Usable Security in Practice: Collaborative Management of Electronic & Physical Personal Information

Laurian C. Vega, Virginia Tech

Sunday, October 17, 2010

1

Computer Science & Security
Adams, A. and M.A. Sasse, Users Are Not the Enemy, in Communications of the ACM. 1999. p. 40-46.

2

In the ACM Portal there are 33,619 references with the word “Security” in the title or abstract. While I’m not here to summarize decades of work, I am here to talk about one aspect of security that hasn’t been covered at all until recently. Security literature, when not proposing a deceptive new algorithm, has been known to put forth the position that humans are the weak link in the security chain. Well, recent work has pushed back on that notion: it isn’t that people aren’t secure, it is that the software isn’t usable, and that is the problem. The issue is that passwords are too complex, and that security systems are not modeled after users’ mental models. You can read more about this in the foundational work called “Users Are Not the Enemy.” My work is an important extension beyond the work of usable security. In my work I look past single individuals interacting with computers and instead look at how communities manage security and privacy in the work setting.

Medical Informatics & Adoption of Electronic Records
Berner, E.S., D.E. Detmer & D. Simborg, Will the Wave Finally Break? A Brief View of the Adoption of Electronic Medical Records in the United States. J Am Med Inform Assoc, 2005. 12(1): p. 3-7.

3

Similar to the rise in studying how to make technology more usable, there has been an increasing push to use electronic records. This push, while not limited to it, is ever more prevalent in the medical industry, where doctors are carrying tablets and iPhones, and nurses and office staff are working with electronic medical records. When considering electronic records, though, there can be a focus on the issues that affect adoption, instead of on how the issues related to their use affect the work that people are doing. To see these issues we have to go beyond asking questions such as what the adoption rates are, how usable these systems are, or what workflows people follow, and instead understand how technologies embedded in people’s environments are tools that embody values. It is in understanding the work that people do that we can then design technologies that support them. You can learn more about this issue in the work of Berner, Detmer, and Simborg, “Will the Wave Finally Break?” These two motivations are what drive my work to understand communities that are allegedly transitioning from paper to electronic records, and, specifically, how these issues are affecting the security of sensitive personal information. To do this I study two locations where these issues are embodied.

Childcare Centers

4

The first location I study is childcare centers, where one in three children in America spend their day. These places need to balance the daily care of the child with maintaining and using the private information of child and parent.

Physician’s Offices

5

And I study physician’s offices. 99% of Americans see a doctor between three and four times a year, with 1.5 million physicians in the United States alone.

Research Question
How do socio-technical systems that use sensitive personal information manage work-practice breakdowns surrounding the implicit and explicit rules of process?

•What are the implicit and explicit rules surrounding how medical practices and childcares handle sensitive personal information?

•What breakdowns happen when the explicit and implicit rules are not followed?

•How are breakdowns accounted for, negotiated, and managed in sociotechnical systems where sensitive personal information exists?

6

Method
Location: Southwest Virginia

•Rural

•IRB approved

51 interviewed participants:

•13 Childcare Directors

•18 Medical Directors

•21 Parents

121 hours of observations:

•4 Childcares & 4 Physician’s Offices

•Notes, collected artifacts, pictures

7

Cover methods of protecting participant identity

Method
•Studying the world of the participants as an active observer

•The research findings are dependent on the interpretations of the researcher; the researcher is the instrument

•Research questions are open, and adapt upon deeper understanding of the research context

•Data is captured in notes & rich descriptions, transcriptions, artifacts, memos of interpretation, audio recordings, etc.

•Data collection is never complete

8

The questions I am asking need to derive the motivations behind why certain information is private, why certain policies were created, and why certain policies are not working. These are questions that cannot be answered quantitatively. To analyze the data we used a phenomenological approach of identifying and understanding the themes that impacted the issues of security and privacy. Phenomenology can be used as a method of trying to understand the subjective experience of people within their particular context. It has been used to understand topics of awareness [11], and in the more classical philosophical works of Heidegger [22] and Schutz [31]. The goal of phenomenology is to describe the experiences and reality of a group of people. This method is appropriate for our work because of the focus on the lived experience of security and privacy. It was selected over discourse analysis and grounded theory because those methods focus on language and process, which was not the goal of our study. Data was analyzed by creating a set of themes, clustering the data into sets of meanings, establishing agreement between the researchers, and then examining the resulting body of data related to the themes.

Dissertation Outcomes
•Initial steps in focusing on communities of security

•A set of scenarios depicting abstracted breakdowns and technology implications

•A list of derived implicit and explicit rules surrounding the management of sensitive

9

I’m now going to talk about two norms that are relevant for security that the analysis of participant interviews helped elicit.

