
Usable Security Team

CHCI Project Proposal

Prepared for: Center for Human-Computer Interaction


Prepared by: Laurian Vega, Ph.D. Candidate

August 11, 2009

Virginia Tech 2202 Kraft Drive Blacksburg, VA 24061 T 540.239.9334 Laurian.vega@gmail.com http://www.laurianvega.com
Usable Security Childcare Information Proposal

Introduction
President Obama has recently called for a complete revamping of the medical system. Within that call to action, there
has been a push to make medical records not only electronic, but usable. However, medical records are a type of
information that is primarily stored in paper form. Securing a piece of paper, one would think, is as simple as locking it in
a filing cabinet. Additionally, determining who has access or had access to the medical information is relatively
conventional given that paper can only be handed from person-to-person. What happens, though, when medical records
become not only electronic but stored online[1]? How many people can access those files? How do you figure out who
has access to the files? Who owns the medical record? The patient, the doctor? And, who does the patient trust with their
records? Should a doctor be able to see all of a patient’s records? The grand scope of this research attempts to answer
some of those questions.

In this proposal I have scaled down our project to a small pilot study. We are proposing an area of study that is not life
critical – such as the emergency room, but one that contains medical-like sensitive information. I would like to study how
information is secured and accessed in local childcares. Childcares have many different kinds of people (childcare
workers, auditors, owners, parents – to name a few) and contain information that should not be shared with others. A
study of current practices showing all of the different methods of information access and types of people who share
information would provide insight into how to design information security measures for the personal health record domain
where there are similar stakeholders. Some of the questions we are asking:

• what kinds of information are stored?

• what are the kinds of information different people have access to?

• how is that information accessed?

• what are the current security measures taken?; and,

• what is the kind of audit trail left after someone accesses a piece of critical information?

From this study I anticipate knowing a lot more about how critical information is accessed and secured in real life
situations.


Research to Date
At this point I have finished one half of a two part study that has been approved by the IRB; the IRB approval number is
09-515. In July an REU student and I interviewed twelve childcare directors in the NRV area. From this study we were
able to derive the official policy on how information about the children and their families is stored, secured, accessed, and
located. Now that we know what is the official policy, we would like to further explore what is the actual practice of
information security by interviewing the parents of children in childcares.

While in the childcares we asked if a flyer could be hung to encourage parents to participate in the second half of this
study. From those flyers we have received a call from one parent participant. We have not received more phone calls.
This has shown that our current recruitment methods are not as successful as we had hoped. In talking with Dr. Tatar
about craftier recruitment methods, she believes that a monetary incentive along with fuller coverage in places where
parents are located would greatly improve the chances of voluntary participation.

Plan of Action & Recruitment Methods


Once this budget has been approved I will resubmit IRB with the financial information. I will then put up flyers in coffee
shops, campus buildings, and other Blacksburg and Christiansburg shops while accessing my social network.
Additionally, I will post announcements on listserves like the graduate student listserve and the working mother listserve.

Interviews will be set up for September through November with transcripts being done within a week. The participant will
be paid after the interview has been conducted. A final report of all the interviews will be completed by the end of the
semester.

Procedure
The participants will contact me by phone to indicate that they would like to participate. A meeting will be set up to
take place at the person's work or home location at a time of their choice.

Upon arrival at the meeting an informed consent will be given, explained, and signed. The participant will then be
instructed that the interview will be audio recorded and that at any time they can choose to not participate. The audio
recording will then be started. They will be asked questions from the interview protocol that has been attached. We
expect the study to last no longer than 30-45 minutes. Copies of pertinent artifacts may be collected. After the interview
is over the participant will be thanked for his/her time and we will leave.

(1) An audio recording from an MP3 recorder will be made, from which transcriptions will be made. (2) Copies of forms will
be collected and associated with a participant's ID number (which will be assigned to the participant after agreeing to
participate in the study). (3) A digital picture may be taken of pertinent artifacts. All of these materials will be digitized and
the originals will be shredded. All original digital documents will be stored on Laurian Vega's personal machine that will be
password protected.


Budget
I am applying for $200.00 to interview twenty people in the fall semester 2009. Each participant would be paid $10.00 for
30 minutes of time.

References
Kaelber, D.C., et al., A Research Agenda for Personal Health Records (PHRs). J Am Med Inform Assoc, 2008: p.
M2547-M2547.

Appendix
Interview Protocol & Questions: Field Study of In-use Information Security and Interfaces within Childcare Facilities
Parents
Section 1: Demographic and Background Information
Goal: To collect background information about the parent and their child or children.
Name: ________________________________________________________________
Gender: M/F
Number of children in a childcare program: _____
Age(s) of child(ren): ____________________________
Childcare Facility in which your children are enrolled: _____________________
How long has/have your child/children been enrolled in a childcare program: ________
How long has/have your child/children been enrolled in the current childcare program: _____________

Section 2: Information Security


Goal: To look at how information is shared between the childcare providers and the parents that are enrolling their
children into such programs.
• In order to enroll your child/children into childcare, what kind of information did you have to provide about yourself?
• What kind of information did you have to provide about your child/children? Forms? Immunizations?
• Maybe: Was there any particular information that you had to provide to the childcare facility that you felt was
unnecessary or sensitive? How was this information handled? Any differently?
• What kind of information does the childcare facility provide to you about your child/children? (ex: daily reports, webcam
feeds, etc) Daily? Weekly? Yearly?
• Is there any sort of information that you might have gathered about other children that are enrolled in your child’s/
children’s program (e.g. illnesses/conditions, behaviors )?
• Are you aware of who can access your child’s information? Who do you think can access your child’s information?
• Do you know that centers keep your files forever?
• Who do you think is the owner of the information in your child’s file?
• If you aren’t comfortable with any policies do you feel you would be able to bring it up and have it be changed?
• How much do you trust your childcare with your child’s information?

• What reassurances have you been given that the information about your child has been protected? Do you know who
has access to information about your child?
• Maybe (intrusive): Has there ever been an incident between your child and another at the childcare (e.g. physical
altercations)?
• If so, what kind of information was given to you about the incident (e.g. name of the other child, what exactly happened
between the two children, etc)?
