8/7/2019 Security in Practice: Examining the Collaborative Management of Personal Sensitive Information in Childcare Centers and Physician’s Offices, Presentation
http://slidepdf.com/reader/full/security-in-practice-examining-the-collaborative-management-of-personal-sensitive 1/102
Security in Practice: Examining
the Collaborative Management of Sensitive Information in Childcare
Centers and Physician’s Offices
Laurian Vega
March 28th, 2011
Diana Monkeys & Klaus Zuberbühler
Unknown environments appear chaotic; focusing on one element provides clarity.
It is only through living the experience that true understanding of the phenomenon of security emerged.
As scientists, we can present new ways of looking at old topics (i.e. communication & threats).
Outline
1. Motivation & Related Work
2. Research Method
3. Sample Security & Privacy Breakdowns
4. Revisiting Research Themes
5. Security & Privacy Scenarios
• Access v. Inaccess
• Contextual Awareness v. Lack of Contextual Awareness
• Technological v. Social Enforcement
[Diagram: Security & Privacy Breakdowns; Research Themes; Scenarios]
Motivation for Work
Related Work
• Human-Computer Interaction
• Usable Security
• Medical Informatics
Motivation for Work:
Usable Security
• Push back at the belief that humans are the weak link in security
• Software is what is not usable
• Balance between social and technical mechanisms for security
• Security is incongruent with the user’s primary task
Adams & Sasse (1999): Users Are Not the Enemy, in Communications of the ACM. pp 40-46.
Motivation for Work:
Human-Computer Interaction
• The focus on supporting the user; the user is always right
• User actions demonstrate values
• Technology provides unknown potential that will impact privacy
• A need to account for privacy, for which prior models cannot be used
Palen & Dourish (2003). Unpacking "privacy" for a networked world. Conference on Human Factors in Computing Systems, Ft. Lauderdale, Florida, USA, ACM.
Motivation for Work:
Medical Informatics
• Increasing adoption of electronic systems
• National regulation, HIPAA (Health Insurance Portability and Accountability Act)
• Changing relationship between patient, technology, & physician
• Shared awareness & social relationships key for information sharing
Berner, Detmer & Simborg (2005): Will the Wave Finally Break? A Brief View of the Adoption of Electronic Medical Records in the United States. Journal of American Medical Informatics Association. 12(1): pp.3-7.
Motivation for Work
Related Work: Human-Computer Interaction, Usable Security, Medical Informatics
Study of Collaborative Management of Sensitive Information
Research Method:
Location
• Rural-serving southwest Virginia
• Socio-economic status
• Digital divide
• Different care
• Impacted by local universities
• Location types:
  • 12 Childcare Centers
  • 19 Physician’s Offices
Research Method:
Participant Demographics
Parents
• 1-2 Avg Number of Children
• 4 Avg Age of Child
• 14 Months Avg Time
Childcare Center Directors
• 12.5 Avg Years Experience
Physicians’ Office Directors
• 20.16 Avg Years Experience
Research Method:
Participant Demographics
Parents
Childcare Centers & Directors
• 64.5 Hours Observation
• 20 Avg Person Staff Size
• 85 Avg Children Enrolled
Physicians’ Offices & Directors
• 61.25 Hours Observation
• 10 Avg Person Staff Size
• 128 Avg Children Enrolled
Research Method:
Conducting Observations
• Observed Directors of childcare centers and physicians’ offices
• Primarily sat within office of directors and took paper and electronic time-stamped notes (recordings when IRB approved)
• Annotated actions within office of people accessing/modifying/sharing client information verbally or electronically along with the guiding task of the participants
[Diagram: Front Office; Director; Receptionist; Patient Room; Me]
Research Method:
Analysis
1. Collected and aggregated data
2. Used Activity Theory to isolate all breakdowns related to security and privacy (281 breakdowns)
3. Collated similar breakdowns into breakdown types (84 breakdown types)
4. Phenomenologically analyzed breakdowns to thematically categorize breakdown types (15 Themes)
Research Method:
Analysis, Sample Breakdown
[Diagram: activity system with Tool, Actor, Object, Outcome]
Research Method:
Analysis, Sample Breakdown
Access Policy Violations: Discussion of HIPAA Violations
[Diagram: two activity systems, each with Filing Cabinets, Nurse and Client File; labels: Privacy; Open access to files]
Research Method:
Analysis, Definition of Breakdown
Breakdown: When a perturbation occurs in the system that causes a contradiction to occur between activities or within parts of the activity system.
