LCV Dissertation Proposal Presentation

8/14/2019 LCV Dissertation Proposal Presentation

http://slidepdf.com/reader/full/lcv-dissertation-proposal-presentation 1/53

March 8th, 2010

Security in Practice: Examining the

Collaborative Management of Personal SensitiveInformation in Childcares and Medical CentersLaurian C. Vega

1

Monday, March 8, 2010



What is

Security ✤ Computer Security = Rules,

Passwords, Policies

✤ Social Security = Social Norms(e.g., Privacy & Trust), SocialBehavior (e.g., whispering)

✤ Security Practice = the use andnegotiation between social andtechnical security to managethe day-to-day practice of fulfilling security needs




Outline

✤ What is Usable Security?

✤ What are the social norms that impact security practice?

✤ Research Questions

✤ Description of guiding framework: Activity Theory

✤ Sensitive Information Rich Places: Childcares & Medical Centers✤ Pilot Study Work & Findings

✤ Proposed Work

3Monday, March 8, 2010



Usable Security

✤ Traditional security: encodable& enforceable rules

✤

Usable Security recognized thatthe social side of security has been ignored

✤ Whitten & Tygar: “Why JohnnyCan’t Encrypt” - security

breaches because of theinterface

✤ Adams & Sasse: “Users are notthe enemy” - security is

infringing on work practice

“users perceive their {insecure}

behavior to be caused by a

mechanism design to increase

security.”Monday, March 8, 2010



Social Side of

Security ✤ Flechais, Reiglesberger, & Sasse:

“Divide and Conquer: The Role of Trust and Assurance in the Design of

Secure Socio-Technical Systems”✤ Humans: flexible, have intuition,

and evolve

✤ Technology: rigid & not adaptable

✤ Adams & Blandford:

“Organizational communication andawareness: a novel solution forhealth informatics”

✤ Security is designed for theindividual, and not for the

community

“a computer is secure if you can

depend on it and its software to

behave as you expect…

Dependability is thereforedetermined by the degree to

which this socio-technical system

behaves in a way it’s expected

to.”




Guiding Argument: Joint

Optimization

Sensitive

Personal

Information





Optimization

Sensitive

Personal

Information

Social

Mechanisms





Optimization

Sensitive

Personal

Information

Technical

Mechanisms

Social

Mechanisms





Optimization

Sensitive

Personal

Information





Optimization

Sensitive

Personal

Information

Technical

Mechanisms





Optimization

Sensitive

Personal

Information

Technical

Mechanisms

Social

Mechanisms




Social NormsImpacting

Security Privacy & Trust




Trust

✤ Many decades of research inrelevant areas

✤ Encompasses the idea of aperson or group behaving or

believing in another person,group, or artifact to betrustworthy✤ Personnel trusting each

other, the institution, theirclients, third parties to work effectively

✤ Economic model of trust

(Handy 1995, Flechais 2005)Monday, March 8, 2010



Models of

Privacy ✤ Models of Privacy

✤ Private v. Public space

(Harper 1992)✤ Boundaries of Private

Identity (Buylund 2008;Palen & Dourish, 2003):Genres of disclosure

✤ Cultures of Secrecy (Dourish& Anderson)

✤ Economic Exchange Model(Dourish & Andreson)

“Privacy is not simply a way that

information is managed but how

social relations are managed”Monday, March 8, 2010



Privacy &Contextual Integrity

✤ Nissenbaum: Contextual Integrity✤ ‘Sensitive’ & ‘Confidential’ =

information that needs to be

private✤ Privacy Principles:

✤ Protect against governmentintrusion

✤ Determining the spectrum of sensitive, intimate, and

confidential✤ Determining spaces and

boundaries for privacy✤ Failure to account for

appropriateness, distribution,

information flow, and change

“Privacy is not simply a way that

information is managed but how

social relations are managed”Monday, March 8, 2010



Research

Question✤ How do socio-technical systems that

use sensitive personal informationmanage work-practice breakdownssurrounding the implicit and explicit

rules of process?✤ What are the implicit and explicit

rules surrounding how medicalpractices and childcares handlesensitive personal information?

✤

What breakdowns happen when theexplicit and implicit rules are notfollowed?

