Least Privilege across People, Process, and Technology: Endpoint Security Framework

Abstract

ABSTRACT A common target of cyberattacks today is the vulnerable endpoint device, which can be exploited by hackers to gain access into an organization. This paper presents a theoretical framework for addressing endpoint security by leveraging the principle of least privilege across the overlapping domains of people, process, and technology in organizations. The framework emphasizes nine key elements to endpoint security with associated policy statements designed to promote an organizational culture favorable to least privilege thinking. Leveraging an action design research methodology, we integrated the proposed managerial tool in an organization and incorporated feedback from industry professionals to evaluate it and to generate ideas for the development of a commercial endpoint security application. As a contribution, this framework is one of the first scholarly efforts to apply the principle of least privilege to endpoint security which can be valuable to cybersecurity consultants and academics.