Usable Security in Practice: Collaborative Management of Electronic & Physical Personal Information - Presentation


Slide 1
Usable Security in Practice: Collaborative Management of Electronic & Physical Personal Information
Laurian C. Vega
Virginia Tech

Sunday, October 17, 2010 1


Slide 2
Computer Science & Security

In the ACM Portal there are 33,619 references with the word “Security” in the title or abstract.

While I’m not here to summarize decades of work, I am here to talk about one aspect of security that hasn’t been covered at all until recently. Security literature, when not proposing a deceptive new algorithm, has been known to put forth the position that humans are the weak link in the security chain. Recent work has pushed back on that notion: it isn’t that people aren’t secure, it is that software that isn’t usable is the problem. The issue is that passwords are too complex, and that security systems are not modeled after user mental models.

You can read more about this issue in this foundational work, called “Users are not the...”

My work is an important extension beyond the work of usable security. In my work I look past single individuals looking at computers and instead look at how communities manage security and privacy in the work setting.
Adams, A. and M.A. Sasse, Users Are Not the Enemy, in Communications of the ACM, 1999, pp. 40-46.
Slide 3
Medical Informatics & Adoption of Electronic Records

Similar to the rise of studying how to make technology more usable, there has been an increasing push to use electronic records. This push, while not limited to it, is especially prevalent in the medical industry, where doctors are carrying tablets and iPhones, and nurses and office staff are working with electronic medical records.

When considering electronic records, though, there can be a focus on looking at issues that affect adoption, instead of on how the issues related to their use can affect the work that people are doing. To see these issues we have to go beyond asking questions such as adoption rates, or how usable these systems are, or what workflows people follow, and instead understand how technologies that are embedded into people’s environments are tools that embody values. It is in understanding the work that people do that we can then design technologies that support them.

You can learn more about this issue in the work of Berner, Detmer, and Simborg, “Will the Wave Finally Break?”

These two motivations are what drive my work to understand communities that are allegedly transitioning from paper to electronic records, and, specifically, how these issues are affecting the security of sensitive personal information. To do this I study two locations where these issues are embodied.
Berner, E.S., D.E. Detmer & D. Simborg, Will the Wave Finally Break? A Brief View of the Adoption of Electronic Medical Records in the United States. J Am Med Inform Assoc, 2005. 12(1): pp. 3-7.
Slide 4
Childcare Centers

The first location I study is childcare centers, where one in three children in America spend their day. These places need to balance the daily care of the child with maintaining and using the private information of child and parent.
Slide 5
Physician’s Offices

And I study physician’s offices. 99% of Americans see a doctor between three and four times a year, with 1.5 million physicians in the United States alone.
Slide 6
Research Question
How do socio-technical systems that use sensitive personal information manage work-practice breakdowns surrounding the implicit and explicit rules of process?
• What are the implicit and explicit rules surrounding how medical practices and childcares handle sensitive personal information?
• What breakdowns happen when the explicit and implicit rules are not followed?
• How are breakdowns accounted for, negotiated, and managed in socio-technical systems where sensitive personal information exists?


Slide 7
Method
Location: Southwest Virginia
• Rural
IRB Approved
51 Interviewed Participants:
• 13 Childcare Directors
• 18 Medical Directors
• 21 Parents
121 hours of observations
• 4 Childcares & 4 Physician’s offices
• Notes, collected artifacts, pictures

Cover methods of protecting participant identity


Slide 8
Method
• Studying the world of the participants as an active observer
• The research findings are dependent on the interpretations of the researcher; the researcher is the instrument
• Research questions are open, and adaptive upon deeper understanding of the research context
• Data is captured in notes & rich descriptions, transcriptions, artifacts, memos of interpretation, audio recordings, etc.
• Data collection is never complete

The questions I am asking need to derive the motivations behind why certain information is private, why certain policies were created, and why certain policies are not working. These are questions that cannot be answered quantitatively.

To analyze the data we used a phenomenological approach of identifying and understanding the themes that impacted the issues of security and privacy. Phenomenology can be used as a method of trying to understand the subjective experience of people within their particular context. It has been used to understand topics of awareness [11], and in the more classical philosophical works of Heidegger [22] and Schutz [31]. The goal of phenomenology is to describe the experiences and reality of a group of people. This method is appropriate for our work because of the focus on the lived experience of security and privacy. It was selected over discourse analysis and grounded theory because those methods focus on language and process, which was not the goal of our study. Data was analyzed by creating a set of themes, clustering the data into sets of meanings, establishing agreement between the researchers, and then examining the resulting body of data related to the themes.
Slide 9
Dissertation Outcomes
Initial steps in focusing on communities of security
A set of scenarios depicting abstracted breakdowns and technology implications
A list of derived implicit and explicit rules surrounding the management of sensitive

