Security in Practice: Examining The Collaborative Management of Personal Sensitive Information in Childcare Centers and Physician's Offices, Presentation

Security in Practice: Examining
the Collaborative Management of

Sensitive Information in Childcare
Centers and Physician’s Offices
Laurian Vega
March 28th, 2011
1
Diana
Monkeys
& Klaus
Zuberbühler
2
Unknown environment appear chaotic;
focusing on one element provides clarity
3
As scientists, we can present new ways

of looking at old topics (i.e.
communication & threats)
3
As scientists, we can present new ways

of looking at old topics (i.e.
communication & threats)
It is only through living the experience

that true understanding of the
phenomenon of security emerged
3
Outline
1. Motivation & Related Work

2. Research Method
3. Sample Security & Privacy Research
Themes
Breakdowns
Security &
4. Revisiting Research Themes
Privacy
5. Security & Privacy Scenarios Breakdowns
• Access v. Inaccess
Scenarios
• Contextual Awareness v.
Lack of Contextual
Awareness
• Technological v. Social
Enforcement
4
Motivation for Work
Related Work
Human-
Usable Medical
Computer
Security Informatics
Interaction
5
Motivation for Work:
Related Work
Usable Security
Human-
Medical
Usable Security Computer
Informatics
Interaction
• Push back at belief that

humans are weak link in
security
• Software is what is not
usable
• Balance between social
and technical
mechanisms for security
• Security in incongruent
with the user’s primary
Adams & Sasse (1999): Users Are Not
task
the Enemy, in Communications of the
ACM. pp 40-46.
6
Related Work
Human-Computer Interaction
Human-
Medical
Usable Security Computer
Informatics
Interaction
• The focus on
supporting the user; the
user is always right
• User actions
demonstrate values
• That technology
provides unknown
potential that will impact
privacy
Palen & Dourish (2003). Unpacking "privacy" for a
networked world. Conference on Human Factors in • A need to account for
Computing Systems, Ft. Lauderdale, Florida, USA,
ACM.
privacy - of which cannot
prior models cannot be
used 7
Related Work
Medical Informatics
Human- Medical
Usable Security Computer Informatics
Interaction
• Increasing adoption of
electronic systems
• National regulation,
HIPAA (Health Insurance
Portability and
Accountability Act)
• Changing relationship
between patient,
technology, & physician
Berner, Detmer & Simborg (2005): Will the Wave
Finally Break? A Brief View of the Adoption of • Shared awareness &
Electronic Medical Records in the United States.
Journal of American Medical Informatics Association. social relationships key
12(1): pp.3-7.
for information sharing
8
Motivation for Work
Related Work
Human-
Usable Medical
Computer
Security Informatics
Interaction
Study of Collaborative Management

of Sensitive Information
9
Research Method:
Location
• Rural-serving southwest Virginia
• Socio-economic status
• Digital divide
• Different care
• Impacted by local universities
• Location types:
• 12 Childcare Centers
• 19 Physician’s Offices
10
Research Method:
Participant Demographics
Childcare Physicians’ Parents

Center Office
Directors Directors
12.5 Avg Years Experience 20.16 Avg Years Experience 1-2 Avg Number of Children
4 Avg Age of Child
14 Months Avg Time
11
Research Method:

Centers & Offices &
Directors Directors
64.5 Hours Observation 61.25 Hours Observation
20 Avg Person Staff Size 10 Avg Person Staff Size