[Diagram: two activity systems, each with Filing Cabinets, Nurse and Client File; labels: Privacy; Open access to files]
Security & Privacy Breakdowns
Thought topics...
• What is the threat in each breakdown?
• What is the role of the individual versus group?
• What is the ambiguity present in any situation?
Security & Privacy Breakdowns:
Client Information Left in the Open
Files were co-located with the director yet were stored in:
• Open filing cabinets
• Open shelves
“The files are accessible by anyone, including the assistants. With that said, however, there's always someone in the administrative office so anyone sneaking in unnoticed is virtually impossible.” -Observation Notes
Security & Privacy Breakdowns:
Staff Catching Incorrect Medical Procedure
“The <echo-cardiologist> comes to the window with <the receptionist>. Turns out that this patient was scheduled for a stress test. The problem is that <the office staff> didn’t realize that he’d had a heart attack just a month ago. The echo guy gets on the phone to cancel the stress test.”
[Diagram: Front Office; Nurse; Receptionist; Echo-cardiologist; Patient Room; Hospital; Stress Test; Administrator]
Security & Privacy Breakdowns:
Missing Child
Salient Points:
• Bus driver discovers he cannot contact either parent with the information on the bus, calls center.
• Assistant Director confesses she has not updated bus information because she also does not have it.
• Assistant Director gets cell phone from sister childcare; mother still does not pick up phone
• Director is able to pull information from child’s teacher, and from child through social interaction
[Diagram: School; Childcare; Sister Childcare]
Security & Privacy Breakdowns:
Getting Information Purposefully Not in File
In a single office client information could be stored in many forms and locations.
Forms of Storage at Physician’s Offices:
• Electronic Billing
• Electronic Health
• Paper Billing
• Paper Health
• Schedule
[Diagram: Medicaid; Queen; Nurse; Payment; Staff; Staff; Staff; Staff]
Security & Privacy Breakdowns:
Parents Not Knowing Who Can Access Their File
Childcare Center
Who do you think can access your child’s file?
“I guess the officers in the day care the main teacher the director... I guess some of the confidential information even the teachers cannot get just the officers”
“You know I'm probably guessing that the director or enrollment person probably has access to that.”
“No idea. Never thought about it.”
“Right. I am really not sure.”
[Diagram: Director’s Office; Parents; Teacher; Lead Teacher; Cook; Licensor; Owner; Bus Driver]
Security & Privacy Breakdowns:
Not Knowing Who Accessed Client Information
Physician’s Office
“<people in the office> can access anything. That’s their job.”
“Yeah because it doesn’t show who’s logged in and most of the time I’m logged in in the front because I’m the only one up there, but occasionally someone else will come up and they’ll just do it, and I usually check to make sure just because it is on my login, but that’s one thing is we wanted it to actually show who’s logged in.”
[Diagram: Front Office; Nurse; Receptionist; Nurse; Assistant; Nurse; Doctor; Surgeon; Nurse Practitioner; Director; Assistant Director; Echo-cardiologist]
Security & Privacy Breakdowns:
Children’s Pictures on Facebook
“Two or three of the teachers had friended me on Facebook. And a week later in looking at their Facebook I noticed that they had pictures of the children playing in that daycare... I called the daycare and told the director... Then when I got there to pick them up the owner was there. So she pulled me aside and apologized and said that it would get fixed. And they brought all the securities, teachers into the office and watched them take the picture down off from the internet before they left that day. So, they are definitely on it as far as fixing the problem and that’s the feeling of nervousness that I have. You know just like very personal pictures are up.”
[Diagram: mock Facebook feed with posts by Lady Teacher and Other Teacher, dated January 25th, 2011]
Security & Privacy Breakdowns:
HIPAA Violations
“<The doctor> comes in and <the director> talks about a phone call earlier... It was a man who was looking for his wife... <the director> said that she would pass on the message to the wife... The doctor said that that was good. But <the nurse> said that was against HIPAA. The doctor jokes that <the nurse> is all HIPAA compliant - he acts like he doesn’t take it very seriously. She says, ‘Well, that is about privacy, what if he was an estranged spouse looking for his wife to kill her’... There isn’t a conclusion on whether or not <the director> did the right thing.”
