Reducing Unauthorized Access by Insiders Through End-User Design: Making Users Accountable

Proceedings of the 45th Annual Hawaii International Conference on System Sciences (HICSS 2012), Maui, Hawaii, USA, January 4-7, pp. 4623-4632 (best paper nomination)

11 Pages Posted: 30 Jun 2013

Anthony Vance

Brigham Young University - Department of Information Systems

Braden Molyneux

Brigham Young University - Department of Information Systems

Paul Benjamin Lowry

Virginia Tech - Pamplin College of Business

Date Written: June 30, 2013

Abstract

A long-time tenet of information security is the principle of least privilege, which requires that system users be given the minimum amount of access privilege required to complete a task. However, many financial, medical, and customer records systems grant employees broad access for reasons of practical necessity, and with broad access rights comes potential for system abuse. This paper investigates how features of a system can be designed to make users feel more accountable for their actions in the system and less likely to abuse their access rights. To do so, we developed a factorial survey to determine the effects of system design features relating to three aspects of accountability: (1) identifiability, (2) evaluation, and (3) social presence. The results of the factorial survey show that the accountability design features significantly reduced intention to violate an organization’s access policy.

Keywords: accountability, security, organizational security, least privilege, access, identifiability, evaluation, social presence

Suggested Citation

Vance, Anthony and Molyneux, Braden and Lowry, Paul Benjamin, Reducing Unauthorized Access by Insiders Through End-User Design: Making Users Accountable (June 30, 2013). Proceedings of the 45th Annual Hawaii International Conference on System Sciences (HICSS 2012), Maui, Hawaii, USA, January 4-7, pp. 4623-4632 (best paper nomination), Available at SSRN: https://ssrn.com/abstract=2287444

Anthony Vance

Brigham Young University - Department of Information Systems

510 Tanner Building
Marriott School
Provo, UT 84602
United States

Braden Molyneux

Brigham Young University - Department of Information Systems

510 Tanner Building
Marriott School
Provo, UT 84602
United States

Paul Benjamin Lowry (Contact Author)

Virginia Tech - Pamplin College of Business

1016 Pamplin Hall
Blacksburg, VA 24061
United States
