usable security in practice: collaborative management of electronic & physical personal information...

Upload: laurian-vega

Post on 10-Apr-2018


  • 8/8/2019 Usable Security in Practice: Collaborative Management of Electronic & Physical Personal Information - Presentation

    1/20

    Usable Security in Practice: Collaborative Management of Electronic & Physical Personal Information

    Laurian C. Vega

    Virginia Tech

    October 17, 2010

  • 3/20

    Computer Science & Security

    Adams, A. and M.A. Sasse, Users Are Not the Enemy, in Communications of the ACM. 1999. p. 40-46.

    In the ACM Portal there are 33,619 references with the word Security in the title or abstract.

    While I'm not here to summarize decades of work, I am here to talk about one aspect of security that hasn't been covered at all until recently. Security literature, when not proposing a deceptive new algorithm, has been known to put forth the position that humans are the weak link in the security chain. Well, recent work has pushed back on that notion. That it isn't that people aren't secure, it is that the software that isn't usable that is the problem. It is an issue that passwords are too complex, and that security systems are not modeled after users' mental models.

    You can read more about this issue in this foundational work, called Users are not the...

    My work is an important extension beyond the work of usable security. In my work I look past single individuals looking at computers and instead look at how communities manage security and privacy in the work setting.

  • 5/20

    Medical Informatics & Adoption of Electronic Records

    Berner, E.S., D.E. Detmer & D. Simborg, Will the Wave Finally Break? A Brief View of the Adoption of Electronic Medical Records in the United States. J Am Med Inform Assoc, 2005. 12(1): p. 3-7.

    Similar to the rise of studying how to make technology more usable, there has been an increase in a push to use electronic records. This push, while not limited to, is ever prevalent in the medical industry where doctors are carrying tablets, iPhones, and nurses and office staff are working with electronic medical records.

    When considering electronic records, though, there can be a focus on looking at issues that affect adoption, instead of how the issues related to their use can affect the work that people are doing. To see these issues we have to go beyond asking questions such as adoption rates, or how usable these systems are, or what are the workflows that people do, but to understand how technologies that are embedded into people's environments are tools that embody values. It is in understanding the work that people do, that we can then design technologies that support them.

    You can learn more about this issue in the work of Berner, Detmer, and Simborg, on Will the Wave Finally Break.

    These two motivations are what drive my work to understand communities that are allegedly transitioning from paper to electronic records, and, specifically, how these issues are affecting the security of sensitive personal information. To do this I study two locations where these issues are embodied.

  • 6/20

    Childcare Centers

    The first location I study is childcare centers, where one in three children in America spend their day. These places need to balance the daily care of the child with maintaining and using the private information of child and parent.

  • 7/20

    Physicians' Offices

    And I study physicians' offices. 99% of Americans see a doctor between three and four times a year, with 1.5 million physicians in the United States alone.

  • 8/20

    Research Question

    How do socio-technical systems that use sensitive personal information manage work-practice breakdowns surrounding the implicit and explicit rules of process?

    What are the implicit and explicit rules surrounding how medical practices and childcares handle sensitive personal information?

    What breakdowns happen when the explicit and implicit rules are not followed?

    How are breakdowns accounted for, negotiated, and managed in socio-technical systems where sensitive personal information exists?

  • 9/20

    Method

    Location: Southwest-Virginia

    Rural

    IRB Approved

    51 Interviewed Participants:

    13 Childcare Directors, 18 Medical Directors, 21 Parents

    121 hours of observations

    4 Childcares & 4 Physicians' offices

    Notes, collected artifacts, pictures

    Cover methods of protecting participant identity

  • 10/20

    Method

    Studying the world of the participants as an active-observer

    The research findings are dependent on the interpretations of the researcher; researcher is the instrument

    Research questions are open, and adaptive upon deeper understanding of the research context

    Data is captured in notes & rich descriptions, transcriptions, artifacts, memos of interpretation, audio recordings, etc.

    Data collection is never complete

    The questions I am asking need to derive the motivations behind why certain information is private; why certain policies were created; why certain policies are not working. These are questions that cannot be answered quantitatively.

    To analyze the data we used a phenomenological approach of identifying and understanding the themes that impacted the issues of security and privacy. Phenomenology can be used as a method of trying to understand the subjective experience of people within their particular context. It has been used to understand topics of awareness [11], and in the more classical philosophical works of Heidegger [22] and Schutz [31]. The goal of phenomenology is to describe the experiences and reality of a group of people. This method is appropriate for our work because of the focus on the lived experience of security and privacy. It was selected over discourse analysis and grounded theory because these methods can focus on language and process, which was not the goal of our study. Data was analyzed by creating a set of themes, clustering the data into sets of meanings, establishing agreement between the researchers, and then examining the resulting body of data related to the themes.

  • 11/20

    Dissertation Outcomes

    Initial steps in focusing on communities of security

    A set of scenarios depicting abstracted breakdowns and technology implications

    A list of derived explicit and explicit rules surrounding the management of sensitive

    I'm now going to talk about two norms that are relevant for security that the analysis of participant interviews helped elicit.

