Lee Wood and Dr. Anthony Vance, Dept. of Information Systems
The purpose of this research was to determine how features of the user interface of an information system could be designed to increase users’ perceptions of accountability within the system, and thereby decrease levels of unauthorized access. One of the most persistent problems of information security is the threat of malicious insiders, or members of an organization who misuse access to information resources. The Verizon 2010 Data Breach Investigations Report disclosed that 48 percent of data breaches were attributable to unauthorized access by organizational insiders (Verizon, 2010). This means that nearly half of data breaches come not from compromised systems, or hackers, but from users within the system who misuse or abuse resources that they have legitimate access to.
Our research was based on the simple hypothesis that if users perceive that they will be held accountable for their actions, they will be more likely to think before they act, and therefore less likely to commit unauthorized access. We based our study on the question: “how can user interface features of an information system be designed to increase perceptions of accountability and thereby reduce unauthorized access?
With this question in mind, we designed a factorial survey that measured the effects of four user interface elements on users’ intentions to commit unauthorized access. The user interface elements were based on four sub-manipulations of accountability: identifiability, evaluationlogging, evaluation-audit, and social presence.
The survey was conducted by first presenting each respondent with a scenario that describes an example of a person committing unauthorized access. The respondent was then shown a user interface screen showing a random combination of our four accountability manipulations. Finally the respondent was asked to consider the user interface, and respond as to how likely they would be to act in a similar way to the person in the scenario. The results of our survey supported our hypothesis that each of these manipulations would reduce intentions to commit unauthorized access.
Surprisingly, the most difficult part of this project was the creation of the survey. User interface displays had to be created and randomized for each of the over 2000 respondents. Multiple scripts, written using the Python programming language, were used to make this possible. The language in the scripts was complicated, and something I hadn’t done before, so getting it all to work was very rewarding.
This project was a great learning experience for me. I had the opportunity not only to learn what research in my field was all about, but also to get a glimpse of what I might be in store for if I choose to pursue a Ph.D. I hope that the results of this project will help to improve the security of future information systems, and I hope to be involved in more projects like this in the future.
- Verizon, 2010 Data Breach Investigations Report, accessed online at: http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf on 9/30/2010.