Digital Nudges for Access Reviews: Guiding Deciders to Revoke Excessive Authorizations

Authors: 

Thomas Baumer, Nexis GmbH; Tobias Reittinger, Universität Regensburg; Sascha Kern, Nexis GmbH; Günther Pernul, Universität Regensburg

Abstract: 

Organizations tend to over-authorize their members to ensure smooth operations. However, these excessive authorizations offer a substantial attack surface and are the reason regulatory authorities demand periodic checks of authorizations. Organizations therefore conduct time-consuming and costly access reviews in which human decision-makers verify these authorizations. Still, these deciders revoke only a marginal share of authorizations due to the poor usability of access reviews. In this work, we apply digital nudges to guide human deciders during access reviews to tackle this issue and improve security. In detail, we formalize the access review problem, interview experts (n=10) to identify several nudges helpful for access reviews, and conduct a user study (n=102) on the Choice Defaults Nudge. We show significant behavior changes in revoking authorizations. We also achieve time savings and reduced stress. However, we also found that improving the overall quality requires more advanced means. Finally, we discuss design implications for access reviews with digital nudges.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {298852,
author = {Thomas Baumer and Tobias Reittinger and Sascha Kern and G{\"u}nther Pernul},
title = {Digital Nudges for Access Reviews: Guiding Deciders to Revoke Excessive Authorizations},
booktitle = {Twentieth Symposium on Usable Privacy and Security (SOUPS 2024)},
year = {2024},
isbn = {978-1-939133-42-7},
address = {Philadelphia, PA},
pages = {239--258},
url = {https://www.usenix.org/conference/soups2024/presentation/baumer},
publisher = {USENIX Association},
month = aug
}