✤ How are breakdowns accounted for,negotiated, and managed in socio-technical systems where sensitive

personal information exists?Monday, March 8, 2010



Activity Theory

✤ Relationship betweenconsciousness and activity

✤ Focus on artifacts mediating theinterplay of subject and objectto create the emergent outcome

✤ Activity = central unit of analysis

✤ Emphasis on context andcultural/historical backgroundof the context + artifacts

Tool

Subject Object Outcome Transformation

Process




Activity Theory: Engström

Tool

Subject Object Outcome TransformationProcess

Rules Community Division of

Labor




Activity Theory: Zone of Proximal

Development✤ External and Internal states

✤

External: artifacts

✤ Internal: concepts, heuristics

✤ Internalization occurs through the

Zone of Proximal Development

✤ Internalization of social normsfor security for laterexternalization through activities




Activity Theory:

Breakdowns✤ Perturbations in the activity

system indicates need for

growth & change✤ Perturbations are caused by

conflicts in activity levels, partsof the activity system, or betweenthe objectives of two activities

✤ Phases of change: coordination -no change; cooperation - minordisruptions in the system; co-construction - breakdowns occurresulting in the system realigning

“Co-construction necessarily involvesintensive learning as new practices

are being devised, which itself

requires learning, and the new

practices are intended to be learned

by others” - Nardi




Infomation

Rich Places✤ Aspects:

✤

Managing other’sinformation

✤ Information in multipleplaces

✤ Numerous people accessing

✤ Information in differentforms




Childcares

✤ 36% of children under age 6 inUnited States participate in

childcare✤ State-licensed - annually and

many times during start-up; setof licensing regulations

✤ House anywhere from 1 - 250children (limits usually onyounger children)

✤ Open ~7AM, Close ~6PM

Statistic provided by: (2005) Percentage of Children Ages 0-6, Not Yet in

Kindergarten by Type of Care Arrangement and Child and Family

Characteristics, 1995, 2001, and 2005. ChildStats.gov




Childcare Information& People

Director

Mother

Bus Driver

Teacher

Father

Head Teacher

Computer

Report

FilePortion of

File

Child

Owner

People

Information

Locations

Licensor

Director’sOffice

Bus

Classroom




Childcare Layout &Space

Childcares have a particular

layout to facilitate daily

routines and safety practices

Front desk of a childcare center. There

is a monitor and picture frame in the

corner. Additional desk and 1-way

mirror from Director’s Office in the

back.




Small &Independent Medical

Practices

✤ (almost) All Americans gothrough US Healthcare System.

✤ In 2005 there were 1,169million visits to physicians’offices & outpatient care athospitals

✤ 3.94 visits per person

✤ State & Nationally regulated &licensed

Statistic provided by: Cutler, D.M. (2008) The American Healthcare System.

Medical Solutions,




HIPAA

✤ Effective in 1996

✤ Outlines (somewhat

ambiguously) US Nationalregulations in regards toprivacy and security of patients’ ‘information’

“The HIPAA Privacy Rule provides federal protections for personal health information held bycovered entities and gives patients an array of rights with respect to that information. At the

same time, the Privacy Rule is balanced so that it permits the disclosure of personal health

information needed for patient care and other important purposes. The Security Rule specifies a

series of administrative, physical, and technical safeguards for covered entities to use to assure

the confidentiality, integrity, and availability of electronic protected health information.” Monday, March 8, 2010



Medical PracticeInformation & People

Director

Patient’s Family

3rd Parties

Insurance

Nurse

Computer

Temporary File

FilePortion of

FilePatient

Owner/Doctor

PeopleInformationLocations

Director’sOffice

Patient’sRooms

Doctor’s

Office




Comparing & Contrasting

Medical Practices Childcare Centers

File Storage

File Forms

New Customer

Daily Participation

Communication Methods

Age of files

Policing Privacy Agency

Method of conveying

explicit policies

File Travel

Large wall-spanning file cabinets Usually only set (3-4) of filing cabinets

Electronic billing patient file; physical file of

medical history; electronic copy of

information in physical file

Physical file in director’s office; sub-file in

teacher room; electronic copy of information in

physical file; possible additional over-flow file

Daily/Weekly Monthly, large enrollment in August and May

Different patients daily Same children daily

Email, inter-office memos, documenting in

files, face-to-face, staff meetings, phone

Email, inter-office memos, documenting in

files, face-to-face, texting, staff meetings,

phone, facebook, back-pack mail

Indefinite Indefinite

U.S. Department of Health & Human

Services through HIPPA

Virginia’s Department of Social Services

through bi-annual licensing; additional

accreditation through NYCEA, and hosing

institution such as Virginia Tech

Signed forms provided when first enrolling

or at start of visit

Ambient information, policy handbook, forms

sent back-pack mail to be returned, enrollment

formsTravels with Patient Central file stays in one location 25Monday, March 8, 2010