[Diagram: Director’s Office; Entrance; Patient Room; Doctor; Patient; Nurse; Mechanist; Patient’s Spouse]
Security & Privacy Breakdowns:
Menacing Outsider
• Man in a red bandana who maintains the lawn care
• Casual mention, and no intention to take action
• Only mention by any participant of a real security threat
[Diagram: Director’s Office; Director; Me; Lobby; Entrance; Lawn Care Person]
Discussion
•Security & Privacy Embodiment
•Communities of Security
•Zones of Ambiguity
Security & Privacy Embodiment:
Threat Models
Security threats as a model for situating security and privacy:
“In these domains the adversarial actions are unintentional, unwelcome, and intrusive access and modification of sensitive personal information. Examples include medical and childcare center personnel, medical researchers, and insurance companies accessing patient or child information that should not be available (i.e., private). A second example includes ‘work-around’ practices of the personnel themselves that results in unknown and insecure information disclosures.”
Security & Privacy Embodiment:
Threat Models & Practice
“Computing systems are only secure in principle. They are rarely secure in practice” ~Bellotti & Sellen
Threat models cannot account for secure practice.
Security & Privacy Embodiment
• Security was not found in activities where:
• There was a conflict between external policies
• There were uninstantiated policies
• Security was found in activities that were:
• Local
• Individual
• Care
• Robustness of Information
Communities of Security
• Supporting the community in their shared task of security and privacy
• The activity of managing sensitive information is collaborative, yet security is considered an individual task - supporting the “user”
• Childcare centers and physicians’ offices personnel did not consider their work individual
[Diagram: Director’s Office; Entrance; Patient Room; Doctor; Patient; Nurse; Patient’s Family; Patient; Patient Room]
Communities of Security:
Roles, Role Based Authentication
Role-based authentication. A user is assigned a role that has predefined access to certain information.
[Diagram: roles (Patient; Patient’s Family; Director; Receptionist; Doctor; Nurse) and information (Patient’s Medical Record; Patient’s Billing Record; Post-it Notes Attached to Patient Record; Schedule)]
Communities of Security:
Roles representing work
“They can access
anything. That’s their
job.” ~ Office Director
Zones of Ambiguity
A zone of ambiguity is where current behavioral practices allow fundamentally contradictory concerns to exist in tacit compromise with one another.
Social systems afford ambiguity - they allow for the unsaid and the unarticulated
Technology articulates and formalizes policies and procedures, leaving little room for ambiguity
Zones of Ambiguity:
Accountability is Ambiguous
Who accesses, modifies, and deletes information is not tracked.
The values of collaboration are in direct contradiction to security, reflected in ambiguity.
Leaving workstations open, passwords not being used, and passwords being shouted.
Security & Privacy Scenarios
• Access v. Inaccess
• Anonymity v. Visibility
• Permanence v. Decay
• Centralization v. Decentralization
• Layered v. Flat
• Contextual Awareness v. Lack of Contextual Awareness
• Center-managed Privacy v. Client-managed Privacy
• Technological v. Social Enforcement
Security & Privacy Scenarios
Actors & Location
Actors:
• Alice: Works in the center and has moderate access to information
• Rosemary: Works with Alice, less access
• Nancy: A new regulator checking centers for information management
Location:
• Interrupting phone calls, little time to handle tasks
• People constantly entering and leaving
• Stack of work sitting on desks
Security & Privacy Scenarios:
Access v. Inaccess
• Open access can be
compatible with maintaining
security.
• Visible security
mechanisms serve as
reminders of privacy.
• Access security mechanisms can reinforce social work.
Inaccess Access
Security & Privacy Scenarios:
Contextual v. Lack of Contextual Awareness
Contextual Awareness
Alice selects to show a client’s record on the wall. While discussing the issue with Rosemary, Judy enters the room. The system grays out the display. Judy leaves, the display returns, and Rosemary remembers a similar client. She says, “Display Sam Williams” and the system asks for a password. Alice says the password to the system. The system then displays the record and emails Alice a new password.
