LCV Dissertation Proposal Presentation


Security in Practice: Examining the Collaborative Management of Personal Sensitive Information in Childcares and Medical Centers

Laurian C. Vega

March 8th, 2010

Monday, March 8, 2010


What is Security

✤ Computer Security = Rules, Passwords, Policies
✤ Social Security = Social Norms (e.g., Privacy & Trust), Social Behavior (e.g., whispering)
✤ Security Practice = the use and negotiation between social and technical security to manage the day-to-day practice of fulfilling security needs
Outline

✤ What is Usable Security?
✤ What are the social norms that impact security practice?
✤ Research Questions
✤ Description of guiding framework: Activity Theory
✤ Sensitive Information Rich Places: Childcares & Medical Centers
✤ Pilot Study Work & Findings
✤ Proposed Work
Usable Security

✤ Traditional security: encodable & enforceable rules
✤ Usable Security recognized that the social side of security has been ignored
✤ Whitten & Tygar: “Why Johnny Can’t Encrypt” - security breaches because of the interface
✤ Adams & Sasse: “Users are not the enemy” - security is infringing on work practice

“users perceive their {insecure} behavior to be caused by a mechanism design to increase security.”
Social Side of Security

✤ Flechais, Riegelsberger, & Sasse: “Divide and Conquer: The Role of Trust and Assurance in the Design of Secure Socio-Technical Systems”
✤ Humans: flexible, have intuition, and evolve
✤ Technology: rigid & not adaptable
✤ Adams & Blandford: “Organizational communication and awareness: a novel solution for health informatics”
✤ Security is designed for the individual, and not for the community

“a computer is secure if you can depend on it and its software to behave as you expect… Dependability is therefore determined by the degree to which this socio-technical system behaves in a way it’s expected to.”
Guiding Argument: Joint Optimization

[Diagram, built up over several slides: Sensitive Personal Information at the center, managed jointly by Social Mechanisms and Technical Mechanisms]
Social Norms Impacting Security: Privacy & Trust
Trust

✤ Many decades of research in relevant areas
✤ Encompasses the idea of a person or group behaving as if, or believing, another person, group, or artifact to be trustworthy
✤ Personnel trusting each other, the institution, their clients, and third parties to work effectively
✤ Economic model of trust (Handy 1995, Flechais 2005)
Models of Privacy

✤ Private v. Public space (Harper 1992)
✤ Boundaries of Private Identity (Buylund 2008; Palen & Dourish, 2003): Genres of disclosure
✤ Cultures of Secrecy (Dourish & Anderson)
✤ Economic Exchange Model (Dourish & Anderson)

“Privacy is not simply a way that information is managed but how social relations are managed”
Privacy & Contextual Integrity

✤ Nissenbaum: Contextual Integrity
✤ ‘Sensitive’ & ‘Confidential’ = information that needs to be private
✤ Privacy Principles:
  ✤ Protect against government intrusion
  ✤ Determining the spectrum of sensitive, intimate, and confidential
  ✤ Determining spaces and boundaries for privacy
✤ Failure to account for appropriateness, distribution, information flow, and change

“Privacy is not simply a way that information is managed but how social relations are managed”
Research Question

✤ How do socio-technical systems that use sensitive personal information manage work-practice breakdowns surrounding the implicit and explicit rules of process?
  ✤ What are the implicit and explicit rules surrounding how medical practices and childcares handle sensitive personal information?
  ✤ What breakdowns happen when the explicit and implicit rules are not followed?
  ✤ How are breakdowns accounted for, negotiated, and managed in socio-technical systems where sensitive personal information exists?
Activity Theory

✤ Relationship between consciousness and activity
✤ Focus on artifacts mediating the interplay of subject and object to create the emergent outcome
✤ Activity = central unit of analysis
✤ Emphasis on context and cultural/historical background of the context + artifacts

[Diagram: Subject and Object mediated by a Tool; the Object passes through a Transformation Process to produce the Outcome]
Activity Theory: Engeström

[Diagram: Engeström’s activity system. Tool at the top mediating Subject and Object; the Object passes through a Transformation Process to the Outcome; Rules, Community, and Division of Labor form the base of the triangle]
Activity Theory: Zone of Proximal Development

✤ External and Internal states
  ✤ External: artifacts
  ✤ Internal: concepts, heuristics
✤ Internalization occurs through the Zone of Proximal Development
✤ Internalization of social norms for security for later externalization through activities
Activity Theory: Breakdowns

✤ Perturbations in the activity system indicate a need for growth & change
✤ Perturbations are caused by conflicts in activity levels, parts of the activity system, or between the objectives of two activities
✤ Phases of change: coordination - no change; cooperation - minor disruptions in the system; co-construction - breakdowns occur resulting in the system realigning

“Co-construction necessarily involves intensive learning as new practices are being devised, which itself requires learning, and the new practices are intended to be learned by others” - Nardi
Information Rich Places

✤ Aspects:
  ✤ Managing others’ information
  ✤ Information in multiple places
  ✤ Numerous people accessing
  ✤ Information in different forms
Childcares

✤ 36% of children under age 6 in the United States participate in childcare
✤ State-licensed - annually and many times during start-up; set of licensing regulations
✤ House anywhere from 1 - 250 children (limits usually on younger children)
✤ Open ~7AM, Close ~6PM

Statistic provided by: (2005) Percentage of Children Ages 0-6, Not Yet in Kindergarten by Type of Care Arrangement and Child and Family Characteristics, 1995, 2001, and 2005. ChildStats.gov
Childcare Information & People

Information: Computer, Report, File, Portion of File
People: Director, Owner, Licensor, Mother, Father, Child, Bus Driver, Head Teacher, Teacher
Locations: Bus, Director’s Office, Classroom
Childcare Layout & Space

Childcares have a particular layout to facilitate daily routines and safety practices

[Photo caption: Front desk of a childcare center. There is a monitor and picture frame in the corner. Additional desk and 1-way mirror from Director’s Office in the back.]
Small & Independent Medical Practices

✤ (almost) All Americans go through the US Healthcare System.
✤ In 2005 there were 1,169 million visits to physicians’ offices & outpatient care at hospitals
✤ 3.94 visits per person
✤ State & Nationally regulated & licensed

Statistic provided by: Cutler, D.M. (2008) The American Healthcare System. Medical Solutions,
HIPAA

✤ Effective in 1996
✤ Outlines (somewhat ambiguously) US National regulations in regards to privacy and security of patients’ ‘information’

“The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.”
Medical Practice Information & People

Information: Computer, File, Portion of File, Temporary File
People: Director, Owner/Doctor, Patient, Patient’s Family, Nurse, 3rd Parties, Insurance
Locations: Patient’s Rooms, Director’s Office, Doctor’s Office
Comparing & Contrasting: Medical Practices vs. Childcare Centers

File Storage
  Medical Practices: Large wall-spanning file cabinets
  Childcare Centers: Usually only one set (3-4) of filing cabinets

File Forms
  Medical Practices: Electronic billing patient file; physical file of medical history; electronic copy of information in physical file
  Childcare Centers: Physical file in director’s office; sub-file in teacher room; electronic copy of information in physical file; possible additional over-flow file

New Customer
  Medical Practices: Daily/Weekly
  Childcare Centers: Monthly, large enrollment in August and May

Daily Participation
  Medical Practices: Different patients daily
  Childcare Centers: Same children daily

Communication Methods
  Medical Practices: Email, inter-office memos, documenting in files, face-to-face, staff meetings, phone
  Childcare Centers: Email, inter-office memos, documenting in files, face-to-face, texting, staff meetings, phone, facebook, back-pack mail

Age of Files
  Medical Practices: Indefinite
  Childcare Centers: Indefinite

Policing Privacy Agency
  Medical Practices: U.S. Department of Health & Human Services through HIPAA
  Childcare Centers: Virginia’s Department of Social Services through bi-annual licensing; additional accreditation through NYCEA, and hosting institution such as Virginia Tech

Method of Conveying Explicit Policies
  Medical Practices: Signed forms provided when first enrolling or at start of visit
  Childcare Centers: Ambient information, policy handbook, forms sent back-pack mail to be returned, enrollment forms

File Travel
  Medical Practices: Travels with patient
  Childcare Centers: Central file stays in one location
Qualitative Methods

✤ Studying the world of the participants as an active observer
✤ The research findings are dependent on the interpretations of the researcher; the researcher is the instrument
✤ Research questions are open, and adapt upon deeper understanding of the research context
✤ Data is captured in notes & rich descriptions, transcriptions, artifacts, memos of interpretation, audio recordings, etc.
✤ Data collection is never complete
Grounded Theory

Data collection stages:
1. Summer Interviews of Childcare and Medical Practice Directors
2. Fall Observations and Follow-up Interviews
3. Fall Interviews of Parents
4. Proposed Observations Seeking Specific New Data

Analysis process (figure): Research Problem and Opening Research Questions → Initial Coding & Data Collection → Focused Coding → Advanced Coding & Further Theoretical Sampling if Needed → Memo Writing/Codes/Tentative Categories → Sorting Memos & Adopting Certain Categories as Theoretical Concepts → Writing First Draft

Adapted from: Charmaz, K., Constructing Grounded Theory: A Practical Guide through Qualitative Analysis. 2006: Sage Publications Ltd.
Pilot Studies

✤ All participants from New River Valley, Virginia
✤ IRB Approved
✤ 46 Interviewed Participants: Childcare & Medical Directors, Parents
✤ Interviews = 45 min, audio recorded, transcribed, coded by 2-3 researchers
✤ 14 Childcare Observations
✤ Observations 2-3 hours, notes, collected artifacts, coded by 2 researchers
1: Human-Mediated Access Management

✤ Ownership
✤ Place-based Norms
✤ Role-based Norms
Ownership

✤ Center <-----> Client; shifting ideas
✤ Files are stored in center
✤ How much will they copy? What is the process of copying?
✤ Reasons for not providing copies:
  ✤ Client wouldn’t understand information
  ✤ Kept information they wouldn’t want the client to see

“the information in a file belongs to a patient, but the file itself belongs to the doctor… So people think when they get an X-ray they’ve bought an X-ray but no, the information on the X-ray belongs to the patient but the actual film itself belongs to the doctor.”
Place-Based Norms

✤ How information is situated in the environment represents social norms of access & management
✤ Official policies that impact where it is acceptable to share information
✤ Physical layout of the director’s office

“HIPAA as I understand it was developed to protect information that is sent over the internet… Now HIPAA in my opinion, and I don’t mind if this is recorded, I think it’s a stupid thing… I wouldn’t go out in the waiting room and say, you know, ‘hey Ms. Jones your syphilis test is negative,’ so to me it’s an ethical thing and not a legal issue… now my understanding of HIPAA interpretations, you’re not even allowed to say the patient’s name in the office. But what a load of crap, all that. If I got an 80 year old lady, she wants a hug. I’m not gonna ignore her, you know, ‘205, you’re up!’ That’s just, that’s a little ridiculous.”
Role-Based Norms

✤ The role of the director was found to mediate the information seeker’s goal in a way that is flexible, negotiated, and determined in a case-by-case fashion to best balance the need for information for work with the need to keep information private.
✤ Authority
✤ Auditing others’ work
✤ Limiting information sharing

“If I want my kids’ middle names, are they gonna be in here or in the file?” <points to black box> … The teacher then says, in a much softer voice, “can I dig?”
Information Duplication

✤ Information Redundancy
✤ Information On-hand
Information Redundancy

✤ Information in multiple forms: electronic, billing, health
✤ Reasons:
  ✤ To serve a community purpose
  ✤ To protect information from being lost
  ✤ To use appropriate information based on contextual needs

“The problem is, and someone wouldn’t think about why it’s so important, but it’s like the Virginia Tech massacre we had 3 patients who we had to identify the bodies.”

“…we actually have a series of backups. We have a local tape backup and we have an off site backup which actually backs up over the internet at my house at night... And then at my home we actually have two hard drives and my wife goes to the safety deposit box and swaps them out regularly. So if somebody’s mad enough to burn this office down and my home down, we’ll still have a record in a safe deposit box.”

“We have an electronic medical record here – so it’s all eventually entered in. The information is taken down by a nurse interviewer preoperatively on a pre-op visit.... And then eventually that all gets put into the electronic medical record... but of course we transfer a lot of that information onto the anesthesia record which is entered in real time into the electronic medical record”
Information On-hand

✤ Planning is instantiated through multiple copies of information for different purposes
✤ Reasons
  ✤ Need it for work
  ✤ Just in case (i.e., emergencies)
  ✤ Files being too large

“… things have to be kept confidential and locked, per se, but the staff still need to be able to have access to it even if {the director is} not here ... So, sometimes they will produce their own emergency contact form for their classroom… and that way {the manila folder} can remain locked but people still have access to the information needed”
Community of Trust

✤ Trust decreases expenditures for security, and increases feelings of shared responsibility
✤ Representations: colloquialisms, feelings of being part of the family, displaying child’s artwork
✤ 29% had individual passwords; door locks and keys never observed

“… teachers are bound by confidentiality, it’s in their agreement, it’s in our handbook, any violation of confidentiality is immediate grounds of termination. We try to use a lot of trust… more often than not there’s not anything that they can’t see. Um, there are cases of children that you know we’ve had suspicions of abuse or different information, but we kinda want at the same time for {the staff} to be privy.”
Proposed Studies

✤ 2 month long observations; approximately 80 hours per location:
  ✤ 1 childcare
  ✤ 1 medical practice
✤ Role: Active-participant; semi-volunteer
✤ Goal: Observe the use of explicit and implicit policies & the breakdowns surrounding them
✤ Collect: Daily audio recordings, observation notes, pictures, representative artifacts
Product of Study

✤ Set of problem & near-future scenarios that have been abstracted from observation and pilot studies
✤ Goal: comprehensive list of observed breakdowns --> abstracted to types of breakdowns
✤ Problem Scenarios - will depict problems with the current situation in relation to security
✤ Near-Future Scenarios - will depict the positive and negative consequences of implementing solutions to problem scenarios
Conceptual Framework

✤ Scenarios created to represent different aspects of the conceptual framework created by Dr. Kafura & Usable Security Team
✤ Depicts aspects of the Design Space
Sample Problem Scenario

✤ Bus driver’s list of children with contact information is inaccurate; missing child
✤ Reasons for breakdown:
  ✤ Problems with division of labor - dueling objectives
  ✤ Lack of policy over updating information
  ✤ Dueling objectives for security & information on-hand
Sample Near-Future Scenario

✤ Solution - allow mother to update her own information; information available through interactive password protected onboard database
✤ Important aspects:
  ✤ Bus system can only access certain information
  ✤ Division of Labor more distinguished for driver/director
  ✤ New policy for accessing information in the moment
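The near-future scenario proposes a technical mechanism alongside the social one: the bus system sees only what the driver needs, the mother maintains her own contact details, and the director keeps the full file. The Python sketch below is an added illustration of that division of labor; it is not part of the presentation and not a system built by the research team. Every record, name, role label and field name is a constructed placeholder. Each role is granted a fixed set of fields, a guardian can read and update only their own child’s record, and every access (granted or refused) is written to an audit trail so the director can review it later, which matches the “auditing others’ work” norm seen in the pilot data.

```python
"""Role-scoped views of a childcare bus roster with an audit trail.

Added illustration: records, roles and field names are constructed
placeholders, not data from the study.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample roster: one record per child, keyed by child id.
ROSTER: Dict[str, Dict[str, str]] = {
    "child-01": {
        "child_name": "Child One",
        "guardian_name": "Guardian One",
        "guardian_id": "parent-01",
        "contact_phone": "555-0101",
        "stop": "Stop 3",
        "medical_notes": "nut allergy",
        "custody_notes": "court order on file",
    },
    "child-02": {
        "child_name": "Child Two",
        "guardian_name": "Guardian Two",
        "guardian_id": "parent-02",
        "contact_phone": "555-0102",
        "stop": "Stop 7",
        "medical_notes": "",
        "custody_notes": "",
    },
}

# Fields each role may read. The driver gets only what is needed on the
# bus; the director sees the whole file; a guardian sees their own child's
# record (the "own child" rule is enforced in view_record).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "driver": {"child_name", "guardian_name", "contact_phone", "stop"},
    "director": {"child_name", "guardian_name", "guardian_id", "contact_phone",
                 "stop", "medical_notes", "custody_notes"},
    "parent": {"child_name", "guardian_name", "contact_phone", "stop", "medical_notes"},
}

# Fields a guardian may change on their own child's record.
PARENT_WRITABLE: Set[str] = {"contact_phone"}


@dataclass
class AuditEntry:
    actor: str
    role: str
    action: str
    child_id: str
    ok: bool


@dataclass
class Roster:
    # Copy the constructed roster so updates never touch the module constant.
    records: Dict[str, Dict[str, str]] = field(
        default_factory=lambda: {k: dict(v) for k, v in ROSTER.items()})
    audit: List[AuditEntry] = field(default_factory=list)

    def _log(self, actor: str, role: str, action: str, child_id: str, ok: bool) -> bool:
        self.audit.append(AuditEntry(actor, role, action, child_id, ok))
        return ok

    def view_record(self, actor: str, role: str, child_id: str) -> Dict[str, str]:
        """Return the subset of a record this role may see, or {} if refused."""
        record = self.records.get(child_id)
        allowed = ROLE_FIELDS.get(role)
        if record is None or allowed is None:
            self._log(actor, role, "view", child_id, False)
            return {}
        # A guardian may open only their own child's record.
        if role == "parent" and record["guardian_id"] != actor:
            self._log(actor, role, "view", child_id, False)
            return {}
        self._log(actor, role, "view", child_id, True)
        return {k: v for k, v in record.items() if k in allowed}

    def update_contact(self, actor: str, child_id: str, field_name: str, value: str) -> bool:
        """Let a guardian change a writable field on their own child's record."""
        record = self.records.get(child_id)
        ok = (record is not None
              and record["guardian_id"] == actor
              and field_name in PARENT_WRITABLE)
        if ok:
            record[field_name] = value
        return self._log(actor, "parent", "update:" + field_name, child_id, ok)

    def denied_attempts(self) -> List[AuditEntry]:
        """What the director would review: every refused access."""
        return [e for e in self.audit if not e.ok]


if __name__ == "__main__":
    r = Roster()
    print(r.view_record("driver-01", "driver", "child-01"))      # no medical/custody fields
    print(r.update_contact("parent-01", "child-01", "contact_phone", "555-0199"))
    print(r.view_record("parent-02", "parent", "child-01"))      # refused -> {}
    print(len(r.denied_attempts()))
```

The driver’s view and the guardian’s self-service update are enforced by data, not by the director answering each request in the moment, while the audit list keeps the director’s oversight role intact.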
Timeline

✤ Observations:
  ✤ One observation prior to summer
  ✤ One observation in August-September
✤ Data Aggregation & Analysis: Summer + Fall
✤ Writing: November-April
✤ Research Defense: January
✤ Final Defense: April
Thank you

A special thanks to Tom DeHart, Laura Agnich, Edgardo Vega, Zalia Shams, Monika Akbar, Stacy Branham who helped run, code, and analyze the data.

Another thanks to Dr. Francis Quek & Dr. Denis Gracanin from the Usable Security team for their feedback.
Activity Theory: Levels

Activity <-----> Motive
Action <-----> Goal
Operation <-----> Condition
Contextual Integrity

✤ Appropriateness: What information is appropriate to reveal in particular contexts
✤ Distribution: the movement or transfer of information in particular contexts
✤ Change & Information Flow: change in norms that guide information use
Conceptual Framework

✤ Behavior framing: mediating behaviors through the ‘place’ - regulating privacy boundaries
✤ Boundary Regulation: the place where privacy norms regulate behavior
✤ Trust negotiation: negotiation between two parties with different privacy policies
