Abstract | <span style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12.8px; ">Most organizations have access control policies, and many have to change them frequently to get work done. Currently, the way such changes are made often has a significant impact on the organization's security, productivity, and employee satisfaction. Those who have to make the decisions are put on the spot, and depending on their perspective and circumstances, the decision is biased towards business or security interests. A decision support system for access control policies could mitigate these problems, but to be effective, such a system needs a significant amount of information about specific security and business risks and benefits, and collecting this information requires significant investment. In this paper, we present a participatory approach to collecting this information, which not only reduces cost, but increases effectiveness because it ensures that specific local knowledge and downstream risks are represented and visible to decision-makers. We evaluated our systematically developed decision-support prototype in formative evaluations with employees and decision-makers from a variety of backgrounds. We found that, among others, decision support is highly dependent on the organizational context and that the collected factors need to be contextualized for the contributing individuals.</span> |
---|