VisABAC: A Tool for Visualising ABAC Policies

Charles Morisset and David Sanchez

School of Computing, Newcastle University, Newcastle upon Tyne, U.K.

Faculty of Engineering and Environment, Northumbria University, Newcastle upon Tyne, U.K.

Keywords:

Circle Packing, Visualisation, User Study, Attribute-based Access Control.

Abstract:

Authoring and editing access control policy can be a complex and cognitive demanding task, especially when

dealing with a large number of rules and attributes. Visualisation techniques are known to be helpful to

users analysing intricate data, and can, in some contexts, help decreasing the cognitive load. In this paper,

we propose a new tool, VisABAC, which enables the visualisation of attribute based access control policies

using the Circle Packing method. We used a participatory design, following a survey of existing visualisation

methods in access control. VisABAC is designed as a web-page component, developed in Javascript using

the D3.js library, and as such is easily usable without requiring any particular setup. In addition to presenting

VisABAC, we demonstrate its usability by conducting a controlled experiment with 32 participants, asking

them to change some attribute values in order to obtain a given decision for a policy, and measuring the time

taken by participants to conduct these tasks (the faster, the better). We show a small to medium effect size

(d = 0.44), thus indicating that VisABAC is a promising tool for authoring and editing access control policies.

1 INTRODUCTION

An access control policy can be seen a compendium

of authorisations that regulate the use of a particular

set of resources. They are deﬁned by security ad-

ministrators and are processed by a trusted software

module called access control mechanism or reference

monitor (Benantar, 2005).

The ﬁrst access control model is often considered

to be the Access Matrix (Lampson, 1974), where each

row indicates a subject, each column an object, and

each cell the access rights granted to the correspond-

ing subject over the corresponding object. This ap-

proach can be cumbersome for systems requiring a

large number of subjects and objects, and can lead to

policy misconﬁgurations (Bauer et al., 2008). Many

access control models have been introduced

, provid-

ing more suitable methods for designing access con-

trol policies in speciﬁc contexts.

General policy languages have subsequently been

created, including, but not limited to, ExPDT (Sack-

mann and K

ahmer, 2008), EPAL (Ashley et al., 2003)

and the standard XACML (eXtensible Access Con-

trol Markup Language) (Standard, 2005). The lat-

See for instance (Barker, 2009) for an account on the va-

riety of access control models introduced over the past

decades.

est version, XACML 3.0, was released in 2013, and

standardizes Attribute-based Access Control, within

which an access request can be seen as a set of at-

tribute values, an access rule as a decision (e.g., per-

mit or deny) returned when a boolean expression (i.e.,

target and/or condition) holds for a request, and an ac-

cess policy as combining the decisions returned by a

collection of rules using a composition operator (e.g.,

deny-overrides or permit-overrides).

Although XACML is a very general and power-

ful framework, its underlying format is XML, which

makes XACML policies machine readable, but ar-

guably harder to author and edit by hand. The need

for including human factors in security is recognised

as an important problem: in the UK, for instance, 50%

of the worst breaches were caused by “inadvertent hu-

man error” (up from 31% in 2014) (PwC, 2015), and

there has been an increasing effort on usable security

(see, e.g., (Alavi et al., 2014; Lacey, 2009; Trudeau

et al., 2009; Kirlappos and Sasse, 2014)). The need

for regulatory mandates in computer security have

increased the number of policies and its complexity

far beyond human cognitive capacity (Barrett et al.,

2004). Security Administrators cope with such en-

tanglement by obviating irrelevant data, causing inad-

vertently security risks in the process (Vaniea et al.,

2008). Recent privacy breaches along with experi-

ments, such as Trudeau et al. (Trudeau et al., 2009)

Morisset, C. and Sanchez, D.

VisABAC: A Tool for Visualising ABAC Policies.

DOI: 10.5220/0006647401170126

In Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP 2018), pages 117-126

ISBN: 978-989-758-282-0

117

corroborates this, showing that users (including ex-

perienced policy engineers) easily oversee details.

There is therefore a clear case to build tools helping

security administrators author and edit access control

policies.

Reducing complexity is an essential stage in any

kind of analysis and it is perfectly possible to simplify

a system without loosing essential functional prop-

erties. Information visualisation (Card et al., 1999)

comprises techniques that allow humans to under-

stand and manipulate huge quantities of abstract data

by simpliﬁcation and it is being actively investigated

by security researchers (Vaniea et al., 2008; Becker

et al., 2014; Stepien et al., ). Languages such as

Mir6 (Heydon et al., 1990) have demonstrated that

it is even possible to specify security visually, albeit

with very limited complexity. In particular, visual-

isation techniques have been proposed in the con-

text of access control (Rosa, 2009; Heydon et al.,

1990), including the tools ALFA

(Axiomatics Lan-

guage for Authorization), which proposes a much

simpliﬁed textual syntax for describing XACML poli-

cies, or VisPE (Nergaard et al., 2015), which proposes

a Sratch-based interface. However, these approaches

tend to enhance the textual representation of the pol-

icy, rather than offer a visualisation of the evaluation

of a policy.