I’m now going to talk about two norms that are relevant for security that the analysis of
participant interviews helped elicit.
Slide 10
Security & Interruptions
Childcares and Physician’s Offices have valuable security practices
• Childcare directors are within proximal distance to files
• Placing papers with extra sensitive information in the back of the file
• Physical files afford being closed, or hidden
• Information can be shredded, labeled, handed to only specific people


Slide 11
Security & Interruptions
But... these places are intrinsically messy
• 41% of the time when someone is interrupted, they do not return to their task (O’Conaill & Frohlich 1995)
• Directors have to create on-the-fly policies and practices to manage privacy in these messy spaces

<first point>
unannounced inspection
canceled sessions - teachers out sick, director’s child was sick, daughter to hospital
drive school van
went to front desk to assist with busy times
rocking sick children to sleep
acting as cook
---
delivering subpoena
missing patient files - seen in every location
a new patient coming to the window
an insurance company calling to ask for a copy of a patient’s file

----
Understanding the tension between managing security on the fly and managing the messiness of the work in this setting reflects a deep need to evaluate where the zones of ambiguity exist in the design space for security and privacy. By allowing for ambiguity about how to respond to a particular new stimulus or problem, the childcare is capable of negotiating a new policy that allows it to navigate to new or bendable appropriate solutions. Recognizing these, and then understanding how to design for them, is an emerging area for us to consider.
Slide 12
Information Redundancy
Information in multiple forms: electronic, billing, health
Reasons:
• To serve a community purpose
• To protect information from being lost
• To use appropriate information based on contextual needs

“The problem is, and someone wouldn’t think about why it’s so important, but it’s like the Virginia Tech massacre we had 3 patients who we had to identify the bodies.”

(1) Files from 1930s - 3rd generation inherited files


Slide 13
Information Redundancy
Information in multiple forms: electronic, billing, health
Reasons:
• To serve a community purpose
• To protect information from being lost
• To use appropriate information

“…we actually have a series of backups. We have a local tape backup and we have an off site backup which actually backs up over the internet at my house at night... And then at my home we actually have two hard drives and my wife goes to the safety deposit box and swaps them out regularly. So if somebody’s mad enough to burn this office down and my home down, we’ll still have a record in a safe deposit box.”

Tension between keeping information safe and information accessible.


Slide 14
Information Redundancy
Information in multiple forms: electronic, billing, health
Reasons:
• To serve a community purpose
• To protect information from being lost
• To use appropriate information

“We have an electronic medical record here – so it’s all eventually entered in. The information is taken down by a nurse interviewer preoperatively on a pre-op visit.... And then eventually that all gets put into the electronic medical record... but of course we transfer a lot of that information onto the anesthesia record which is entered in real time into the electronic medical record”
Slide 15
Thank you
Laurian Vega
Department of Computer Science, Virginia Tech

A special thanks to my committee: Steve Harrison, Deborah Tatar, Enid Montague, Dennis Kafura, and Scott McCrickard; and Tom DeHart, Laura Agnich, Edgardo Vega, Zalia Shams, Monika Akbar, Stacy Branham, & Aubrey Baker, who helped run, code, and analyze the data.


Slide 16
Photo Attribution
Slide 1
http://weblogs.jomc.unc.edu/ihc/wp-content/uploads/2010/04/electronic_medical_records.jpg
SILK Information Systems: http://www.flickr.com/photos/36734051@N04/3385146885/
http://www.corbisimages.com/Images/spacer.gif
Slide 2
formalfallacy @ Dublin: http://www.flickr.com/photos/formalfallacy/2057169454/
Slide 11
.penny: http://www.flickr.com/photos/44124468595@N01/14370954/
Slide 17
Simon Lieschke: http://www.flickr.com/photos/slieschke/226873460/


Slide 17
Documenting Breakdowns & Activity Theory
[Activity system diagram: Tool; Subject; Object; Transformation Process; Outcome; Rules; Community; Division of Labor]
What wasn’t selected: Value-Centered Design, Design Tensions, Communities of Practice, DCog, Common Information Spaces, and Macroergonomics
Marx and Engels, but is highly influenced by Vygotsky (Roth et al. 2007), Leont’ev (Leont’ev 1981 (Russian original 1947)), and Luria.
1. Activity is the central part - focus on the context of the activity instead of surrounding the actions/operations
2. Activities are dynamic and have different scales; activities have history - e.g., a form
3. Artifacts serve as mediators; have limitations; limitations may be particular to the objective of the activity
4. Activity structure - explain parts of diagram
Slide 18
Sensitive Information Rich Places
Aspects:
• Managing other’s information
• Information in multiple places
• Numerous people accessing
• Information in different forms
• Managing security & privacy is secondary

Both childcares and physician’s offices are sensitive information rich places. What do I mean by that? I mean that they have the following characteristics. [Read characteristics] By studying both childcares and physician’s offices I will be able to better generalize about how privacy and security are managed in this space.

Also considered for study were employee records, criminal records, and others that have been set aside for future work.