85 Avg Children Enrolled 128 Avg Children Enrolled
12
Research Method:
Conducting Observations
Patient Room Front Office • Observed Directors of

childcare centers and
Director physicians’ offices
Receptionist • Primarily sat within office of

directors and took paper and
Me electronic time-stamped
notes (recordings when IRB
approved)
• Annotated actions within
office of people accessing/
modifying/sharing client
information verbally or
electronically along with the
guiding task of the
participants
13
Research Method:
Analysis
1. Collected and aggregated data
2. Used Activity Theory to isolate all
breakdowns related to security and
privacy (281 breakdowns)
3. Collate similar breakdowns into
breakdown type (84 breakdown types)
4. Phenomenologically analyzed
breakdowns to thematically categorize
breakdown types (15 Themes)
14
Research Method:
Analysis
15
Research Method:
Analysis, Sample Breakdown
Tool
Actor Object Outcome
16
Research Method:
Access Policy Violations:
Discussion of HIPAA Violations
Filing Cabinets
Open
Nurse Client access
File to files
17
Research Method:
Filing Cabinets Filing Cabinets
Open
Nurse Client access Privacy Client Nurse
File to files File
17
Research Method:
Open
File to files File
17
Research Method:
Analysis, Definition of Breakdown
Breakdown: When a perturbation occurs in the system

that causes a contradiction to occur between activities or
within parts of the activity system.
Open
File to files File
18
Research Method:
Analysis
19
Research Method:
Analysis
20
Security & Privacy Breakdowns
Thought topics...
•What is the threat in each breakdown?
•What is the role of the individual versus group?
•What is the ambiguity present in any situation?
21
Security & Privacy Breakdowns:
Client Information Left in the Open
Files were co-located with the

director yet were stored in:
• Open filing cabinets
• Open shelves
“The files are accessible by

anyone, including the assistants.
With that said, however, there's
always someone in the
administrative office so anyone
sneaking in unnoticed is virtually
! impossible.” -Observation Notes
22
Staff Catching Incorrect Medical Procedure
Patient Room Front Office “The <echo-cardiologist>

comes to the window with <the
Nurse receptionist>. Turns out that this
patient was scheduled for a
Receptionist
stress test. The problem is that
Echo- <the office staff> didn’t realize
cardiologist that he’d had a heart attack just
a month ago. The echo guy
gets on the phone to cancel the
stress test.”
Hospital
Stress
Test
Administrator
23
Missing Child
Salient Points:
School
• Bus driver discovers he cannot
contact either parents with the
information on the bus, calls center.
• Assistant Director confesses she
has not updated bus information
because she also does not have it.
• Assistant Director gets cell phone
from sister childcare; mother still
does not pick up phone
Sister • Director is able to pull information

Childcare Childcare from child’s teacher, and from child
through social interaction
24
Getting Information Purposefully Not in File
In a single office client

Nurse information could be stored
in many forms and locations.
Staff Medicaid
Queen
Staff Forms of Storage at
Physician’s Offices:
Staff
• Electronic Billing
• Electronic Health
• Paper Billing
• Paper Health
Payment
• Schedule
Staff
25
Sharing Login
Director’s Office Lobby Entrance Infant Room “The lead teacher in the lobby
computer asks <the director>
about the password of the
computer. This is what she
said, ‘Hey <lead teacher>,
eventually I will remember the
Lead password, but can you tell me
Director Teacher Kitchen now’. <The director> gives out
the password loudly. Anyone in
the office or lobby or infant
room should be able to hear it.
It’s a sequence of four digits
like 1234.”
26
Parents Not Knowing Who Can Access Their File
Childcare Center
Who do you think can access
Director’s Office Parents your child’s file?
“I guess the officers in the day care
the main teacher the director... I
guess some of the confidential
information even the teachers cannot
get just the officers”
“You know I'm probably guessing
Teacher that the director or enrollment person
Lead Teacher probably has access to that.”
“No idea. Never thought about it.”
Cook
“Right. I am really not sure.”
Licensor
Owner
Bus Driver
27
Not Knowing Who Accessed Client Information
“<people in the office> can