This paper contributes to solving this problem

by proposing a new tool, VisABAC, which provides

a visual interface for the evaluation of an attribute

based access control policies using the Circle Pack-

ing method. More precisely, we provide two main

contributions in this paper:

• We introduce the tool VisABAC, which is a client-

side browser application, and, given an attribute-

based access control policy, provides a textual

representation of that policy (inspired by XACML

3.0 and ALFA), a graphical visualisation using the

Circle Packing method, and an interface allowing

a policy designer to change policy and attribute

values. VisABAC is, to the best of our knowledge,

the ﬁrst visualisation tool to support the XACML

3.0 extended decision set, which includes multiple

indeterminate decisions (indicating missing infor-

mation).

• We conduct a controlled experiment with 32 par-

ticipants, asked to interact with two versions

of VisABAC: the control group would only see

the textual representation, while the tested group

would see both the textual and graphical represen-

tations. Participants were given a series of ques-

tions, each question containing a policy and ask-

https://www.axiomatics.com/pure-xacml.html

ing the participant to modify attribute values in or-

der to obtain a speciﬁc decision. We show that the

tested group was, in average, faster to answer the

questions (with an effect size of d = 0.44 over the

monitored questions), and more likely to interact

with the tool (subjective preferences measured at

the end of the test showed that 76.47% of partici-

pants who tested the visualisation tool manifested

they felt more conﬁdent operating the policy.)

To the best of our knowledge, there is no standard

benchmark for evaluating the efﬁciency and usability

of policy authoring/editing tool, and we believe the

results of the controlled experiments could pave the

way towards establishing such a benchmark. In ad-

dition, VisABAC focuses on the visualisation of the

evaluation of policies, rather than on the structure of

the policy itself, and therefore is complementary to

several existing approaches, described in Section 2.

The rest of this paper is structured as follows:

we ﬁrst introduce in Section 2 the background on

Attribute-Based Access Control, and related work on

the visualisation of access control. We then present

VisABAC in Section 3, the experiment in Section 4,

and the results are discussed in Section 5.

2 BACKGROUND AND RELATED

WORK

In this section, we ﬁrst describe the notion of Attribute

Based Access Control (ABAC) policies, after which

we go through existing approaches, leading to our se-

lection of the Circle Packing method.

2.1 ABAC

As brieﬂy described in the Introduction, ABAC con-

sists in considering an access request as a set of at-

tribute values. Following for instance the approach

adopted for PTaCL (Crampton et al., 2015), we there-

fore consider a set of attribute names A and a set of

attribute values V , such that the set of requests is de-

noted by Q = ℘(A × V ).

We assume here that the sets A and V are known

and ﬁxed, and, in order to model missing information

(which is a key aspect of XACML 3.0), we consider

a request as a function q : A × V → {1,0,⊥}, such

that, given an attribute a and a value v, q(a,v) = 1 in-

dicates that a has the value v in q, q(a,v) = 0 indicates

that a does not have the value v in q, and q(a,v) = ⊥

indicates that we do not know whether a has the value

v in q or not.

An atomic target is deﬁned as a pair (a, v), and a

composite target is deﬁned as a proposition of atomic

ICISSP 2018 - 4th International Conference on Information Systems Security and Privacy

118

Table 1: Evaluation of the healthcare policy example on

some selected values for each atomic target.

Targets Rules Policy

∨t

1 1 1 1 Deny Permit Deny

0 1 1 1 NA Permit Permit

0 0 0 0 NA NA NA

0 ⊥ 0 ⊥ NA Indet(P) Indet(P)

⊥ 1 1 1 Indet(D) Permit Indet(PD)

⊥ 0 0 0 Indet(D) NA Indet(D)

targets. Since, in the controlled experiment presented

in Section 4, we targeted participants with no spe-

ciﬁc knowledge of access control, we only considered

simple conjunction (∧) and disjunction (∨) operators,

corresponding to the XACML AllOf and AnyOf ele-

ments, respectively. We leave the study of more com-

plex logical operators for future work.

Given a request q, the evaluation of an atomic

target t = (a,v) is equal to q(a,v). Here, we inter-

pret 1, 0, and ⊥ as the XACML elements Match,

NoMatch and Indeterminate, respectively. We use a

strong Kleene interpretation for the logical operators,

following the PTaCL and XACML semantics: given a

request q, and two targets t

and t

, the target t = t

∧t

evaluates to 1 if both t

and t

evaluates to 1, to 0 if

either t

or t

evaluates to 0, or to ⊥ otherwise. Simi-

larly, the target t = t

∨t

evaluates to 1 if either t

evaluates to 1, to 0 if both t

and t

evaluates to 0,

or to ⊥ otherwise.

An access rule is deﬁned as a tuple (d,t), where d

is a decision (either Permit or Deny) and t is a target.

Given a request q, a rule (d,t) evaluates to d if t eval-

uates to 1, to NA (Not-Applicable) if t evaluates to 0,

to Indet(P)

if d = Permit and t evaluates to ⊥, or to

Indet(D) if d = Deny and t evaluates to ⊥.

An access policy is a collection of rules,

composed together with a composition opera-

tor. We implemented in VisABAC the six main

XACML operators: permit-overrides (POV), deny-

overrides (DOV), permit-unless-deny (PUD), deny-

unless-permit (DUP), ﬁrst-applicable (FA), only-one-

applicable (OOA). We refer to the main documenta-

tion of XACML or for instance to (Morisset and Zan-

none, 2014) for the full deﬁnitions of these operators.

