An Expert Panel Approach on Developing a Unified System Authentication Benchmarking Index

Herbert J. Mattord (Coles College of Business, Kennesaw State University, Kennesaw, GA, USA), Yair Levy (Graduate School of Computer and Information Sciences, Nova Southeastern University, Ft. Lauderdale, FL, USA) and Steven Furnell (Centre for Security, Communications and Network Research, Plymouth University, Plymouth, Devon, UK)
DOI: 10.4018/jitn.2013040103

Abstract

Network-based applications still rely heavily on password-based authentication methods to control access. In a recent study, a benchmarking instrument was used to assess authentication methods used in such systems. The authors’ instrument was built on an extensive literature foundation and was validated with an expert panel assessment. This paper reports on the development of the instrument and the expert panel assessment. The initial draft of the instrument was derived from literature to assess 1) password strength requirements, 2) password usage methods, and 3) password reset requirements. Criteria within the index were evaluated by an expert panel, who also provided opinions on the relative weights of the criteria and measures. The expert panel results were analyzed using Multi-Criteria Decision Analysis (MCDA) techniques. Their results revealed that, out of a 100% allocation, Password Strength Measure (PSM) was the dominant factor in the aggregated perception of the panel of experts with a weight of 43.1%, followed by Password Initialization and Reset Measure (PIRM) with a weight of 29.2%, and Password Usage Measure (PUM) with a weight of 27.7%. They concluded with discussions on how criteria were assembled, how the panel was conducted, and results from the panel. The results reported include the relative weights of the three measures within the unified system authentication benchmarking index.

Theoretical Background

Access control includes those methods that are specified by systems to govern the identification, authentication, authorization, and accountability of systems users (Firesmith, 2003). An authentication method is one that validates a proposed user’s identity so as to allow a system to discriminate between valid and invalid identities (Clarke et al., 2008; Sandhu & Samarati, 1996). Authorization is the process used by a system to grant specific permissions to use system features based on the authenticated identity of a user (Sandhu et al., 1996). Accountability, sometimes called security auditing, is the means by which a system records its actions for later analysis (Firesmith, 2003). For example, a firewall control, implemented in a hardware appliance, will often record all access attempts and the results of each of those attempts in a system log file. That log file can later be evaluated for auditing purposes.

An authentication method is a technique used by a system to perform authentication of potential users in order to confirm the identity of the user (Whitman & Mattord, 2011). Authentication methods include specifying which and how many authentication factors are used, what values are allowable, and which associated access control procedures are used to control the actions taken by authenticated users (Sandhu & Samarati, 1996). The difference in how users react to specified authentication methods with manifested authentication practices may enable attacks on the system (Furnell, 2007). Attacks against Web-based ISs have been showcased in media reports as widespread and growing (Acohido, 2009; Ramim & Levy, 2006). Moreover, Acohido (2009) noted that “the vast majority of organizations routinely fail to take simple defensive measures, such as shoring up common Website weaknesses or uniformly enforcing the use of strong passwords” (p. B1). Unfortunately, it is widely known that authentication methods that rely solely on passwords are easily compromised (Furnell & Zekri, 2006). Such compromises may allow misuse of the ISs when they are protected by methods built on specifications of insufficient authentication methods (D’Arcy & Hovav, 2007). The potential for misuse exists when insiders or outsiders exploit insufficient authentication methods or practices to gain unauthorized access to perform unauthorized actions (Furnell & Zekri, 2006).
