you do this to me? Please, please make sure no more of our family see these photographs.
Mom

Appendix

Your task: Help Kami!
• Kami created a new policy configuration system for Gallery (open source photo sharing site)
• Two test conditions:
  – Side bar: visualization beside photos
  – Under photo: visualization under photos
• Which one’s better?
• Is either of them better than a control?

If you want to check it out: http://snappgallery.com/index.php/ (Login: Manya Sleeper)

Under photo condition (appears under each photo on mouseover)
Sidebar condition (always visible on side of screen)
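
The two conflict-resolution methods named on the Expandable Grid slides, specificity precedence and deny precedence, evaluated side by side on the slide's class/Rebecca policy and on its reverse. This is an added example, not code from the cited papers or systems; the rule model, the group data, the default-deny result when no rule applies and the deny fallback for equally specific conflicting rules are assumptions.

```python
# Added illustration: all names and data are constructed, not taken from
# the Expandable Grid or Windows implementations.
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class Rule:
    principal: str   # a user name or a group name
    resource: str
    effect: str      # ALLOW or DENY

# Constructed sample data: Rebecca is a member of the class group.
GROUPS = {"class": {"rebecca", "sam", "lee"}}

def matching(rules, user, resource):
    """Yield (rule, distance): 0 = rule names the user, 1 = applies via a group."""
    for r in rules:
        if r.resource != resource:
            continue
        if r.principal == user:
            yield r, 0
        elif user in GROUPS.get(r.principal, ()):
            yield r, 1

def deny_precedence(rules, user, resource):
    """Any applicable deny wins, however general the rule that carries it."""
    effects = {r.effect for r, _ in matching(rules, user, resource)}
    if DENY in effects:
        return DENY
    return ALLOW if ALLOW in effects else DENY   # assumption: default deny

def specificity_precedence(rules, user, resource):
    """The most specific applicable rule wins (user rule beats group rule)."""
    hits = list(matching(rules, user, resource))
    if not hits:
        return DENY                              # assumption: default deny
    best = min(d for _, d in hits)
    effects = {r.effect for r, d in hits if d == best}
    # Assumption: equally specific rules that disagree fall back to deny.
    return ALLOW if effects == {ALLOW} else DENY

def compare(rules, user, resource="photos"):
    """Return (deny-precedence result, specificity-precedence result)."""
    return (deny_precedence(rules, user, resource),
            specificity_precedence(rules, user, resource))

# Slide example: people in the class can see my photos but Rebecca can't.
CLASS_NOT_REBECCA = [Rule("class", "photos", ALLOW), Rule("rebecca", "photos", DENY)]
# Reverse exception: the class is blocked, Rebecca alone is let in.
ONLY_REBECCA = [Rule("class", "photos", DENY), Rule("rebecca", "photos", ALLOW)]
```

Both methods agree on the slide's example; they diverge on the reverse exception, where deny precedence keeps Rebecca locked out and the policy author has to take corrective action to get the intended result.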