For instance, let us consider a health-care pol-

icy, regulating the access to a medical record, where

intuitively, access is permitted when there is no ex-

plicit disagreement from the patient and when either

the hospital or the concerned surgeon agrees for the

access, and access is denied otherwise. There are

therefore three possible attribute values/atomic tar-

For the sake of compactness, we abbreviate the XACML

Indeterminate extended decisions to Indet.

gets: t

= (patient, disagree), t

= (hospital, agree)

and t

= (surgeon, agrees). We then deﬁne two rules,

= (Deny,t

) and r

= (Permit,t

∨t

), and the pol-

icy p = DOV (r

). The evaluations of these ele-

ments are presented in Table 1. It is worth observing

that this simple policy can in practice evaluate to ev-

ery possible XACML decision, depending on the val-

ues of the atomic targets.

A straight-forward machine readable textual rep-

resentation of this policy is presented below. We use

this format in VisABAC, in addition to the graphical

representation.

R1: Deny if PATIENT_disagrees

R2: Permit if OR(HOSPITAL_agrees,

SURGEON_agrees)

P: DOV(R1,R2)

2.2 Visualisation for Access Control

We now present visualisation techniques, some of

them actively applied into access control, that were

considered in the process of building VisABAC. Al-

though there is a rich literature for visualisation in se-

curity, few approaches deal with Attribute-based Ac-

cess Control, and these approaches tend to work on

the structure of the policy itself, such as VisPE (Ner-

gaard et al., 2015), rather than on policy evaluation.

There is a limited literature studying trees as a

way to visually ﬁnd conﬂicts inside access policies;

this seems surprising since trees are used to create

XACML policies itself and it is the preferred method

for explaining XACML policies in the OASIS spec-

iﬁcation (Rissanen et al., 2009). Rosa (Rosa, 2009)

explore this approach for very light graphs in its

XACML Viz prototype. Pina Ros et al. (Pina Ros

et al., 2012) uses trees (Matching tree and Combin-

ing Tree) to optimise the evaluation of applicable

rules in an access policy engine called XEngine. The

tool is not aimed at visualisation, however, the paper

shows how policies are organised in a tree structure

than can be directly match to a tree representation.

Rao et al. (Rao et al., 2009) propose multi-level grids

to visualise results of multiple types of access con-

trol policy analysis and authoring. Although this ap-

proach is simple to implement, it can be very space

consuming.Semantic Substrates (Card et al., 1999)

use spatial representation to group common attributes

by regions. Pan and Xu (Pan et al., 2013; Pan and

Xu, 2012) propose a visualisation toolkit called “Pol-

icy Visualisation Framework (PVF)” which extends

XACML to support RBAC aiming to provide a clearer

representation than conventional role-permission tree

graphs. They further propose in (Pan and Xu, 2012)

to use treemaps (Johnson and Shneiderman, 1991)

VisABAC: A Tool for Visualising ABAC Policies

119

Figure 1: Tree-maps as a visualisation tool for analysing

conﬂict detection for multi-domain policies (Pan and Xu,

2012).

Figure 2: Circle Packing Diagram (Wang et al., 2006).

Level 0,1 and 2 painted light grey, green and red respec-

tively.

to complement Semantic Substrates instead of adja-

cency matrices to form macro and micro vision re-

spectively. Treemaps visualise hierarchical tree struc-

tures using a root rectangle that contains all nodes of a

given tree. Each subsequent level of the tree structure

divides the above square according to a particular at-

tribute of a node, such as size. They are used in (Pan

and Xu, 2012) to analyse RBAC access control po-

lices when multi-domain information is exchanged

(Figure 1).

Circle Packing (Wang et al., 2006) is very similar

in concept to Treemaps, as it was inspired by them.

As a marked difference, it uses circles instead of rect-

angles which give them a lower space efﬁciency ratio;

however they express more clearly the hierarchy they

represent. Figure 2 shows a very simple Circle Pack-

ing diagram which has three levels. Wang et al. (Wang

et al., 2006) have shown with a ﬁle visualisation tool

(FVT) that it is possible to handle efﬁciently thou-

sands of nodes with this method. However, to the best

of our knowledge, Circle Packing has never been used

in the context of access control.

3 VisABAC

In this section, we ﬁrst explain the process with which

we have designed VisABAC, after which we describe

the tool itself

3.1 Participatory Design

In general, visualisation is not only a set of techniques

but also a process (Meyer, 2011) therefore, in order to

achieve a successful representation, it is important to

work closely with users affected by the shortcomings

of traditional analysis. Hence, we work closely with 5

members of our research group using a participatory

design (Ritter et al., 2014). That expertise targeted

essential usability aspects and the feedback acquired

(heuristic approach (Ritter et al., 2014)) was comple-

mented by heuristic evaluation and informal/formal

evaluation by recruited participants.

