Usable Security in Practice: Collaborative Management of Electronic & Physical Personal Information

From Anita Borg Institute Wiki

Here is the abstract and a link to my dissertation proposal (http://bit.ly/alOn39).

Abstract

Traditionally, electronic and physical security was conceptualized as rules, locks, and passwords. More recently, security research has explored how security is part of a larger socio-technical system [16] that involves people using technologies and their environments to create safe praxis. When examining security as one part of this system, or as a supporting mechanism, issues of trust [10], privacy [6], and negotiation start to appear: trust, because interpersonal relationships are relied upon to work effectively together; privacy, because people are working with information or details that are sensitive; and, negotiation, because the rules or standards that groups are working within encounter breakdowns or instances where rules are not clearly defined [14] thus requiring changes to be mediated.

Blog Links

• Gail Carmichael: http://compscigail.blogspot.com/2010/09/usable-security.html
• Terri Oda: http://terriko.dreamwidth.org/39227.html (contains all three presentations from the PhD Forum 3 session)
• Valerie Fenwick: http://bubbva.blogspot.com/2010/09/ghc10-phd-forum-3-uieducation-another.html (contains all 3 presentations)

Session Notes

Presenter: Laurian Vega, PhD student at Virginia Tech

Spends time in childcare facilities and physician's offices and observing their data security practices

Drivers

• computer science & security
• usable security

Often assumed that humans are the weak link in security - but not true, software doesn't support user's mental model, need security software that represents how users think.

Reference: Users are Not the Enemy by A. Adams

Extensions of her work

• her work focuses on multiple users not single
• medical informatics area - need to go beyond adoption, usability and workflows, need to consider environment

In childcare centers directors need to manage info about children and parents - don't have HIPPA guidelines of physician's office.

Research Questions

• How do socio-technical systems that use sensitivie personal information manage work practice breakdowns surrounding the implicit and explicit rules of process?
• What are the implicit and explicit rules surrounding how medical practices and childcare facilities handle sensitive personal info?
• What breakdowns happen when explicit and implicit rules are not followed?
• How are breakdowns accounted for?

Study Method

• rural location of southwest-Virginia
• IRB approved
• 51 interviewed
• 121 hours
• active observer
• she is interpreting the research
• data captured in notes & rich descriptions

Dissertation Outcomes

• initial steps
• scenarios
• rules

Security Practices Observed in Childcare Setting

• stay physically close to files
• place sensitive papers in back of file
• close files & hide files
• files only handed to specific people

Interruptions

• 41% of time people don't return to task after being interrupted
• lots of interruptions in childcare facility
• directors had to manage security on the fly
• designers don't think about people being constantly interrupted

Discovered lots of redundancy in data storage. Reasons included:

1. community purpose
2. protect info from being lost
3. to use appropriate info based on contextual needs

---

Notes taken by Keita Del Valle, GHC 2010 Live Notetaker.