Physician’s Office access anything. That’s their
Front Office job.”
Nurse “Yeah because it doesn’t show

who’s logged in and most of
Nurse the time I’m logged in in the
Receptionist front because I’m the only one
up there, but occasionally
Assistant
someone else will come up
and they’ll just do it, and I
usually check to make sure just
Nurse Director because it is on my login, but
that’s one thing is we wanted it
Doctor Assistant Director to actually show who’s logged
Surgeon Echo-cardiologist in.”
Nurse Partitioner 28
Children’s Pictures on Facebook
“Two or three of the teachers had friended
facebook
me on Facebook. An a week later in looking
Lady Teacher at their Facebook I noticed that they had
pictures of the children playing in that I
daycare... I called the daycare and told the
Lady Teacher
words words words more words director... Then when I got there to pick
some others words words words
words more words some others
words words words words more
them up the owner was there. So she
words some others words
January 25th, 2011 * lock * like * Comment pulled me aside and apologized and said
Lady Teacher and Other that it would get fixed. And they brought all
Teacher are now friends.
January 25th, 2011 * lock * like * Comment
the securities, teachers into the office and
Other Teacher watched them take the picture down off
words words words more words
from the internet before they left that day.
words words words words more
So, they are definitely on it as far as fixing
the problem and that’s the feeling of

Lady Teacher
words words words more words
nervousness that I have. You know just like
words words words words more very personal pictures are up.”
29
Hesitation about Writing or Storing Information
“... we train our doctors to write it all

down... if we’re in the court of law...
And if you write it down then you got a
record of what occurred.”
“...they use initials, they put it in a
cabinet... so that no one will
accidentally discover it. At the same
time we don't want them to see, like
especially if it becomes an unfounded
LCV
case. We try to keep that stuff kinda
separate... so that it's not necessarily
SB 100% visible.”
LCV
“and a lot of the times we will have a
person listed as the child's father but is
not actually the child's father and we
know that but it's not... listed in there”
30
HIPAA Violations
“<The doctor> comes in and <the
director> talks about a phone call
Mechanist earlier...It was a man who was looking
for his wife... <the director> said that
Patient’s Spouse
she would pass on the message to
the wife... The doctor said that that
was good. But <the nurse> said that
was against HIPAA. The doctor jokes
Director’s Office Entrance
that <the nurse> is all HIPAA
compliant - he acts like he doesn’t
take it very seriously. She says, ‘Well,
that is about privacy, what if he was
Doctor
an estranged spouse looking for his
Patient wife to kill her’... There isn’t a
Nurse conclusion on whether or not <the
director> did the right thing.”
Patient Room
31
Menacing Outsider
• Man in a red bandana who

Lawn Care Person maintains the lawn care
Director’s Office Lobby Entrance • Casual mention, and no intention

to take action
• Only mention by any participant of

a real security threat
Me Director
32
Discussion
•Security & Privacy Embodiment
•Communities of Security
•Zones of Ambiguity
33
Security & Privacy Embodiment:
Threat Models
Security threats as a model for situating security and privacy:
“In these domains the adversarial actions are unintentional, unwelcome,

and intrusive access and modification of sensitive personal information.
Examples include medical and childcare center personnel, medical
researchers, and insurance companies accessing patient or child
information that should not be available (i.e., private). A second example
includes ‘work-around’ practices of the personnel themselves that
results in unknown and insecure information disclosures.”
34
Threat Models
Security threats as a model for situating security and privacy:
“In these domains the adversarial actions are unintentional, unwelcome,