Some approaches, such as: graphs, hierarchical

graphs, hypergraphs, Euler diagrams, and binary de-

cision diagrams (BDD), have already been identiﬁed

as too complex to implement, visualise or unsuitable

to be of any practical use (Fisler et al., 2005; Heydon

et al., 1990; Montemayor et al., 2006; Fisler et al.,

2005; Kolovski, 2007). Some candidates, on the other

hand, were particularly promising, including trees and

treemaps, which have been applied previously to se-

curity visualisation. However, some limitations were

found during the participatory process, even after try-

ing to reﬁne those ideas using zoomable treemaps and

collapsible trees:

• In particular, the relationship between screen state

utilisation and navigability has been highlighted

as very important by the participants. Screen util-

isation for collapsible trees, for example, was very

low (more than 50% is background)

but users

easily navigated inside the access control policy;

on the other hand, zoomable treemaps proposed a

full screen state utilisation but users got lost inside

the policy quickly.

• Treemaps made clear that once navigating inside

a policy users easily forgot the evaluation result

of the particular policy they were inspecting, hav-

ing to go a level back again to remember what the

outcome was.

A tradeoff between efﬁciency and usability was

found in circle packing, a visualisation technique crit-

VisABAC is available for demonstration at

http://homepages.cs.ncl.ac.uk/charles.morisset/visabac

A prototype version of VisABAC with collapsible trees

is available alongside the main tool, illustrating the poor

screen utilisation.

ICISSP 2018 - 4th International Conference on Information Systems Security and Privacy

120

(a) Visual Decision Diagram

(b) Decision box

(d) Attribute Values

Figure 3: Figure 3(a) and Figure 3(b) show the evaluation

of the policy P, represented in 3(c), when attributes are set

as 3(d) (ﬁfth row of Table 1). The largest circle (P) is ﬁlled

in with a grey pattern, since it evaluates to Indet(PD), the

circle for R1 is ﬁlled in with a red pattern, since it evaluates

to Indet(D), and the circle for R2 is ﬁlled in green, since it

evaluates to Permit.

icised (Wang et al., 2006) for not being as space ef-

ﬁcient as treemaps but praised for providing a better

hierarchy illusion than those obtained by, for exam-

ple, treemap representations.

3.2 VisABAC Interface

The VisABAC interface is designed as a web page

component and, as such, runs on any web browser.

The interface consists of four main components,

which we now detail, using the visualisation of the

policy described in Section 2.1 as an example (Fig-

ure 3).

The Policy component (Figure 3(c)) is a textual

box, directly editable from the browser, which con-

tains the deﬁnition of the policy following the syntax

described in Section 2.1. This deﬁnition can either

be typed in, loaded from a set of existing samples,

or loaded from a ﬁle. These rules are automatically

parsed into JavaScript Object Notation (JSON), where

the text of each rule is identiﬁed by its name. For in-

stance, the policy described in Section 2.1 would cor-

respond to the object:

policyRules=

{"R1": "Permit if PATIENT_disagrees",

"R2": "Permit if OR(HOSPITAL_agrees,

SURGEON_agrees)"

"P": "DOV(R1,R2)"}

The Attributes component (Figure 3(d)) allows the

user to set the value for each attribute value: true,

false, or unknown. For instance, Figure 3(d) corre-

sponds to a request where we do not know if the pa-

tient disagrees to the access, we know that the hospi-

tal does not agree to the access, and that the surgeon

agrees, which corresponds to the ﬁfth row of Table 1.

The Decision component (Figure 3(b)) lists, for

each rule in the Policy component, the decision ob-

tained for that rule. These decisions are obtained by

iterating through the policyRules object, following

the evaluation rules established in (Crampton et al.,

2015). The evaluation returns an object with the same

structure, but where each rule has been replaced by its

decision. In the case where a rule is not well-formed

(e.g., missing reference, syntax error), it evaluates to

Indeterminate(PD). Note that cycles in rule deﬁni-

tions are not currently detected, and an error would

occur.

Finally, the Visual component (Figure 3(a)) uses

Zoomable Circle Packing to visually explore ac-

cess control policies, using the D3.js library

. The

zoomable aspect is a crucial one, as it allows the

space occupied by the visualisation to remain con-

stant. A circle is either a rule or a composition of

rules grouped by a composition operators. As a con-

sequence, a policy comprised of sub-policies is rep-

resented by circles containing sub-circles in a similar

hierarchy as the given policy. The visual diagram is

dynamic, and is updated when the policy or the at-

tributes are updated and a new evaluation is calcu-

lated. Each circle is deﬁned by two characteristics:

• The colour, which matches the result of the poli-

cy/rule they represent: green is for Permit, red for

Deny, white for NA, patterned-green for Indet(P),

patterned-red for Indet(D), and patterned-grey for

Indet(PD). We have also developed a colour de-

ﬁciency mode, which caters for different types

of colour deﬁciencies. In addition, since these

https://d3js.org

VisABAC: A Tool for Visualising ABAC Policies

121

(a) Policy with 9 atomic rules and 9 binary poli-

cies.

(b) Variation of 4(a) with sub-policies used

multiple times.

Figure 4: Circle packing visualisation of arbitrary complex

policies in VisABAC.

colours are set through a simple CSS (Cascading

Style Sheet), they could be user conﬁgurable.

• The line pattern which matches the operator used.

In particular, we use full lines for Deny-overrides

and dashed lines for Permit-overrides. The lines

for the other operators can be found in the online

help of the tool.