Lack of Contextual Awareness
Alice selects to show a client’s record on the wall. While discussing the issue with Rosemary, Judy enters the room, and Alice uses a remote to shut off the display. Judy leaves, Alice turns the display back on. Rosemary remembers a similar client, and tries to pull it up. Rosemary asks Alice what the password is, and Alice walks over and types it in. The system displays the record and when they are done discussing the issue, Alice walks back to her workstation.
Security & Privacy Scenarios:
Technological v. Social Enforcement
Social Enforcement
Nancy is visiting for an inspection. She enters and explains that a client was unsatisfied with their information management. Alice shows Nancy her re-issuing of passwords, her auditing of files, and the citations she issued for leaving stations open. Nancy also starts to check 5% of client files, inspects the location, and writes a citation for information being left out of the client’s file. She then asks for access to the complainer's file. Nancy reviews the access log and validates that there were numerous accesses to the file without changes. Alice explains that she was unaware of the problem. Nancy issues a citation.
Security & Privacy Scenarios:
Technological v. Social Enforcement
• Social application of rules affords negotiation.
• Electronic systems and social systems have different methods of enforcing compliance.
Security & Privacy Scenarios:
Discussion
• Seamless & Seamful
• Surveillance
• “Do Nothing” Scenario
Security & Privacy Scenarios:
Discussion
Themes:
• Security & Privacy Embodiment
• Communities of Security
• Zones of Ambiguity
Conclusions
• I used HCI theory and phenomenological analysis to study security and
privacy to understand and evaluate the collaborative practice of managing
sensitive personal information.
• The practices that people do in the management of sensitive information in
childcare centers and physician’s offices are incongruent with current
electronic systems.
• These themes (Security Embodiment, Communities of Security, and Zones of
Ambiguity) cross cut the scenarios as well as the data through different
lenses.
• The goals of security and privacy can be in conflict with the provision of care,
but through considering the presented spectrums we have ways of talking
about how the provision of care can be supported.
Thank you
Thank you to Laura Agnich, Monika Akbar, Aubrey Baker, Stacy Branham,
Tom DeHart, Zalia Shams, and Edgardo Vega.
Presentation Citations Outside of Dissertation
• The story of the Diana Monkeys was first heard on Radio Lab, on their show “Wild Talk.” A short description is also provided in this Times story, “Smarter Than You Think.” The study was published by the Study of Animal Behavior, with the article titled “The alarm call system of female Campbell’s monkeys.”
Research Method
• Research Questions
• Participants & Locations
• Data Collection
• Data Analysis
Research Questions
What breakdowns happen when the explicit and implicit rules are not followed?
How are breakdowns accounted for, negotiated, and managed in socio-technical systems where sensitive personal information exists?
What are the implicit and explicit rules surrounding how physicians’ offices and childcare centers handle sensitive personal information?
Used Activity Theory to siphon data to list of breakdowns
Used Phenomenology to create list of themes to understand breakdowns
Used Near Future scenarios to explain guiding principles as implications for design
Participants & Locations:
Definitions of Locations
• Childcare center: a facility where parents engage in a service agreement with a caregiver to assume responsibility and provide supervision of the child for approximately five days a week – less than 24 hours in the day, barring sickness; holds more than two children under the age of 13; licensed by the Virginia Department of Social Services (adapted from Virginia Department of Social Services Website (2010a)).
• Physician’s Office: a facility where patients engage in a service agreement with health care professionals to provide care, education, and treatment to the patient, usually less serious than to warrant a visit to the hospital emergency room; seen by appointment and during regular business hours (adapted from Virginia Board of Medicine Website (2006) and inclusive of practices as defined by HIPAA to include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies (2010e)).