and intrusive access and modification of sensitive personal information.
Examples include medical and childcare center personnel, medical
researchers, and insurance companies accessing patient or child
information that should not be available (i.e., private). A second example
includes ‘work-around’ practices of the personnel themselves that
results in unknown and insecure information disclosures.”
34
Threat Models & Practice
“Computing systems are only secure in principle. They are rarely secure in
practice” ~Bellotti & Sellen
Threat models
cannot account
for secure
practice.
35
Security & Privacy Embodiment
• Security was not found in activities where:
• There was a conflict between external policies
• When there were uninstantiated policies
• Security was found in activities that were:
• Local
• Individual
• Care
• Robustness of Information
36
Discussion
37
Communities of Security
Entrance Patient Room • Supporting the community in
their shared task of security
Patient and privacy
Patient’s
Family • The activity of managing
sensitive information is
collaborative, yet security is
considered an individual task -
supporting the “user”
Doctor
Patient • Childcare centers and
Director’s Office Nurse physicians’ offices personnel
did not consider their work
Patient Room individual
38
Communities of Security:
Roles, Role Based Authentication
Patient Patient’s Medical Record
Patient’s Family Patient’s Billing Record
Director Post-it Notes Attached to Patient Record
Receptionist Schedule
Doctor Patient’s Medical Record
Nurse Patient’s Billing Record
Role-based authentication. A user is assigned a role that has predefined

access to certain information
39
Roles representing work
40
“They can access

anything. That’s their
job.” ~ Office Director
40
Care for the Client

Pull client files
Pat backs
Answer questions
See the client
“They can access Update client’s information

anything. That’s their
job.” ~ Office Director Discuss next course of action about client
Bill the client
Pay bills
Put client files away
40
Discussion
41
Zones of Ambiguity
A zone of ambiguity is where

current behavioral practices allow
fundamentally contradictory
concerns to exist in tacit
compromise with one another.
Social systems afford ambiguity -

they allow for the unsaid and the
unarticulated
Technology articulates and

formalizes policies and
procedures, leaving little room for
ambiguity
42
Zones of Ambiguity:
Accountability is Ambiguous
Who accessed, modifies, and

deletes information is not
tracked.
The values of collaboration is in

direct contradiction to security,
reflected in ambiguity
Leaving workstations open,

passwords not being used, and
passwords being shouted.
43
Security & Privacy Scenarios
• Anonymity v. Visibility
• Permanence v. Decay
• Centralization v. Decentralization
• Layered v. Flat
• Contextual Awareness v. Lack
of Contextual Awareness
• Center-managed Privacy v.
Client managed Privacy
Enforcement
44
Actors & Location
Actors:
• Alice: Works in the center and has
moderate access to information
• Rosemary: Works with Alice, less
access
• Nancy: A new regulator checking
centers for information management
Location:
• Interrupting phone calls, little time
to handle tasks
• People constantly entering and
leaving
• Stack of work sitting on desks
45
• Layered v. Flat
Enforcement
46
Security & Privacy Scenarios:
Access v. Inaccess
Access
Inaccess Access Alice hangs up and walks to the open cabinets,
finds the client’s file, and writes down private
information. However, she could not find everything
so she goes to the shared computer. She quickly
pulls up the record, and then returns to the phone.
Inaccess
Alice hangs up and walks to the client file room
entering her door code. She goes to the filing
cabinets and enters her password, finds the client
file, and logs her name on the outside of the file.
However, she could not find everything so she goes
over to the computer station entering her password.
She pulls up the record, can see the previous
accessers, and tries to find the additional
information. She realizes that she cannot access it.
She logs out of the computer, and passes a
message to the director.
47
Access v. Inaccess
Inaccess Access
• Open access can be
compatible with maintaining
security.
• Visible security
mechanisms serve as
reminders of privacy.
• Access security
mechanisms can reinforce
social work.
48
• Layered v. Flat
Enforcement
49
Contextual v. Lack of Contextual Awareness
Contextual Awareness
Alice selects to show a client’s record on the wall.
While discussing the issue with Rosemary, Judy
enters the room. The system, grays out the display.
Judy leaves, the display returns, and Rosemary
remembers similar client. She says, “Display Sam
Williams” and the system asks for a password. Alice
says the password to the system. The system then
displays the record and emails Alice a new password.
Lack of Contextual Awareness