Security & Interruptions
Childcares and Physician’s Offices have valuable security practices

•Childcare directors are within proximal distance to files

•Placing papers with extra sensitive information in the back of the file

•Physical files afford being closed, or hidden

•Information can be shredded, labeled, handed to only specific people

10

Security & Interruptions
But... these places are intrinsically messy

•41% of the time when someone is interrupted, they do not return to their task (O’Conaill & Frohlich 1995)

•Directors have to create on-the-fly policies and practices to manage privacy in these messy spaces

11

<first point> Examples of breakdowns observed:

•unannounced inspection
•canceled sessions: teachers out sick, director’s child was sick, daughter taken to hospital
•driving the school van
•going to the front desk to assist during busy times
•rocking sick children to sleep
•acting as cook
•delivering a subpoena
•missing patient files (seen in every location)
•a new patient coming to the window
•an insurance company calling to ask for a copy of a patient’s file

Understanding the tension between security on-the-fly and managing the messiness of the work in this setting is what reflects a deep need to evaluate where the zones of ambiguity exist in the design space for security and privacy. By allowing for ambiguity about how to respond to a particular new stimulus or problem, the childcare is capable of negotiating a new policy that allows them to navigate to new or bendable appropriate solutions. Recognizing these, and then understanding how to design for them, is an emerging area for us to consider.

Information Redundancy
Information in multiple forms: electronic, billing, health. Reasons:

•To serve a community purpose

•To protect information from being lost

•To use appropriate information based on contextual needs

12

“The problem is, and someone wouldn’t think about why it’s so important, but it’s like the Virginia Tech massacre we had 3 patients who we had to identify the bodies.”

(1) Files from 1930s - 3rd generation inherited files

13

“…we actually have a series of backups. We have a local tape backup and we have an off site backup which actually backs up over the internet at my house at night... And then at my home we actually have two hard drives and my wife goes to the safety deposit box and swaps them out regularly. So if somebody’s mad enough to burn this office down and my home down, we’ll still have a record in a safe deposit box.”

Tension between keeping information safe and information accessible.

14

“We have an electronic medical record here – so it’s all eventually entered in. The information is taken down by a nurse interviewer preoperatively on a pre-op visit.... And then eventually that all gets put into the electronic medical record... but of course we transfer a lot of that information onto the anesthesia record which is entered in real time into the electronic medical record”

Thank you
Laurian Vega
Department of Computer Science, Virginia Tech
A special thanks to my committee: Steve Harrison, Deborah Tatar, Enid Montague, Dennis Kafura, and Scott McCrickard; and Tom DeHart, Laura Agnich, Edgardo Vega, Zalia Shams, Monika Akbar, Stacy Branham, & Aubrey Baker, who helped run, code, and analyze the data.

15

Photo Attribution
Slide 1: http://weblogs.jomc.unc.edu/ihc/wp-content/uploads/2010/04/electronic_medical_records.jpg ; SILK Information Systems: http://www.flickr.com/photos/36734051@N04/3385146885/
Slide 2: formalfallacy @ Dublin: http://www.flickr.com/photos/formalfallacy/2057169454/
Slide 11: .penny: http://www.flickr.com/photos/44124468595@N01/14370954/
Slide 17: Simon Lieschke: http://www.flickr.com/photos/slieschke/226873460/

16

Documenting Breakdowns & Activity Theory
Activity theory diagram: Tool; Subject; Object; Transformation Process; Outcome; Rules; Community; Division of Labor

17

What wasn’t selected: Value-Centered Design, Design Tensions, Communities of Practice, DCog, Common Information Spaces, and Macroergonomics.

Marx and Engels, but is highly influenced by Vygotsky (Roth et al. 2007), Leont’ev (Leont'ev 1981 (Russian original 1947)), and Luria.

1. Activity is the central part - focus on the context of the activity instead of surrounding the actions/operations
2. Activities are dynamic and have different scales; activities have history - e.g., a form
3. Artifacts serve as mediators; have limitations; limitations may be particular to the objective of the activity
4. Activity structure - explain parts of diagram

Sensitive Information Rich Places
Aspects:

•Managing others’ information

•Information in multiple places

•Numerous people accessing

•Information in different forms

•Managing security & privacy is secondary

18

Both childcares and physician’s offices are sensitive information rich places. What do I mean by that? I mean that they have the following characteristics. [Read characteristics] By studying both childcares and physician’s offices I will be able to better generalize about how privacy and security are managed in this space. Also considered for study were employee records, criminal records, and others that have been considered for future work.
