UBC Theses and Dissertations

User-centered design of identity and access management systems

Jaferian, Pooya

Abstract

IT security management (ITSM) technologies are important components of IT security in organizations. But there has been little research on how ITSM technologies should incorporate human and social issues into their design. Identity and Access Management (IAM) systems, as an important category of ITSM, share such a gap with other ITSM technologies. The overarching goal of this research is to narrow the gap between IAM technologies and social context. In the first phase, we developed a set of usability guidelines and heuristics for design and usability evaluation of ITSM tools. We gathered recommendations related to ITSM tools from the literature, and categorized them into a set of 19 high-level guidelines that can be used by ITSM tool designers. We then used a methodical approach to create seven heuristics for usability evaluation of ITSM tools and named them ITSM heuristics. With a between-subjects study, we compared the usage of the ITSM and Nielsen's heuristics for evaluation of a commercial IAM system. The results confirmed the effectiveness of ITSM heuristics, as participants who used the ITSM heuristics found more problems categorized as severe than those who used Nielsen's. In the second phase, we conducted a field study of 19 security practitioners to understand how they do IAM and identify the challenges they face. We used a grounded theory approach to collect and analyze data and developed a model of IAM activities and challenges. Building on the model, we proposed a list of recommendations for improving technology or practice. In the third phase, we narrowed our focus to a specific IAM-related activity, access review. We expanded our understanding of access review by further analysis of the interviews, and by conducting a survey of 49 security practitioners. Then, we used a usability engineering process to design AuthzMap, a novel user interface for reviewing access policies in organizations. We conducted a user study with 430 participants to compare the use of AuthzMap with two existing access review systems. The results show AuthzMap improved efficiency in five of the seven tested tasks, and improved accuracy in one of them.

Rights

Attribution-NonCommercial-NoDerivs 2.5 Canada