Participants & Locations:
Rural-Serving Southwest Virginia
Rural and rural-serving care providers have been found to have the following relevant characteristics:
• Patients are more likely to be uninsured (20%)
• Patients are less likely to seek preventative care and medicine
• Rural regions have fewer physicians and dentists per patient, with 10% of physicians in this area versus 25% of population
• Infant and adolescent mortality along with rates of obesity and tobacco use are higher
• 41% of local public health agencies reported funding to be their main challenge (compared to 26% of non-rural agencies)
Participants & Locations:
Childcare Centers
Childcare center stakeholders:
• Director
• Assistant Director
• Receptionist
• Lead Teacher
• Teacher(s) (substitutes)
• Cook
• Parents
• Children
• Inspectors: DSS State Licensor,
Health Inspector, Fire Marshal
• Early Intervention
Participants & Locations:
Physicians’ Offices
Physicians’ Office stakeholders:
• Director
• Assistant Director
• Receptionist(s)
• Nurse(s)
• Doctors, Physician’s assistant, Nurse Practitioner
• Patients
• Patients’ friends and family
• Pharmacies
• Insurance Company Representatives
Participants & Locations:
Multisite Fieldwork
• Provides perspective on a diversity of issues that are experienced by numerous people instead of on a micro-culture.
• Examples of use in ethnography (e.g., work of Marcus) and within HCI (e.g.,
work of Wyche).
Research Method:
Participant Demographics
Parents
1-2 Avg Number of Children
4 Avg Age of Child
14 Months Avg Time
Childcare Centers & Directors
Physicians’ Offices & Directors
12 Interviews
4 Observation Locations
64.5 Hours Observation
16 Interviews
5 Observation Locations
61.25 Hours Observation
12.5 Avg Years Experience
20 Avg Person Staff Size
85 Avg Children Enrolled
20.16 Avg Years Experience
10 Avg Person Staff Size
128 Avg Children Enrolled
21 Interviews
Data Collection:
Study 1 & Study 2
Study 1: All data and preliminary analysis of that data collected prior to the proposal defense. This includes all interviews with childcare center directors, initial observations of childcare centers, interviews with parents, and the first 13 interviews with physicians’ office directors.
Study 2: All data collected post the research defense and analysis of all data from all studies. The data collected includes observations of childcare centers and physicians’ offices along with two additional interviews with physicians’ office directors.
Data Collection:
Data Sampling
Stratified Sampling Method:
• Define groups to be sampled
that share distinct characteristics
(e.g., childcare centers, physicians’
offices, parents).
• Purposefully diversifies population
to be sampled along specific criteria
• Useful for exploring divergent
versions of an issue to be studied
Possible Data Sources
Research Method:
Observation Protocol
[Diagram labels: Front Office; Director; Receptionist; Patient Room; Me]
Observed Directors
• Follow-up of interviews to see
differences between official and
unofficial aspects of security
• Directors are primarily located
with client files, making their
office a hotspot for client
information access
• Directors are also primarily
located with the computers
Data Collection:
Conducting Observation
Observation Notes Covered:
• Actions of directors and anyone in director’s office
• The location of any visible client information
• Time stamps of any action
• Any time a client file was accessed or modified
• Any information that was shared orally about a client
• Any time the director engaged with a piece of technology
• Interpretations of activities
Data Collection:
Participant Recruitment
Childcare Center Directors
Comprehensive list of all childcare
centers in the NRV area from VA DSS
website. All contacted by phone.
Physician’s Office Directors
List of all offices in Blacksburg &
Christiansburg were canvased by foot.
List expanded to NRV area for
observations.
