Posted on 2008-01-01, 00:00; authored by Lujo Bauer, Lorrie Faith Cranor, Robert W Reeder, Michael K Reiter, Kami Vaniea
Significant effort has been invested in developing expressive
and flexible access-control languages and systems. However,
little has been done to evaluate these systems in practical
situations with real users, and few attempts have been
made to discover and analyze the access-control policies that
users actually want to implement. We report on a user study
in which we derive the ideal access policies desired by a
group of users for physical security in an office environment.
We compare these ideal policies to the policies the users actually
implemented with keys and with a smartphone-based
distributed access-control system. We develop a methodology
that allows us to show quantitatively that the smartphone
system allowed our users to implement their ideal policies
more accurately and securely than they could with keys, and
we describe where each system fell short.