For instance, Figure 3(a) shows that Level 0 (P)

represents the whole policy by the most outer circle

line; Level 1 (R1 and R2) represent the ﬁrst level of

the tree policy with smaller circles inside. A zoom

on the inner circles would display their respective tar-

gets, since they are atomic policies. Figure 4 illus-

trates more complex examples of ABAC policies.

4 EVALUATION

VisABAC, presented in the previous section, is rela-

tively easy to use, since it is deﬁned as an in-browser

application. The input language for policies is rel-

atively straight-forward from an Attribute-based Ac-

cess Control perspective. More importantly, the D3.js

library for Circle Packing is particularly ﬂuid, mak-

ing the tool very responsive. Our participatory de-

sign elicited Circle Packing as the preferred visualisa-

tion technique, compared with other techniques such

as foldable trees or treemaps. However, we are also

interested in understanding whether VisABAC is ef-

fectively usable, i.e, whether its proposed graphical

representation could help users in their tasks.

Nielsen and Levy argue that usability should be

measured according to subjective user preferences

and objective performance measures, since, in some

cases, users have favoured interfaces that are measur-

ably worse for them (Nielsen and Levy, 1994). Sim-

ilarly, MacLean et al. (MacLean et al., 1985) found

that subjects inclined towards a proven slower data

entry method would still prefer it as long as it was not

20% slower than the faster method.

Hence, in addition to a subjective user preference

questionnaire, we want to design an objective perfor-

mance measure for using VisABAC. To the best of our

knowledge, there is no standard benchmark for the us-

ability of tools for access control policies, and there-

fore we deﬁne a new method in this paper. Roughly

speaking, we give the user a ﬁxed policy, a valuation

for the attributes, and ask the user to change this valu-

ation in order for the policy to evaluate to a speciﬁed

decision. Our hypothesis is that the faster the user is

able to do this task, the more they understand the pol-

icy, and thus the better is the tool with which the user

interacts. We now describe this experimental settings,

and we discuss the limitations of our approach in Sec-

tion 6.

4.1 User Interface

We conduct a controlled-group experiment, where

users in different groups see a different user interface.

We deﬁne two different user interfaces (UI):

• The Graphics UI is an extension of the VisABAC

interface, described in Section 3.2, with the addi-

tion of two main elements: the context box, which

introduces the context of the policy, in English;

and the question box, which speciﬁes the expected

decision. The boxes for the policy, the attributes,

ICISSP 2018 - 4th International Conference on Information Systems Security and Privacy

122

the decision box, and the visual decision diagram,

are as described in Figure 3

• The Text UI is similar to the Graphics UI, as the

notable exception that the visual decision diagram

box is missing. However, the user still has access

to the evaluation of the policy with the decision

box.

4.2 Policy Question

The aim of either UI described above is to answer a

question, given a context and a policy. Ideally, we

would like to ask questions related to any aspect of

the editing or maintenance of a policy. However, we

believe that this would introduce too many different

dimensions to control, and we focus instead on ques-

tions related to policy evaluation. We leave for future

work the study of more complex questions. The con-

text is a simple description of the motivation behind

the policy, for instance, for the policy described in

Section 2.1 and Figure 3, the context is:

Releasing medical records in a certain hospi-

tal requires compliance with an access control

policy. The system checks events with state-

ments that return True or False if the forms

have been ﬁlled and validated by the corre-

sponding departments.

The attribute values are initially set so that the policy

evaluates to Indet(PD), and the question is:

Can you change the radio buttons so that PC

evaluates to Deny ?

The user can change any radio button, and then click

on a button Evaluate, which refreshes the different

boxes with the new policy evaluation. There is no

limit on the authorised number of evaluation per ques-

tion, and they can go to the next question by clicking

on the Submit button. They were also instructed they

could go to the next question at any time if they did

not wish to submit an answer for the current question,

and this would be recorded as a wrong answer.

The experiment consists of a total of 32 sub-

questions, grouped in 8 main questions. All sub-

questions within a single main question have the same

context, and only differ on minor details. For in-

stance, a sub-question in the same group than the pol-

icy above use the First-Applicable (FA) operator to

combine R1 and R2 instead of the Deny-Overrides

(DOV). The main questions are denoted from Q1 to

Q8, the sub-questions for the main question Q

are

denoted from Q

a to Q

The full test with both interfaces is available from the front

page of the tool.

4.3 Protocol

Each recruited participant P

goes through the follow-

ing steps:

1. After reading and signing the participant consent

form, P

is randomly assigned to either the Text

group (the control group) or the Graphics group

(the tested group).

2. P

is presented with a short introduction about

ABAC, going through a simple policy example

(similar to that described in Section 2.1). At

this stage, they can use the Text UI on the in-

troduced example (the Graphics UI is only intro-

duced in Step 4 for the Graphics group) and ask

any question. They are also explained what is ex-

pected of them and informed that their time will

be recorded. They are also informed that some

policies are on purpose hard to analyse, and that

we are measuring how the interface helps them,

rather than assessing them. This step takes in av-

erage 10 minutes.

3. Once they feel conﬁdent about using the tool, they

start answering the ﬁrst series of main questions,

Q1 and Q2 (8 sub-questions in total), using the

Text UI, regardless of their assigned group.

