Adding Measures to Task Models for Usability Inspection of the Cloud Access Control Services

  • Bilal Naqvi
  • Ahmed Seffah
  • Christina Braz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11262)


Access control services in the cloud require defining which users, applications, or functions may access which data, and which operations they may perform on it. There are thus three dimensions: (1) which users may (2) perform which operations (3) on which data. We call these, respectively, (1) principals (i.e., users or roles), (2) privileges, and (3) objects. Gaining access confers rights and privileges such as using or releasing data, modifying access rights, or accomplishing certain tasks. Granting access also requires identity management. Research studies identify a dependency between usability and security, and a conflict between the two whose trade-offs are difficult to evaluate and engineer. This paper proposes a novel methodology for assessing the usability of access control services while ensuring that security requirements are met. The methodology integrates the experience of both security and usability experts, using Human Computer Interaction methods to identify usability and security problems in cloud access control services and to capture solutions to those problems.
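As an added illustration of the three dimensions named above (principals, privileges, objects) and of the identity-management link between users and the roles they act under, the following Python model is an example written for this page, not code from the paper. The glob-style object patterns, the default-deny evaluation, the role assignments and the sample finance-bucket rules are all assumptions made for the example; the inspection helpers at the end (effective permissions per user, rules whose principal nobody holds) show the kind of question a usability or security inspection of a rule set would ask.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One access-control rule along the abstract's three dimensions."""
    principal: str   # dimension 1: a user name or a role name
    privilege: str   # dimension 2: the operation, e.g. "read", "write", "share"
    obj: str         # dimension 3: the data; glob pattern assumed, e.g. "bucket:finance/*"


@dataclass
class Policy:
    rules: set = field(default_factory=set)
    users: set = field(default_factory=set)
    # identity-management side (assumed): which roles each user has been assigned
    user_roles: dict = field(default_factory=dict)

    def grant(self, principal: str, privilege: str, obj: str) -> None:
        self.rules.add(Rule(principal, privilege, obj))

    def add_user(self, user: str) -> None:
        self.users.add(user)
        self.user_roles.setdefault(user, set())

    def assign_role(self, user: str, role: str) -> None:
        self.add_user(user)
        self.user_roles[user].add(role)

    def principals_of(self, user: str) -> set:
        """A user acts under its own name and under every role assigned to it."""
        return {user} | self.user_roles.get(user, set())

    def is_permitted(self, user: str, privilege: str, obj: str) -> bool:
        """Default-deny: True only if a rule for one of the user's principals
        names this privilege and an object pattern matching the target."""
        principals = self.principals_of(user)
        for rule in self.rules:
            if (rule.principal in principals
                    and rule.privilege == privilege
                    and fnmatchcase(obj, rule.obj)):
                return True
        return False

    def effective_permissions(self, user: str) -> set:
        """Everything a user may do, as (privilege, object pattern) pairs,
        for a least-privilege review of that user."""
        principals = self.principals_of(user)
        return {(r.privilege, r.obj) for r in self.rules if r.principal in principals}

    def orphaned_rules(self) -> set:
        """Rules whose principal is neither a known user nor a role anyone holds.
        Such rules grant nothing today but silently take effect the moment the
        principal is (re)created, so an inspection should surface them."""
        held_roles = {role for roles in self.user_roles.values() for role in roles}
        known = self.users | held_roles
        return {r for r in self.rules if r.principal not in known}


def build_sample_policy() -> Policy:
    """Constructed sample data (not from the paper) for a finance bucket."""
    p = Policy()
    p.grant("analyst", "read", "bucket:finance/reports/*")
    p.grant("finance-admin", "read", "bucket:finance/*")
    p.grant("finance-admin", "write", "bucket:finance/*")
    p.grant("finance-admin", "share", "bucket:finance/*")
    p.grant("auditor", "read", "bucket:finance/ledger/*")   # role nobody holds
    p.assign_role("alice", "analyst")
    p.assign_role("bob", "finance-admin")
    p.assign_role("bob", "analyst")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    for user, priv, obj in [
        ("alice", "read", "bucket:finance/reports/q3.csv"),
        ("alice", "write", "bucket:finance/reports/q3.csv"),
        ("bob", "share", "bucket:finance/ledger/2024"),
        ("carol", "read", "bucket:finance/reports/q3.csv"),
    ]:
        print(f"{user:6} {priv:6} {obj:32} -> {policy.is_permitted(user, priv, obj)}")
    print("alice effective:", sorted(policy.effective_permissions("alice")))
    print("orphaned rules:", sorted(r.principal for r in policy.orphaned_rules()))
```

The evaluation is default-deny and unknown users get nothing, which is the behaviour to expect from any real cloud access-control service; the two inspection helpers are where a usability measure would attach, for instance counting how many rules a reviewer must read to understand one user's effective permissions.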


Keywords: usable security; usability in cloud access control and identity management; usability of security services; security and usability conflict



Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. Lappeenranta University of Technology (LUT), Lappeenranta, Finland
  2. Scotiabank, Toronto, Canada