Parents
Flyers placed in childcare centers,
announcements sent over listserv for
working moms, and advertisements
placed in company newsletter
Data Collection:
Training & Preparing for Interviews & Observations
Training Procedure:
• Review prior literature and discuss
• Become familiar and practice
protocols
• Review prior data and reports
• Meet with team to discuss data and
practice with protocols
• Shadowing by experienced
researcher for first session
Data Collection:
Data Management
Data is comprised of:
• Interview recordings
• Interview transcripts
• Interview notes
• Forms
• Pictures
• Drawings & diagrams
• Observation notes
• Observation transcripts
• Observation recordings
Data Collection:
Dates & Times of Observations
Childcare Centers (chart time axis, hours of day: 7 8 9 10 11 12 1 2 3 4 5 6)
August 30th, 2010
August 31st, 2010
October 13th, 2009
October 13th, 2009
October 14th, 2009
October 15th, 2009
October 16th, 2009
October 21st, 2009
October 22nd, 2009
October 23rd, 2009
October 26th, 2009
October 29th, 2009
October 30th, 2009
September 14th, 2010
September 15th, 2010
September 2nd, 2010
September 2nd, 2010
September 8th, 2010
September 8th, 2010
September 9th, 2010
Physicians’ Offices (chart time axis, hours of day: 8 9 10 11 12 1 2 3 4 5)
August 16th, 2010
August 19th, 2010
August 19th, 2010
August 20th, 2010
August 20th, 2010
August 23rd, 2010
August 26th, 2010
July 13th, 2010
July 15th, 2010
July 1st, 2010
July 6th, 2010
June 7th, 2010
September 1st, 2010
September 7th, 2010
September 9th, 2010
Data Analysis:
Activity Theory
[Diagram labels: Tool; Subject; Object; Outcome; Transformation Process; Rules; Community; Division of Labor]
Data Analysis:
Analysis, Sample Breakdown
[Diagram labels: Tool; Actor; Object(ive); Outcome]
Data Analysis:
Analysis, Sample Breakdown
Access Policy Violations: Discussion of HIPAA Violations
[Diagram labels: Filing Cabinets; Nurse; Client File; Privacy; Open access to files]
Data Analysis:
Combining Breakdowns
[Diagram labels, individual breakdowns: Childcare Director; Parent 1; Client File; Accessing their file (repeated for Parent 2 through Parent 6)]
[Diagram labels, combined breakdown: Childcare Director; Parent 1-11; Client File; Accessing their file]
Data Analysis:
Phenomenology
• Data Managing: Collecting the data and organizing it into appropriate forms and files
• Reading & Memoing: Reading the data, writing notes in the margins, writing memos, forming initial codes
• Describing: Evaluating the personal experience along with the essence of the experience of the participants
• Classifying: Group initial codes or statements into related clusters or meaning units
• Interpreting: Generating a textual description of the phenomenon explaining the ‘what’ and ‘how’
• Representing: Creating a description of the essence of the experience and discussing it
Key Aspects:
• Focusing on the experience of a phenomenon
• Bracketing off individual interpretations
• Respecting and collating different experiences through horizontalization of data
• Result is a description of the phenomenon answering questions of ‘what’ and ‘how.’
Data Analysis:
Classifying Data
To construct themes:
• Reviewed each breakdown type, read examples
• Collated similar breakdowns together tagging for cause, technologies, and people involved
• Tentative groups memo’d, met
with external researcher to review
them; new groups made, one
dissolved
• Final groups created and
described
Data Analysis:
Phenomenological Themes
Breakdown Themes Title: Description of Breakdown Themes
• Policy Violation: When there is an explicit policy governing how sensitive personal information should be managed, but the policy is not followed.
• Access Policy Work-arounds: When there is an explicit policy governing how sensitive personal information should be managed, but the office staff find a method to get around the policy or a loophole.
• Beliefs About Security: Ideas that people have about security and privacy that are questionably correct.
• Human-Technology Mismatch: When technology exists that offers a solution, but the people do not like using the technology thus resulting in a situation that is less secure.
• Inadequate Representation in Available Information System: A system exists that has all of the information that is desired, but because of the way the system is set up the user is incapable of using it. This is relevant for issues like access logs.
• Information Acquisition: The centers having difficulty acquiring information that is sensitive.
• Information System Issues: The information system exists but results in additional problems relating to managing client information (e.g. system crashing).
• Information Withheld/Hidden: Information is sought, and the information exists, but a person enforces a policy restricting access to that information.
• Local Negotiation of Content: The content that actually goes into the client’s files is negotiated.
• Local Negotiation of Policy: There is an explicit policy that regulates how the situation is supposed to unfold, but locally in practice the policy is different.
• Access Policy: There exists a policy that restricts access to some needed piece of information.
• Practice/Performance Issues: In the action of enacting a policy there are difficulties.
• Sensitive Information Publicly Available: Sensitive information is viewable to anyone who walks by.
• Social Relations Issues: Problems that occur socially that then affect client care or the management of client information.
• Synchronizing Information with Reality: The information that exists in a client file is not representative of some objective reality.
Data Analysis:
Near Future Scenarios
To construct scenarios:
• Derived problems from breakdowns and brainstormed possible solutions
• Constraints for brainstorming were: could be used within childcare center or physician’s office, and had to be in response to a breakdown
• These scenario ideas were
then organized to reflect
contrasting spectrums
• 8 spectrums derived (e.g.,
access v. inaccess)