4. After Q2, if P

is in the Text group, they keep

answering Q3 to Q8 (24 sub-questions in total);

If P

is in the Graphics group, they switch to the

Graphics UI, and they are brieﬂy introduced with

the speciﬁcs of the Circle Packing representation;

They then answer Q3 to Q8 using the Graphics

UI.

5. After Q8, P

is debriefed, and explained the pur-

pose of the experiment. According to recom-

mended practices (Nielsen, 1993), a £10 Amazon

voucher is given as compensation for their time.

The entire protocol was designed to take, in av-

erage, between 30 to 45 minutes, including 20 min-

utes of actual assessment. The time to answer each

question was visible to the participant, and although

there was no strict countdown, to avoid adding time

pressure, participants were encouraged to move on to

the next question if they were spending more than 5

minutes on a sub-question (which happened in only

one instance). The experiment took place in the same

ofﬁce and the same computer (a 27” iMac), in order

to control environmental changes. Participants were

asked about colour deﬁciency, but none was indicated

in our experiment.

4.4 Objective Performance Measure

Intuitively, we want to compare the time taken by

users in the two different groups, in order to evalu-

VisABAC: A Tool for Visualising ABAC Policies

123

ate whether the Graphics UI was beneﬁcial. How-

ever, performance measure among different individ-

uals varies according to the capabilities of each one,

and the nature of the experiment makes it hard to en-

sure the distribution of the users in the groups is con-

sistent with user capabilities. As a consequence, a

procedure of normalisation had to be performed in or-

der to compare data.

The selected normalisation value was the inverse

of the number of seconds each participant spent on

solving Q2 (i.e., the total time spent on subquestions

Q2a, Q2b, Q2c and Q2d). We denote this as the nor-

malisation coefﬁcient α

, for each participant P

. Sub-

sequently, the time taken by P

to answer each ques-

tion is normalised by multiplying it by α

. If this value

is lower than 1, this implies the subject performed a

particular question faster than Q

while a larger value

represents the opposite. For instance, if P

took 4 sec-

onds to complete Q2 (α

= 0.25) and 6 seconds to

complete Q3, their normalised time for Q3 is 1.5; If

took 16 seconds to complete Q2 (α

= 0.0625) and

23 seconds to complete Q3, their normalised time for

Q3 is 1.4375. In other words, even though, absolutely

speaking, P

was slower than P

for Q3, they were

comparatively faster.

This choice for the normalisation function comes

from the fact that we have designed different ques-

tions with different levels of difﬁculty, Q7 being the

most difﬁcult. Hence, we expect that all users will

spend more time to answer Q7 than Q2, and we want

to measure this difference, rather than measuring di-

rectly the difference between users. Q2 was selected

as the normalisation value since all participants, re-

gardless of their group, had to do it with the Text

UI, and it was assumed some familiarity was already

gained by the user after performing Q1, since Q1 and

Q2 have a similar complexity level.

4.5 Subjective User Preferences

Subjective Testing was performed on users who were

exposed to the visualisation technique. A relatively

standard questionnaire was presented to collect their

impressions using a Likert scale (Nielsen and Levy,

1994) after ﬁnishing the objective testing.

5 RESULTS

We recruited 32 participants over 4 weeks, mostly

among undergraduate Computer Science students,

with no formal knowledge of ABAC, and randomly

assigned to the groups (16 participants each). The

aim of this study was to assess the impact of circle

Figure 5: Boxplots comparison of normalised times for

questions Q3 to Q8 between the Text and Graphics groups

(lower is better). The body of each box represents the in-

tervals between the ﬁrst (q

) and third quartiles (q

), the

bar represents the mean, the whiskers represent the max-

imal and minimal values between q

+ 1.5(q

− q

) and

− 1.5(q

− q

), ﬂiers represent points outside of this

range.

packing, so we targeted a relatively uniform group in

terms of prior knowledge, rather than experts in Ac-

cess Control. Figure 5 shows the normalised time

average of participants for each question, including

wrong answers (there are 8 wrong answers in each

group). The mean for the Graphics group is lower

(i.e., better) from Q4 to Q8 (comparatively to the time

taken for Q2) compared to the Text group. The mean

of Graphics group is higher for Q3, which could indi-

cate a small learning curve with the Graphics UI.

Altogether, the normalised mean time for partici-

pants in the Text group to answer all questions from

Q3 to Q8 is m

= 10.38 (with a conﬁdence interval of

[7.88,12.88] and a standard deviation of σ

= 5.10).

In comparison, the normalised mean time for partici-

pants in the Graphics group is m

= 8.58 (with a con-

ﬁdence interval of [7.33,9.83] and a standard devia-

tion of σ

= 2.55). This allows us to conclude that

the effect size

is 0.44, which is traditionally seen as

a small to medium effect size (Cohen, 1988). In addi-

tion, the results of the user preferences survey showed

that 82.35% of participants described the presence of

the visualisation as useful; 76.47% of participants felt

more conﬁdent operating the policy with the presence

of the graph and 47.06% agree (35.39% agree to some

extent) that the presence of the graph makes them feel

they understand the policy better. Some questions

were however very conclusive, e.g. if complex men-

tal operations were needed, which could indicate this

question was not well formulated.

