Making Systems Users Accountable: Using Accountability to Deter Access Policy Violations
Roode Workshop on IS Security Research, Boston, MA, USA, October 8-9, 2010
Posted: 30 Aug 2010
Date Written: August 29, 2010
A long-standing tenet of information security is the principle of least privilege, which requires that system users be given the minimum access privileges required to complete a task. However, many financial, medical, and customer records systems grant employees broad access for reasons of practical necessity, and with broad access rights comes the potential for system abuse.
This paper shows how accountability theory can be used within systems to deter access policy violations - the accessing of information contrary to explicitly stated policies for how access rights may be used. We conduct a field experiment using a system in actual use to show how two accountability-related effects - identifiability and evaluation - reduce access policy violations. The hypotheses are generally supported, demonstrating the potential of accountability mechanisms to deter abuses of broad access privileges.
Keywords: accountability, identifiability, evaluation, IS security policies, computer abuse