Tech Report CS-09-05

Escape From the Matrix: Lessons from a Case-Study in Access-Control Requirements

Kathi Fisler, WPI and Shriram Krishnamurthi, Brown University

May 2009


The freedom to share information through the Web has made the ability to restrict that sharing critical. Access-control is thus a central and growing part of contemporary Web-based system security. While much research has focused on languages and analyses for access-control policies, relatively little has studied the actual utterances of people defining policies and how these map to formal policy languages. We study this question using a case-study and report several observations. We identify the several consequences these observations have for the design of policy languages, policy analysis tools, and policy authoring environments. They further suggest directions for future social-science research to help bridge the human-computer gap.

(complete text in pdf)