Cohen’s effect is computed as (m

− m

) divided by

(σ

+ σ

)/2

ICISSP 2018 - 4th International Conference on Information Systems Security and Privacy

124

6 CONCLUSIONS

VisABAC: A Usable Tool. VisABAC presents a

way to visually overview an access control pol-

icy, where composition operations seems to be ade-

quately represented and details are disclosed on de-

mand thanks to the zooming and progressive disclo-

sure of tags. VisABAC also provides interactivity to

the user and increments the exploring of the policy in

a graphical manner. The response was overall posi-

tive, both during the participatory design and with the

subjective user preferences survey. Most users liked

the concept very much, found it intuitive and easy to

use, although they remarked that some training could

have decrease their response time. Furthermore, the

experiment showed a small to medium effect size, al-

lowing to conclude that VisABAC improves the han-

dling of attribute-based access control policies for a

population with no formal training. Of course, at this

stage, it is not yet clear whether VisABAC can pro-

vide a signiﬁcant contribution to access control ex-

perts, but we believe the tool as presented here and

our results pave the way towards an experiment at a

larger scale.

Comparison with Other Visualisation Techniques.

Although the experiment focuses only on the cir-

cle packing technique, it is worth recalling that Vis-

ABAC was designed using a participatory design,

where other techniques were rejected as less effec-

tive compared to circle packing. Furthermore, most

approaches described in Section 2 do not focus on

attribute-based access control, which is now con-

sidered to be standard. We believe that a wide-

ranging comparison of different visualisation tech-

niques would require a strong benchmark and a clear

methodology, and we designed our approach to be a

ﬁrst step in that direction.

Extensions. Since VisABAC is designed as a web-

page component, using HTML (for the basic inter-

face), JSON (for the encoding of the policies), and

Javascript (for the evaluation of policies and the vi-

sualisation elements), additional visualisation tech-

niques can be added. The collapsible tree approach

(see Section 2.2) has received some positive response

during the participatory design phase of VisABAC

(policies tend to be naturally seen as trees). If the

space occupation issue could be ﬁxed, they could be

an interesting candidate to integrate into VisABAC. In

particular, navigating large networks with hierarchies

and zooming has been explored in authors such as

Eick and Wills (Eick and Wills, 1993) with thorough

discussion about node placement algorithms. In ad-

dition, we could also embed the visualisation frame-

work into a more capable tool that could parse di-

rectly XACML policies, making it possible to com-

pare real XACML cases against their visualisation

(and not synthetic ones), and include authoring tools

such as VisPE (Nergaard et al., 2015). This would fa-

cilitate the deployment of VisABAC for realistic ex-

periments with ﬁeld experts.

ACKNOWLEDGEMENTS

This work was partially sponsored by the Research

Institute in Cyber Security (RISCS) in collaboration

with the National Cyber Security Centre (NCSC). The

authors would also like to thank Nick Holliman from

Newcastle University for very useful discussions on

visualisation techniques.

REFERENCES

Alavi, R., Islam, S., and Mouratidis, H. (2014). HAS

2014. pages 297–305, Cham. Springer International

Publishing.

Ashley, P., Hada, S., Karjoth, G., Powers, C., and Schunter,

M. (2003). Enterprise privacy authorization language

(epal). IBM Research.

Barker, S. (2009). The next 700 access control models or a

unifying meta-model? In SACMAT, pages 187–196.

ACM.

Barrett, R., Kandogan, E., Maglio, P. P., Haber, E. M.,

Takayama, L. A., and Prabaker, M. (2004). Field

studies of computer system administrators: Analysis

of system management tools and practices. In Pro-

ceedings of the 2004 ACM Conference on Computer

Supported Cooperative Work, CSCW ’04, pages 388–

395.

Bauer, L., Garriss, S., and Reiter, M. K. (2008). Detect-

ing and resolving policy misconﬁgurations in access-

control systems. In SACMAT, pages 185–194. ACM.

Becker, J., Heddier, M.,

Oks

uz, A., and Knackstedt, R.

(2014). The effect of providing visualizations in pri-

vacy policies on trust in data privacy and security. In

2014 47th Hawaii International Conference on Sys-

tem Sciences, pages 3224–3233.

Benantar, M. (2005). Access Control Systems: Secu-

rity, Identity Management and Trust Models. Access

Control Systems: Security, Identity Management and

Trust Models. Springer US.

Card, S. K., Mackinlay, J. D., and Shneiderman, B., editors

(1999). Readings in Information Visualization: Using

Vision to Think. Morgan Kaufmann Publishers Inc.,

San Francisco, CA, USA.

VisABAC: A Tool for Visualising ABAC Policies

125

Cohen, J. (1988). Statistical power analysis for the behav-

ioral sciences lawrence earlbaum associates. Hills-

dale, NJ, pages 20–26.

Crampton, J., Morisset, C., and Zannone, N. (2015).

On missing attributes in access control: Non-

deterministic and probabilistic attribute retrieval. In

SACMAT, pages 99–109. ACM.

Eick, S. G. and Wills, G. J. (1993). Navigating large net-

works with hierarchies. In IEEE Conference on Visu-

alization, 1993., pages 204–210.

