Making Systems Users Accountable: Using Accountability to Deter Access Policy Violations

Roode Workshop on IS Security Research, Boston, MA, USA, October 8-9, 2010

Posted: 30 Aug 2010

Anthony Vance

Brigham Young University - Department of Information Systems

Gove N. Allen

Brigham Young University - Department of Information Systems

Braden Molyneux

Brigham Young University - Department of Information Systems

Paul Benjamin Lowry

Virginia Polytechnic Institute & State University - Pamplin College of Business

Date Written: August 29, 2010

Abstract

A long-standing tenet of information security is the principle of least privilege, which requires that system users be given the minimum access privileges required to complete a task. However, many financial, medical, and customer records systems grant employees broad access for reasons of practical necessity, and with broad access rights comes the potential for system abuse.

This paper shows how accountability theory can be used within systems to deter access policy violations, that is, accessing information contrary to explicitly stated policies governing how access rights may be used. We conduct a field experiment using a system in actual use to show how two accountability-related effects, identifiability and evaluation, reduce access policy violations. The hypotheses are generally supported, showing the potential of accountability mechanisms to deter abuse of broad access privileges.

Keywords: accountability, identifiability, evaluation, IS security policies, computer abuse

Suggested Citation

Vance, Anthony and Allen, Gove N. and Molyneux, Braden and Lowry, Paul Benjamin, Making Systems Users Accountable: Using Accountability to Deter Access Policy Violations (August 29, 2010). Roode Workshop on IS Security Research, Boston, MA, USA, October 8-9, 2010. Available at SSRN: https://ssrn.com/abstract=1668117

Anthony Vance

Brigham Young University - Department of Information Systems

510 Tanner Building
Marriott School
Provo, UT 84602
United States

Gove N. Allen

Brigham Young University - Department of Information Systems

510 Tanner Building
Marriott School
Provo, UT 84602
United States

HOME PAGE: http://www.gove.net

Braden Molyneux

Brigham Young University - Department of Information Systems

510 Tanner Building
Marriott School
Provo, UT 84602
United States

Paul Benjamin Lowry (Contact Author)

Virginia Polytechnic Institute & State University - Pamplin College of Business

1016 Pamplin Hall
Blacksburg, VA 24061
United States
