
Security Knowledge: Evaluating the Practice of Security in Childcares & Physician’s Offices
Laurian Vega
Steve Harrison & Deborah Tatar
Department of Computer Science, Virginia Tech

June 9th, 2010, Dealers

Wednesday, July 7, 2010


+ Usability

Adams, A. and M.A. Sasse, Users Are Not the Enemy, in Communications of the ACM. 1999. p. 40-46.



Childcare Centers

Physician’s Offices
Sensitive Information Rich Places
✤ Aspects:
✤ Managing others’ information
✤ Information in multiple places
✤ Numerous people accessing
✤ Information in different forms
✤ Managing security & privacy is secondary



Studying Security Practice

✤ Trust: People share knowledge and sensitive information towards mutual goals
✤ Privacy: working and managing sensitive information
✤ Negotiation: when security breakdowns occur, rules are not clear



Method

✤ Southwest-Virginia
✤ Rural
✤ IRB Approved
✤ 46 Interviewed Participants: Childcare & Medical Directors, Parents
✤ 14 Childcare Observations
✤ Observations 2-3 hours, Notes, collected artifacts, coded by 2 researchers
✤ Observation of physician’s offices currently underway



Childcare Directors
Competing identities of business and care



Zones of Ambiguity
those components of the practices that might have to be resolved with the addition or enforcement of more official protocol upon the introduction of computerized information handling mechanisms



Child-centered knowledge communication
✤ Childcares function and coordinate based on the daily routines of parents
✤ It is within this communication that shared private information is co-constructed and divulged
✤ Parents reflected a deep need for face-to-face communication



Child-centered knowledge communication
✤ There exists the potential for communication breakdowns even within information rich environments



Child-centered knowledge communication
✤ "we try to remind [the parents] verbally and give them something because most of our parents actually had - I actually had to take apart my parent handbook and take the agreement sheet off of the back because I found out that most of the time I was getting enrollment forms I wasn't getting that sheet back because no one reads the handbook."



Parents Delegate Security & Privacy to Childcares

✤ Assumptions:
✤ That directors monitor who accesses files
✤ That information is centrally located
✤ That there are restrictive policies



Parents Delegate Security & Privacy to Childcares

✤ Parental concerns unsurfaced:
✤ Obfuscating information
✤ Parents, when able, not selected for no one to have access
✤ Through interviews parents reflected that they were going to find out

“This is foolish of me as a parent, but I have never asked.”



Childcare Providers, Security, & Interruptions

✤ Childcares have valuable security practices
✤ Director’s office being a separate place
✤ Placing files with extra sensitive information in the back of the file
✤ Physically mediating sensitive information



Childcare Providers, Security, & Interruptions

✤ But... these places are intrinsically messy
✤ 41% of the time when someone is interrupted, they do not return to their task (O’Conaill & Frohlich 1995)
✤ Childcare directors have to create on-the-fly policies and practices to manage privacy in these messy spaces



Summary

✤ Practice is as important as policy for security and privacy
✤ Social systems naturally create zones for ambiguity to manage the messiness of life
✤ To truly design usable security means understanding how to also design for these zones of ambiguity

Thank you
Laurian Vega
Steve Harrison & Deborah Tatar
Department of Computer Science, Virginia Tech

A special thanks to Tom DeHart, Laura Agnich, Edgardo Vega, Zalia Shams, Monika Akbar, Stacy Branham, & Aubrey Baker who helped run, code, and analyze the data.



Zones of Ambiguity
• Policies are recognized as valuable but not really as representing the practice
• That quality communication is necessary for the co-construction of knowledge
• Parents had little knowledge of how their information was managed, and used to be generally with ambiguity



Child-centered knowledge communication
✤ The quality of this communication affects:
✤ Perceptions of a child’s safety
✤ The negotiation of how the care will be managed
✤ The business of the childcare

“the teachers are well informed and they know even what my kid like and dislike and all that and I feel that I have her secure and in a good place. In the old daycare, if I asked 'did my kid sleep today' they would respond 'I don't know, I just got here.’”



HIPAA
✤ Effective in 1996
✤ Outlines (somewhat ambiguously) US National regulations in regards to privacy and security of patients’ ‘information’

“The HIPAA Privacy Rule provides federal protections for personal health information held by
covered entities and gives patients an array of rights with respect to that information. At the
same time, the Privacy Rule is balanced so that it permits the disclosure of personal health
information needed for patient care and other important purposes. The Security Rule specifies a
series of administrative, physical, and technical safeguards for covered entities to use to assure
the confidentiality, integrity, and availability of electronic protected health information.” 



Southwest Virginia
✤ Rural Appalachia
✤ Highly impacted by surrounding university
✤ Low technology adoption
✤ Population around 150,000 in surrounding municipalities
✤ 30 childcares, 60 medical practices within 10 miles of university

Parents Delegate Security & Privacy to Childcares
✤ In general, parents are unaware and content with how their information is being managed
✤ Because the childcare is trusted with the child, they are trusted with the child’s information