Fisler, K., Krishnamurthi, S., Meyerovich, L. A., and

Tschantz, M. C. (2005). Veriﬁcation and change-

impact analysis of access-control policies. In Pro-

ceedings of the 27th International Conference on Soft-

ware Engineering, ICSE ’05, pages 196–205, New

York, NY, USA. ACM.

Heydon, A., Maimone, M. W., Tygar, J. D., Wing, J. M., and

Zaremski, A. M. (1990). Miro: visual speciﬁcation of

security. IEEE Transactions on Software Engineering,

16(10):1185–1197.

Johnson, B. and Shneiderman, B. (1991). Tree-maps: A

space-ﬁlling approach to the visualization of hierar-

chical information structures. In Proceedings of the

2nd Conference on Visualization ’91, pages 284–291,

Los Alamitos, CA, USA. IEEE.

Kirlappos, I. and Sasse, M. A. (2014). HAS 2014, chap-

ter What Usable Security Really Means: Trusting and

Engaging Users, pages 69–78. Springer.

Kolovski, V. (2007). Logic-based access control policy

speciﬁcation and management. Technical report, De-

partment of Computer Science, University of Mary-

land, College Park.

Lacey, D. (2009). Managing the Human Factor in Infor-

mation Security: How to Win over Staff and Inﬂuence

Business Managers. Wiley Publishing.

Lampson, B. W. (1974). Protection. Operating Systems

Review, 8(1):18–24.

MacLean, A., Barnard, P., and Wilson, M. (1985). Eval-

uating the human interface of a data entry system:

user choice and performance measures yield different

tradeoff functions. People and computers: Designing

the interface, 5:45–61.

Meyer, M. (2011). Information visualization for scientiﬁc

discovery.

Montemayor, J., Freeman, A., Gersh, J., Llanso, T., and Pa-

trone, D. (2006). Information visualization for rule-

based resource access control. In Proc. of Int. Sympo-

sium on Usable Privacy and Security (SOUPS), pages

24–0.

Morisset, C. and Zannone, N. (2014). Reduction of access

control decisions. In SACMAT, pages 53–62. ACM.

Nergaard, H., Ulltveit-Moe, N., and Gjøsæter, T. (2015).

ViSPE: A Graphical Policy Editor for XACML, pages

107–121. Springer International Publishing, Cham.

Nielsen, J. (1993). Usability Engineering. Morgan Kauf-

mann Publishers Inc., San Francisco, CA, USA.

Nielsen, J. and Levy, J. (1994). Measuring usability: Prefer-

ence vs. performance. Commun. ACM, 37(4):66–75.

Pan, L., Liu, N., and Zi, X. (2013). Visualization frame-

work for inter-domain access control policy integra-

tion. China Communications, 10(3):67–75.

Pan, L. and Xu, Q. (2012). Visualization analysis of multi-

domain access control policy integration based on

tree-maps and semantic substrates. Intelligent Infor-

mation Management, 4(5):188–193.

Pina Ros, S., Lischka, M., and G

omez M

armol, F. (2012).

Graph-based xacml evaluation. In Proceedings of the

17th ACM Symposium on Access Control Models and

Technologies, SACMAT ’12, pages 83–92, New York,

NY, USA. ACM.

PwC (2015). 2015 information security breaches survey.

Technical report, HM Government and PwC Consult-

ing and Infosecurity Europe.

Rao, P., Ghinita, G., Bertino, E., and Lobo, J. (2009). Vi-

sualization for access control policy analysis results

using multi-level grids. In IEEE International Sym-

posium on Policies for Distributed Systems and Net-

works, 2009., pages 25–28.

Rissanen, E., Lockhart, H., and Moses, T. (2009). Xacml

v3. 0 administration and delegation proﬁle version 1.0.

Committee Draft, 1.

Ritter, F. E., Baxter, G. D., and Churchill, E. F. (2014).

Foundations for Designing User-Centered Systems.

Springer, Springer London Heidelberg New York Dor-

drecht.

Rosa, W. D. (2009). Toward visualizing potential policy

conﬂicts in extensible access control markup language

(xacml). Theses and dissertations, University of New

Orleans, New Orleans.

Sackmann, S. and K

ahmer, M. (2008). Expdt: Ein policy-

basierter ansatz zur automatisierung von compliance.

Wirtschaftsinformatik, 50(5):366–374.

Standard, O. (2005). extensible access control markup lan-

guage (xacml) version 2.0.

Stepien, B., Matwin, S., and Felty, A. Strategies for reduc-

ing risks of inconsistencies in access control policies.

Trudeau, S., Sinclair, S., and Smith, S. W. (2009). The ef-

fects of introspection on creating privacy policy. In

WPES ’09: Proceedings of the 8th ACM workshop

on Privacy in the electronic society, pages 1–10, New

York, NY, USA. ACM.

Vaniea, K., Ni, Q., Cranor, L., and Bertino, E. (2008). Ac-

cess control policy analysis and visualization tools for

security professionals. In SOUPS Workshop (USM).

Wang, W., Wang, H., Dai, G., and Wang, H. (2006). Visu-

alization of large hierarchical data by circle packing.

In Proceedings of the SIGCHI Conference on Human

Factors in Computing Systems, CHI ’06, pages 517–

520, New York, NY, USA. ACM.

ICISSP 2018 - 4th International Conference on Information Systems Security and Privacy

126