zones of ambiguity dealers

8/9/2019 Zones of Ambiguity Dealers

1/24

June 9th, 2010, Dealers

Security Knowledge: Evaluating

the Practice of Security inChildcares & Physicians OfficesLaurian Vega

Steve Harrison & Deborah TatarDepartment of Computer Science, Virginia Tech

Wednesday, July 7, 2010


2/24

+Usability

Adams, A. and M.A. Sasse, Users AreNot the Enemy, in Communications of

the ACM. 1999. p. 40-46.



3/24

Childcare CentersWednesday, July 7, 2010


4/24

Physicians OfficesWednesday, July 7, 2010


5/24

SensitiveInformation Rich

Places Aspects:

Managing others information Information in multiple

places

Numerous people accessing

Information in different forms

Managing security & privacyis secondary



6/24

Studying

Security Practice

Trust: People share knowledgeand sensitive informationtowards mutual goals

Privacy: working andmanaging sensitive

information Negotiation: when security

breakdowns occur rules are notclear



7/24

Method

Southwest-Virginia Rurual

IRB Approved 46 Interviewed Participants:

Childcare & Medical Directors,Parents

14 Childcare Observations Observations 2-3 hours,

Notes, collected artifacts,coded by 2 researchers

Observation of physiciansoffices currently underway



8/24

Competing identities of business and care

Childcare

Directors



9/24

Zones of

Ambiguitythose components of thepractices that might have

to be resolved with theaddition or enforcement ofmore official protocolupon the introduction of

computerized informationhandling mechanisms



10/24

Child-centeredknowledge

communication

Childcares function andcoordinate based on the daily

routines of parents

It is within this communicationthat shared private informationco-constructed and divulged

Parents reflected a deep needfor face-to-face communication



11/24


communication

There exists the potential forcommunication breakdowns

even within information richenvironments



12/24


communication "we try to remind [the parents]

verbally and give themsomething because most of ourparents actually had - I actuallyhad to take apart my parenthandbook and take theagreement sheet off of the backbecause I found out that mostof the time I was gettingenrollment forms I wasn'tgetting that sheet back becauseno one reads the handbook."



13/24

Parents DelegateSecurity & Privacy to

Childcares

Assumptions:

That directors monitor whoaccesses files

That information is centrally

located

That there are restrictivepolicies



14/24


Childcares

Parental concerns unsurfaced:

Obfuscating information

Parents, when able, notselected for no one to haveaccess

Through interviews parentsreflected that they weregoing to find out

This is foolish of me as a

parent, but I have neverasked.



15/24

Childcare Providers,Security, &

Interruptions

Childcares have valuablesecurity practices

Directors office being aseparate place

Placing files with extra

sensitive information in theback of the file

Physically mediatingsensitive information



16/24

Childcare Providers,Security, &

Interruptions

But... these places areintrinsically messy

41% of the time when someoneis interrupted, they do notreturn to their task (OConaill& Frohlich 1995)

Childcare directors have tocreate on-the-fly policies andpractices to manage privacy inthese messy spaces



17/24

Summary

Practice is as important as policy for

security and privacy Social systems naturally create zones for

ambiguity to manage the messiness of life

To truly design usable security meansunderstanding how to also design for thesezones of ambiguity



18/24

Thank you

A special thanks to Tom DeHart, Laura Agnich, Edgardo Vega,

Zalia Shams, Monika Akbar, Stacy Branham, & Aubrey Baker

who helped run, code, and analyze the data.

Laurian Vega

Steve Harrison & Deborah TatarDepartment of Computer Science, Virginia Tech



19/24

Zones of

AmbiguityPolicies are recognized

valuable but as not really

representing the practice

That quality communicationis necessary for the co-construction of knowledge

Parents had little knowledgeof how their informationwas managed, and used tobe generally with ambiguity



20/24


communication The quality of this

communication affects:

Perceptions of a childs safety

The negotiation of how howthe care will be managed

The business of the childcare

the teachers are well informed

and they know even what my kid

like and dislike and all that and I

feel that I have her secure and in agood place. In the old daycare, if I

asked 'did my kid sleep today' they

would respond 'I don't know, I just

got here.



21/24

HIPAA

Effective in 1996

Outlines (somewhat

ambiguously) US Nationalregulations in regards toprivacy and security ofpatients information

The HIPAA Privacy Rule provides federal protections for personal health information held bycovered entities and gives patients an array of rights with respect to that information. At the

same time, the Privacy Rule is balanced so that it permits the disclosure of personal health

information needed for patient care and other important purposes.The Security Rule specifies aseries of administrative, physical, and technical safeguardsfor covered entities to use to assure

the confidentiality, integrity, and availability of electronic protected health information. Wednesday, July 7, 2010


22/24

Southwest

Virginia Rural Appalachia

Highly impacted bysurrounding university

Low technology adoption

Population around 150,000 insurrounding municipalities

30 childcares, 60 medicalpractices within 10 miles of

universityWednesday, July 7, 2010


23/24Wednesday, July 7, 2010


24/24


Childcares In general, parents are unaware

and content with how theirinformation is being managed

Because the childcare is trustedwith the child, they are trustedwith the childs information

zones of ambiguity dealers

Documents