Qualitative

Methods✤ Studying the world of the participants

as an active - observer

✤

The research findings are dependent onthe interpretations of the researcher;researcher is the instrument

✤ Research questions are open, andadaptive to upon deeperunderstanding of the research context

✤ Data is captured in notes & richdescriptions, transcriptions, artifacts,memos of interpretation, audiorecordings, etc

✤ Data collection is never complete




Research Problem andOpening Research Questions

Coding &

Data Collection Coding

Memo Writing/Codes/ Tentative Categories

Initial

(1) (2)Focused

(3) Advanced &

Seeking SpecificNew Data

Sorting Memos & Adopting Certain Categories as

Theoretical Concepts

Writing First Draft

(4)Further TheoreticalSampling if Needed

1. Summer Interviews of Childcare and MedicalPractice Directors

2. Fall Observations andFollow-up Interviews

3. Fall Interviews of Parents

4. Proposed Observations

Grounded

Theory

Adapted from: Charmaz, K.,

Constructing Grounded Theory: A

Practical Guide through Qualitative

Analysis. 2006: Sage Publications Ltd.




Pilot Studies

✤ All participants from NewRiver Valley, Virginia

✤ IRB Approved✤ 46 Interviewed Participants:

Childcare & Medical Directors,Parents✤ Interviews = 45 min, audio

recorded, transcribed, coded by 2-3 researchers

✤ 14 Childcare Observations✤ Observations 2-3 hours,

Notes, collected artifacts,coded by 2 researchers




1: Human-Mediated Access Management

✤ Ownership

✤ Place-based Norms

✤ Role-based Norms




Ownership

✤ Center <-----> Client; shiftingideas

✤ Files are stored in center

✤ How much will they copy?What is the process of copying?

✤ Reasons for not providingcopies:

✤ Client wouldn’t understandinformation

✤ Kept information theywouldn’t want the client tosee

“the information in a file

belongs to a patient, butthe file itself belongs to

the doctor… So people

think when they get an

X-ray they’ve bought an

X-ray but no, the

information on the X-ray

belongs to the patient but the actual film itself

belongs to the doctor.”




Place-Based

Norms✤ How information is situated in

the environment represents

social norms of access &management

✤ Official policies that impactwhere it is acceptable to shareinformation

✤ Physical layout of the director’soffice

HIPPA as I understand it wasdeveloped to protect information that

is sent over the internet… Now

HIPPA in my opinion, and I don’tmind if this is recorded, I think it’s a

stupid thing… I wouldn’t go out in thewaiting room and say, you know, “hey

Ms. Jones your syphilis test is

negative,” so to me it’s an ethical thingand not a legal issue… now myunderstanding of HIPPA

interpretations, you’re not evenallowed to say the patient’s name in

the office. But what a load of crap, allthat. If I got an 80 year old lady, shewants a hug. I’m not gonna ignore

her, you know, “205, you’re up!”That’s just, that’s a little ridiculous.




Role-Based

Norms✤ The role of the director was

found to mediate theinformation seeker’s goal in a

way that is flexible, negotiated,and determined in a case-by-case fashion to best balance theneed for information for work with need to keep information

private.✤ Authority

✤ Auditing other’s work

✤ Limiting information sharing

"If I want my kids' middle

names, are they gonna be in hereor in the file?" <points to black

box> … The teacher then says, in

a much softer voice, “can I dig?”




Information

Duplication

✤ Information Redundancy

✤ Information On-hand




Information

Redundancy ✤ Information in multiple forms:

electronic, billing, health

✤ Reasons:

✤ To serve a communitypurpose

✤ To protect information from

being lost✤ To use appropriate

information based oncontextual needs

“The problem is, and someone

wouldn’t think about why it’s so

important, but it’s like theVirginia Tech massacre we had 3

patients who we had to identify

the bodies.”




