research-article

Expandable grids for visualizing and authoring computer security policies

Authors:

Heather StrongAuthors Info & Claims

CHI '08: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Pages 1473 - 1482

https://doi.org/10.1145/1357054.1357285

Published: 06 April 2008 Publication History

Get Access

Abstract

We introduce the Expandable Grid, a novel interaction technique for creating, editing, and viewing many types of security policies. Security policies, such as file permissions policies, have traditionally been displayed and edited in user interfaces based on a list of rules, each of which can only be viewed or edited in isolation. These list-of-rules interfaces cause problems for users when multiple rules interact, because the interfaces have no means of conveying the interactions amongst rules to users. Instead, users are left to figure out these rule interactions themselves. An Expandable Grid is an interactive matrix visualization designed to address the problems that list-of-rules interfaces have in conveying policies to users. This paper describes the Expandable Grid concept, shows a system using an Expandable Grid for setting file permissions in the Microsoft Windows XP operating system, and gives results of a user study involving 36 participants in which the Expandable Grid approach vastly outperformed the native Windows XP file-permissions interface on a broad range of policy-authoring tasks.

References

[1]

X. Cao and L. Iverson. Intentional access management: Making access control usable for end-users. In Proc. of the Second Symposium on Usable Privacy and Security (SOUPS 2006), pages 20--31, 2006.

Digital Library

Google Scholar

[2]

N. S. Good and A. Krekelberg. Usability and privacy: a study of Kazaa P2P file-sharing. In Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems(CHI 2003), pages 137--144, New York, NY, April 2003.

Digital Library

Google Scholar

[3]

J. Karat, C.-M. Karat, C. Brodie, and J. Feng. Privacy in information technology: Designing to enable privacy policy management in organizations. International Journal of Human--Computer Studies, 63(1-2):153--174, July 2005.

Digital Library

Google Scholar

[4]

B. W. Lampson. Protection. Operating Systems Review, 8(1):18--24, January 1974. Reprint of the original from Proceedings of the Fifth Princeton Symposium on Information Sciences and Systems (Princeton University, March, 1971), 437--443.

Digital Library

Google Scholar

[5]

R. A. Maxion and R. W. Reeder. Improving user-interface dependability through mitigation of human error. International Journal of Human-Computer Studies, 63(1-2):25--50, July 2005.

Digital Library

Google Scholar

[6]

M. C. Mont, R. Thyne, and P. Bramhall. Privacy enforcement with HP Select Access for regulatory compliance. Technical Report HPL-2005-10, HP Laboratories Bristol, Bristol, UK, January 2005. Available at http://www.hpl.hp.com/techreports/2005/HPL-2005-10.pdf. Accessed on January 10, 2008.

Google Scholar

[7]

J. Rode, C. Johansson, P. DiGioia, R. S. Filho, K. Nies, D. H. Nguyen, J. Ren, P. Dourish, and D. Redmiles. Seeing further: Extending visualization as a basis for usable security. In Proceedings of the Second Symposium on Usable Privacy and Security (SOUPS 2006), pages 145--155, 2006.

Digital Library

Google Scholar

[8]

The Open Group Research Institute. Adage system overview. Available at http://www.memesoft.com/adage/SystemSpec.ps. Accessed on September 20, 2006.

Google Scholar

[9]

U.S. Senate Sergeant at Arms. Report on the investigation into improper access to the Senate Judiciary Committee's computer system, March 2004. Available at http://judiciary.senate.gov/testimony.cfm?id=1085&wit_id=2514. Accessed on January 10, 2008.

Google Scholar

[10]

M. E. Zurko. Adage usability testing results: Formal testing affinity mapping and questionnaire. Available at http://www.memesoft.com/adage/affinity.ps. Accessed on September 20, 2006.

Google Scholar

[11]

M. E. Zurko, R. Simon, and T. Sanfilippo. A user-centered, modular authorization service built on an RBAC foundation. In Proceedings 1999 IEEE Symposium on Security and Privacy, pages 57--71, Los Alamitos, CA, May 1999.

