In access-control systems, policy rules conflict when they prescribe different decisions (allow or deny) for the same access. We present the results of a user study that demonstrates the significant impact of conflict-resolution method on policy-authoring usability. In our study of 54 participants, varying the conflict-resolution method yielded statistically significant differences in accuracy in five of the six tasks we tested, including differences in accuracy rates of up to 78%. Our results suggest that a conflict-resolution method favoring rules of smaller scope over rules of larger scope is more usable than the Microsoft Windows operating system's method of favoring deny rules over allow rules. Perhaps more importantly, our results demonstrate that even seemingly small changes to a system's semantics can fundamentally affect the system's usability in ways that are beyond the power of user interfaces to correct.
|Title of host publication||Proceedings of the SIGCHI Conference on Human Factors in Computing Systems|
|Place of Publication||New York, NY, USA|
|Number of pages||10|
|Publication status||Published - 2011|
- access control, home computing, human factors, privacy, security