Human factors in access control: analysis and design

The ubiquity of communication technologies has led to the increased need of users to regulate access to their data. Traditional access control systems were mostly developed for military, governmental, and organizational settings. Even more, many of them assumed the presence of a responsible central authority that authors and enforces security policies. This is not true anymore. The development of Internet technologies and high availability of personal devices create new demands from users. In collaborative environments, where a central authority is missing or not completely responsible for user data, the user needs convenient methods to regulate access to their data.

Contemporary research approaches the problem of usable access control systems in different ways. One of the directions is dedicated to behavioral and perceptual aspects: how users perceive the permission management and what they do to achieve their access control goals. Although this approach provides useful observations, the existing research exhibits a number of inconsistencies. Another direction leverages prototype and model development, revealing a different problem: it is hardly possible to make a useful generalization based on individual use cases.

In this thesis we investigate the principles that underlie user perception of access control systems. We start from exploratory study of privacy protection behaviors. Subsequently, moving to a more specific level of access control, we rely on cognitive science and state that the utilization of visual metaphors and categorization might be beneficial for end users. The thesis presents two case studies to test these assumptions. Additionally, we further investigate the mechanism of categorization and design two models for collaborative platforms. The models have been tested for feasibility in simulated environments.

Our results suggest that both metaphors and categorization can be leveraged to improve different aspects of the access control system usability. First, we found out that visual metaphors are capable of implicitly transferring information about an access control system. Second, we established some prominent parallels between categorization in human cognition and the corresponding mechanisms of access control. Lastly, we demonstrated the applicability of categories as the main primitives of user-centric access control models.