Crossref

Google Scholar

Cited By

View all

Baird APanda APearce HPinisetty SRoop P(2024)Scalable Security Enforcement for Cyber Physical SystemsIEEE Access10.1109/ACCESS.2024.335771412(14385-14410)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3357714
Drozd OKirrane S(2023)A Conceptual Consent Request Framework for Mobile DevicesInformation10.3390/info1409051514:9(515)Online publication date: 19-Sep-2023
https://doi.org/10.3390/info14090515
Salgado AHung PFortes R(2023)Six usable privacy heuristicsProceedings of the XXII Brazilian Symposium on Human Factors in Computing Systems10.1145/3638067.3638111(1-11)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3638067.3638111
Show More Cited By

Index Terms

Expandable grids for visualizing and authoring computer security policies
1. Human-centered computing
  1. Human computer interaction (HCI)
2. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

A user study of the expandable grid applied to P3P privacy policy visualization
WPES '08: Proceedings of the 7th ACM workshop on Privacy in the electronic society

Displaying website privacy policies to consumers in ways they understand is an important part of gaining consumers' trust and informed consent, yet most website privacy policies today are presented in confusing, legalistic natural language. Moreover, ...
Expandable grids: a user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring
Usability challenges in security and privacy policy-authoring interfaces
INTERACT'07: Proceedings of the 11th IFIP TC 13 international conference on Human-computer interaction - Volume Part II

Policies, sets of rules that govern permission to access resources, have long been used in computer security and online privacy management; however, the usability of authoring methods has received limited treatment from usability experts. With the rise ...

Comments

Information & Contributors

Information

Published In

CHI '08: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

April 2008

1870 pages

ISBN:9781605580111

DOI:10.1145/1357054

General Chairs:
Mary Czerwinski
Microsoft Research, USA
,
Arnie Lund
Microsoft, USA
,
Program Chair:
Desney Tan
Microsoft Research, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 April 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CHI '08

Sponsor:

CHI '08: CHI Conference on Human Factors in Computing Systems

April 5 - 10, 2008

Florence, Italy

Acceptance Rates

CHI '08 Paper Acceptance Rate 157 of 714 submissions, 22%;

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

97
Total Citations
View Citations
1,008
Total Downloads

Downloads (Last 12 months)24
Downloads (Last 6 weeks)2

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Baird APanda APearce HPinisetty SRoop P(2024)Scalable Security Enforcement for Cyber Physical SystemsIEEE Access10.1109/ACCESS.2024.335771412(14385-14410)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3357714
Drozd OKirrane S(2023)A Conceptual Consent Request Framework for Mobile DevicesInformation10.3390/info1409051514:9(515)Online publication date: 19-Sep-2023
https://doi.org/10.3390/info14090515
Salgado AHung PFortes R(2023)Six usable privacy heuristicsProceedings of the XXII Brazilian Symposium on Human Factors in Computing Systems10.1145/3638067.3638111(1-11)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3638067.3638111
Panda ABaird APinisetty SRoop P(2023)Incremental Security Enforcement for Cyber-Physical SystemsIEEE Access10.1109/ACCESS.2023.324612111(18475-18498)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3246121
Fernandez RCheng PNhlabatsi AKhan KFetais N(2023)Effective Collaboration in the Management of Access Control Policies: A Survey of ToolsIEEE Access10.1109/ACCESS.2023.324286311(13929-13947)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3242863
Hung PCanada DMeade MAckerman M(2022)Data Checkers: A Grid-Based UI for Managing Patient-Generated Data Sharing to Support Collaborative Self-CareFrontiers in Computer Science10.3389/fcomp.2021.6397483Online publication date: 11-Jan-2022
https://doi.org/10.3389/fcomp.2021.639748
Linsner SSteinbrink EKuntke FFranken JReuter C(2022)Supporting users in data disclosure scenarios in agriculture through transparencyBehaviour & Information Technology10.1080/0144929X.2022.206807041:10(2151-2173)Online publication date: 10-May-2022
https://doi.org/10.1080/0144929X.2022.2068070
Hung PAckerman M(2022)Helping People to Control Their Everyday Data for Care: A Scenario-Based StudyPervasive Computing Technologies for Healthcare10.1007/978-3-030-99194-4_18(272-301)Online publication date: 23-Mar-2022
https://doi.org/10.1007/978-3-030-99194-4_18
Andalibi VLear EKim DCamp L(2022)On the Analysis of MUD-Files’ Interactions, Conflicts, and Configuration Requirements Before DeploymentThe Fifth International Conference on Safety and Security with IoT10.1007/978-3-030-94285-4_9(137-157)Online publication date: 8-Jan-2022
https://doi.org/10.1007/978-3-030-94285-4_9
Zhang BGill PMihai NTripunitara M(2022)Granularity and Usability in Authorization PoliciesEmerging Information Security and Applications10.1007/978-3-030-93956-4_5(68-86)Online publication date: 12-Jan-2022
https://doi.org/10.1007/978-3-030-93956-4_5
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

A user study of the expandable grid applied to P3P privacy policy visualization

Expandable grids: a user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring

Usability challenges in security and privacy policy-authoring interfaces