Reducing Unauthorized Access by Insiders Through End-User Design: Making Users Accountable
Proceedings of the 45th Annual Hawaii International Conference on System Sciences (HICSS 2012), Maui, Hawaii, USA, January 4-7, pp. 4623-4632 (best paper nomination)
11 pages. Posted: 30 Jun 2013
Date Written: June 30, 2013
Abstract
A long-standing tenet of information security is the principle of least privilege, which requires that system users be given the minimum access privilege needed to complete a task. In practice, however, many financial, medical, and customer records systems grant employees broad access out of practical necessity, and with broad access rights comes the potential for system abuse. This paper investigates how the features of a system can be designed to make users feel more accountable for their actions in the system and therefore less likely to abuse their access rights. To do so, we developed a factorial survey to determine the effects of system design features relating to three aspects of accountability: (1) identifiability, (2) evaluation, and (3) social presence. The results of the factorial survey show that the accountability design features significantly reduced intention to violate an organization's access policy.
Keywords: accountability, security, organizational security, least privilege, access, identifiability, evaluation, social presence