Theoretical Background
Access control includes those methods that are specified by systems to govern the identification, authentication, authorization, and accountability of systems users (Firesmith, 2003). An authentication method is one that validates a proposed user’s identity so as to allow a system to discriminate between valid and invalid identities (Clarke et al., 2008; Sandhu & Samarati, 1996). Authorization is the process used by a system to grant specific permissions to use system features based on the authenticated identity of a user (Sandhu et al., 1996). Accountability, sometimes called security auditing, is the means by which a system records its actions for later analysis (Firesmith, 2003). For example, a firewall control, implemented in a hardware appliance, will often record all access attempts and the results of each of those attempts in a system log file. That log file can later be evaluated for auditing purposes.
An authentication method is a technique used by a system to perform authentication of potential users in order to confirm the identity of the user (Whitman & Mattord, 2011). Authentication methods include specifying which and how many authentication factors are used, what values are allowable, and which associated access control procedures are used to control the actions taken by authenticated users (Sandhu & Samarati, 1996). The gap between the specified authentication methods and the authentication practices users actually manifest may enable attacks on the system (Furnell, 2007). Attacks against Web-based ISs have been showcased in media reports as widespread and growing (Acohido, 2009; Ramim & Levy, 2006). Moreover, Acohido (2009) noted that “the vast majority of organizations routinely fail to take simple defensive measures, such as shoring up common Website weaknesses or uniformly enforcing the use of strong passwords” (p. B1). Unfortunately, it is widely known that authentication methods that rely solely on passwords are easily compromised (Furnell & Zekri, 2006). Such compromises may allow misuse of ISs that are protected by methods built on insufficient authentication method specifications (D’Arcy & Hovav, 2007). The potential for misuse exists when insiders or outsiders exploit insufficient authentication methods or practices to gain unauthorized access to perform unauthorized actions (Furnell & Zekri, 2006).
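The four access control functions described above (identification, authentication against a method specification that names the required factors and allowable password values, authorization, and accountability through an audit record of every attempt) can be made concrete in a small model. This is an added Python example, not code from the paper; the user name, the factor names and the token used as a second factor are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthMethod:
    """Specification of the method: which factors must be presented, what password values are allowable."""
    required_factors: tuple = ("password", "token")  # constructed two-factor method
    min_password_len: int = 12


@dataclass
class AccessControl:
    method: AuthMethod
    users: dict = field(default_factory=dict)        # identification: the known identities
    permissions: dict = field(default_factory=dict)  # authorization: identity -> permitted actions
    audit_log: list = field(default_factory=list)    # accountability: one record per attempt

    def register(self, user, password, token, actions):
        # Enforce the allowable-values part of the specification at enrolment time.
        if len(password) < self.method.min_password_len:
            raise ValueError("password does not meet the method's allowable values")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = {"salt": salt, "digest": digest, "token": token}
        self.permissions[user] = set(actions)

    def _authenticate(self, user, presented):
        """Validate the proposed identity: every required factor must be present and correct."""
        record = self.users.get(user)
        if record is None or any(f not in presented for f in self.method.required_factors):
            return False
        digest = hashlib.pbkdf2_hmac("sha256", presented["password"].encode(), record["salt"], 100_000)
        ok_password = hmac.compare_digest(digest, record["digest"])
        ok_token = hmac.compare_digest(presented["token"], record["token"])
        return ok_password and ok_token  # both evaluated so a wrong factor is not revealed by timing

    def request(self, user, presented, action):
        """One access attempt: authenticate, then authorize, then record the outcome for later auditing."""
        if not self._authenticate(user, presented):
            outcome = "denied: authentication failed"
        elif action not in self.permissions.get(user, set()):
            outcome = "denied: not authorized"
        else:
            outcome = "granted"
        self.audit_log.append((user, action, outcome))
        return outcome
```

The audit log is appended on every path, including failures, so that the later analysis the passage describes can see the attempts that did not succeed.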