Information



✤ Reasons:





“…we actually have a series of

backups. We have a local tape

backup and we have an off site backup which actually backs up

over the internet at my house at

night... And then at my home we

actually have two hard drives

and my wife goes to the safety

deposit box and swaps them out

regularly. So if somebody’s mad

enough to burn this office down

and my home down, we’ll stillhave a record in a safe deposit

box.”




Information



✤ Reasons:





“We have an electronic medical

record here – so it’s all eventually

entered in. The information is

taken down by a nurse

interviewer preoperatively on a

pre-op visit.... And then

eventually that all gets put intothe electronic medical record...

but of course we transfer a lot of

that information onto the

anesthesia record which is

entered in real time into the

electronic medical record”




Information

On-hand

✤ Planning is instantiatedthrough multiple copies of information for differentpurposes

✤ Reasons

✤ Need it for work

✤ Just in case (i.e.,emergencies)

✤ Files being too large

“… things have to be kept

confidential and locked, per se, but

the staff still need to be able to have

access to it even if {the director is}

not here ... So, sometimes they will

produce their own emergency

contact form for their classroom…and that way {the manila folder} can

remain locked but people still have

access to the information needed"




Community of

Trust✤ Trust decreases expenditures

for security, and increasesfeelings of shared

responsibility

✤ Representations:colloquialisms, feelings of being part of the family,

displaying child’s artwork

✤ 29% had individual passwords;door locks and keys neverobserved

“… teachers are bound by

confidentiality, it's in their

agreement, it's in our handbook,any violation of confidentiality is

immediate grounds of

termination. We try to use a lot of

trust… more often than not

there's not anything that they

can't see. Um, there are cases of

children that you know we've

had suspicions of abuse or

different information, but wekinda want at the same time for

{the staff} to be privy.”




Proposed Studies

✤ 2 month long observations; approximately 80 hours per location:

✤ 1 childcare

✤ 1 medical practice

✤ Role: Active-participant; semi-volunteer

✤ Goal: Observe the use of explicit and implicit policies & the breakdowns surrounding them

✤ Collect: Daily audio recordings, observation notes, pictures,representative artifacts




Product of Study

✤ Set of problem & near-future scenarios that have been abstracted fromobservation and pilot studies

✤ Goal: comprehensive list of observed breakdowns --> abstracted totypes of breakdowns

✤ Problem Scenarios - will depict problems with the current situationin relation to security

✤ Near-Future Scenarios - will depict the positive and negativeconsequences of implementing solutions to problem scenarios




Conceptual Framework

✤ Scenarios created torepresent different aspectsof the conceptualframework created by Dr.Kafura & Usable SecurityTeam

✤ Depicts aspects of theDesign Space




Sample ProblemScenario

✤ Bus driver’s list of childrenwith contact information isinaccurate; missing child

✤ Reasons for breakdown:

✤ Problems with division of labor - dueling objectives

✤

Lack of policy over updatinginformation

✤ Dueling objectives forsecurity & information on-hand




Sample Near-Future Scenario

✤ Solution - allow mother to updateher own information; informationavailable through interactive

password protected onboarddatabase

✤ Important aspects:

✤ Bus system can only accesscertain information

✤ Division of Labor moredistinguished for driver/director

✤ New policy for accessinginformation in the moment




Timeline

✤ Observations:

✤ One observation prior to

summer✤ One observation in August-

September

✤ Data Aggregation & Analysis:

Summer + Fall✤ Writing: November-April

✤ Research Defense: January

✤ Final Defense: April




Thank you

A special thanks to Tom DeHart, Laura Agnich, Edgardo Vega,Zalia Shams, Monika Akbar, Stacy Branham who helped run,

code, and analyze the data.

Another thanks to Dr. Fancis Quek & Dr. Denis Gracanin from theUsable Security team for their feedback.




Activity Theory: Levels

Activity

Action

Operation

Motive

Goal

Condition




ContextualIntegrity

✤ Appropriateness: Whatinformation is appropriate to

reveal in particular contexts

✤ Distribution: the movement ortransfer of information inparticular contexts

✤ Change & Information Flow:change in norms that guideinformation use




Conceptual Framework

✤ Behavior framing:mediating behaviors

through the ‘place’ -regulating privacy boundaries

✤ Boundary Regulation: theplace where privacy

norms regulate behavior✤ Trust negotiation:

negotiation between twoparties with differentprivacy policies

LCV Dissertation Proposal Presentation

Documents

Transcript of LCV Dissertation Proposal Presentation