  • 12/20

    Security & Interruptions

    Childcares and Physicians' Offices have valuable security practices

    Childcare directors are within proximal distance to files

    Placing papers with extra sensitive information in the back of the file

    Physical files afford being closed, or hidden

    Information can be shredded, labeled, handed to only specific people

  • 13/20

    Security & Interruptions

    But... these places are intrinsically messy

    41% of the time when someone is interrupted, they do not return to their task (O'Conaill & Frohlich 1995)

    Directors have to create on-the-fly policies and practices to manage privacy in these messy spaces

    <first point>

    Unannounced inspection

    Canceled sessions - teachers out sick, director's child was sick, daughter to hospital

    Drive school van

    Went to front desk to assist with busy times

    Rocking sick children to sleep

    Acting as cook

    Delivering supeni

    assing patient files - seen in every location

    new patient coming to the window

    insurance company calling to ask for a copy of a patient's file

    Understanding the tension between security on-the-fly but managing the messiness of the work in this setting is what reflects a deep need to evaluate where the zones of ambiguity exist in the design space for security and privacy. By allowing for ambiguity about how to respond to a particular new stimulus or problem, the childcare is capable of negotiating a new policy that allows them to navigate to new or bendable appropriate solutions. Recognizing these, and then understanding how to design for them is an emerging area forto consider.

  • 14/20

    Information Redundancy

    Information in multiple forms: electronic, billing, health

    Reasons:

    To serve a community purpose

    To protect information from being lost

    To use appropriate information based on contextual needs

    "The problem is, and someone wouldn't think about why it's so important, but it's like the Virginia Tech massacre we had 3 patients who we had to identify the bodies."

    Files from 1930s - 3rd generation inherited files

  • 15/20

    Information Redundancy

    Information in multiple forms: electronic, billing, health

    Reasons:

    To serve a community purpose

    To protect information from being lost

    To use appropriate information

    "we actually have a series of backups. We have a local tape backup and we have an off site backup which actually backs up over the internet at my house at night... And then at my home we actually have two hard drives and my wife goes to the safety deposit box and swaps them out regularly. So if somebody's mad enough to burn this office down and my home down, we'll still have a record in a safe deposit box."

    Tension between keeping information safe and information accessible.

  • 16/20

    Information Redundancy

    Information in multiple forms: electronic, billing, health

    Reasons:

    To serve a community purpose

    To protect information from being lost

    To use appropriate information

    "We have an electronic medical record here so it's all eventually entered in. The information is taken down by a nurse interviewer preoperatively on a pre-op visit.... And then eventually that all gets put into the electronic medical record... but of course we transfer a lot of that information onto the anesthesia record which is entered in real time into the electronic medical record"

  • 17/20

    A special thanks to my committee: Steve Harrison, Deborah Tatar, Enid Montague, Dennis Kafura, and Scott McCrickard; and, Tom DeHart, Laura Agnich, Edgardo Vega, Zalia Shams, Monika Akbar, Stacy Branham, & Aubrey Baker who helped run, code, and analyze the data.

    Laurian Vega
    Department of Computer Science, Virginia Tech

    Thank you

  • 18/20

    Photo Attribution

    Slide 1

    http://weblogs.jomc.unc.edu/ihc/wp-content/uploads/2010/04/electronic_medical_records.jpg

    SILK Information Systems: http://www.flickr.com/photos/36734051@N04/3385146885/

    http://www.corbisimages.com/Images/spacer.gif

    Slide 2

    formalfallacy @ Dublin: http://www.flickr.com/photos/formalfallacy/2057169454/

    Slide 11

    .penny: http://www.flickr.com/photos/44124468595@N01/14370954/

    Slide 17

    Simon Lieschke: http://www.flickr.com/photos/slieschke/226873460/

  • 19/20

    Documenting Breakdowns & Activity Theory

    [Diagram: activity system with nodes Tool, Subject, Object, Rules, Community, Division of Labor; the Object leads through a Transformation Process to the Outcome]

    wasn't selected: Value-Centered Design, Design tensions, Communities of Practice, DCog, Common Information Spaces, and Macroergonomics

    and Engels, but is highly influenced by Vygotsky (Roth et al. 2007), Leont'ev (Leont'ev 1981 (Russian original 1947)), and Luria.

    Activity is the central part - focus on the context of the activity instead of surrounding the actions/operations

    Activities are dynamic and have different scale; Activities have history - e.g., a form

    Artifacts serve as mediators; have limitations; limitations may be particular to objective of activity

    Activity structure - explain parts of diagram

  • 20/20

    Sensitive Information Rich Places

    Aspects:

    Managing others' information

    Information in multiple places

    Numerous people accessing

    Information in different forms

    Managing security & privacy is secondary

    Both childcares and physicians' offices are sensitive information rich places. What do I mean by that? I mean that they have the following characteristics. [Read characteristics] By studying both childcares and physicians' offices I will be able to better generalize about how privacy and security are managed in this space.

    Also considered for study were employee records, criminal records, and others that have been considered for future work.