Deterring Unauthorized Access by Insiders: Raising Perceptions of Accountability in End Users Through User Interface Artifacts
ABSTRACT
A persistent problem of information security is the threat posed by organizational insiders, one example of which is unauthorized access to information. A long-standing solution to this problem is the principle of least privilege, which requires that system users be given the minimum access privilege needed to complete a task. However, this solution is only partial. While it limits access, and therefore the exposure to unauthorized access, it does not prevent the abuse of access privileges that were properly granted. In addition, in many financial, medical, and customer records systems, restricting access privileges at a fine granularity is not practical.
This study presents accountability—the expectation that one will be required to answer for one's actions—as an alternative solution to the problem of unauthorized access. We apply accountability theory to the context of system access privileges to predict that four aspects of accountability—identifiability, evaluation, social presence, and justification—will reduce instances of unauthorized access. We develop a factorial survey and experiments to determine the effects of user interface design features relating to these aspects of accountability. The results demonstrate the potential of accountability mechanisms within systems to prevent unauthorized access.
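The following is an added illustration of how the four accountability cues named above (identifiability, evaluation, social presence, justification) can be built into the access path of a records system; it is not the study's survey instrument or experimental material. Field names, the minimum justification length, the reviewer role and the sample requests are all assumptions made for the example.

```python
# Added illustration (not the paper's instrument): an access gate that surfaces the four
# accountability cues before releasing a record and writes an audit entry for later review.
from dataclasses import dataclass
from datetime import datetime, timezone
import json

MIN_JUSTIFICATION_CHARS = 20  # assumed threshold; the paper sets no such value


@dataclass
class AccessRequest:
    user_id: str        # identifiability: the authenticated principal, never a shared account
    record_id: str      # the record the user is asking to open
    justification: str  # justification: free-text reason captured before release
    reviewer: str       # evaluation / social presence: who will read the audit trail


def accountability_notice(req: AccessRequest) -> str:
    """Text the interface shows before the record opens.

    It names the user (identifiability), states that the access will be
    evaluated, and names the reviewer so a real person is present in the
    interaction (social presence).
    """
    return (
        f"You are signed in as {req.user_id}. Opening record {req.record_id} "
        f"will be logged under your name and reviewed by {req.reviewer}. "
        f"Your stated reason will be included in that review."
    )


def gate_access(req: AccessRequest, audit_log: list) -> tuple:
    """Grant or refuse access, appending a JSON audit entry either way.

    Returns (granted, message). Refusals are logged too, so repeated attempts
    without a usable reason remain visible to the reviewer.
    """
    reason = " ".join(req.justification.split())  # collapse whitespace padding
    granted = bool(req.user_id) and len(reason) >= MIN_JUSTIFICATION_CHARS
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user_id": req.user_id,
        "record_id": req.record_id,
        "justification": reason,
        "reviewer": req.reviewer,
        "granted": granted,
    }
    audit_log.append(json.dumps(entry, sort_keys=True))
    if not req.user_id:
        return False, "Access requires an individually identifiable account."
    if not granted:
        return False, (f"A justification of at least {MIN_JUSTIFICATION_CHARS} "
                       "characters is required before this record can be opened.")
    return True, accountability_notice(req)


if __name__ == "__main__":
    log = []
    # Constructed sample requests (hypothetical identifiers)
    ok = AccessRequest("jdoe", "MRN-4471",
                       "Reconciling a billing dispute raised by the patient on 3 May.",
                       "Dr. Lee (privacy officer)")
    bad = AccessRequest("jdoe", "MRN-4471", "curious", "Dr. Lee (privacy officer)")
    for r in (ok, bad):
        granted, msg = gate_access(r, log)
        print(granted, msg)
    for line in log:
        print(line)
```

The gate does not decide whether the user is entitled to the record; that remains the job of the access-control layer. Its only purpose is to make the user aware, at the moment of access, that the action is attributable, recorded and will be read by a named person, which is the mechanism the abstract proposes as a complement to least privilege.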