enters the room, and Alice uses a remote to shut off
the display. Judy leaves, Alice turns the display back
on. Rosemary remembers a similar client, and tries to
pull it up. Rosemary asks Alice what the password is,
and Alice walks over and types it in. The system
displays the record and when they are done
discussing the issue, Alice walks back to her
workstation.
50
Contextual Awareness
enters the room. The system, grays out the display.
Judy leaves, the display returns, and Rosemary
remembers similar client. She says, “Display Sam
Williams” and the system asks for a password. Alice
says the password to the system. The system then
displays the record and emails Alice a new password.
Lack of Contextual Awareness

enters the room, and Alice uses a remote to shut off
the display. Judy leaves, Alice turns the display back
on. Rosemary remembers a similar client, and tries to
pull it up. Rosemary asks Alice what the password is,
and Alice walks over and types it in. The system
displays the record and when they are done
discussing the issue, Alice walks back to her
workstation.
51
• People-centric and rule-

centric policies are not the
same thing
• Balancing the need to
know with privacy.
• Contextual Awareness
supports nefarious activities,
but prohibits communal
awareness.
52
• Layered v. Flat
Enforcement
53
Technological v. Social Enforcement
Social Enforcement
Nancy is visiting for an inspection. She enters and
explains that that a client was unsatisfied with their
information management. Alice shows Nancy her re-
issuing of passwords, her auditing of files, and the
citations she issued leaving stations open. Nancy also
starts to check 5% of client files, inspects the
location, and writes a citation for information being left
out of the client’s file. She then asks for access to the
complainer's file. Nancy reviews the access log and
validates that there were numerous accesses to the
file without changes. Alice explains that she was
unaware of the problem. Nancy issues a citation.
54
Technological v. Social Enforcement
• Social application of rules

affords negotiation.
• Electronic systems and
social systems have different
methods of enforcing
compliance.
55
Discussion
• Seamless & Seamful
• Surveillance
•“Do Nothing” Scenario
56
Discussion
Themes:
• Security & Privacy

Embodiment
• Communities of Security
• Zones of Ambiguity
57
Conclusions
• I used HCI theory and phenomenological analysis to study security and

privacy to understand and evaluate the collaborative practice of managing
sensitive personal information.
• The practices that people do in the management of sensitive information in

childcare centers and physician’s offices are incongruent with current
electronic systems.
• These themes (Security Embodiment, Communities of Security, and Zones of

Ambiguity) cross cut the scenarios as well as the data through different
lenses.
• The goals of security and privacy can be in conflict with the provision of care,
but through considering the presented spectrums we have ways of talking
about how the provision of care can be supported.
58
Thank you
Thank you to Laura Agnich, Monika Akbar, Aubrey Baker, Stacy Branham,
Tom DeHart, Zalia Shams, and Edgardo Vega.
59
Presentation Citations Outside of Dissertation
• The story of the Diana Monkeys was first heard on Radio Lab, on their show
“Wild Talk.” A short description is also provided on this Times story, “Smarter
Than You Think.” The study was published by the Study of Animal Behavior,
with the article titled “The alarm call system of female Campbell’s monkeys.”
60
Research Method
• Research Questions
• Participants & Locations
• Data Collection
• Data Analysis
61
Research Method
• Data Collection
• Data Analysis
62
Research Questions
What breakdowns happen when Used Activity Theory to

the explicit and implicit rules are siphon data to list of
not followed? breakdowns
How are breakdowns Used Phenomenology to

accounted for, negotiated, and create list of themes to
managed in socio-technical understand breakdowns
systems where sensitive
personal information exists?
What are the implicit and explicit Used Near Future scenarios
rules surrounding how to explain guiding principles as
physicians’ offices and childcare implications for design
centers handle sensitive
personal information?
63
Research Method
• Data Collection
• Data Analysis
64
Participants & Locations:
Definitions of Locations
• Childcare center: a facility where parents engage in an service agreement

with a care giver to assume responsibility and provide supervision of the child
for approximately five days a week – less than 24 hours in the day, baring
sickness; hold more than two children under the age of 13; licensed by the
Virginia Department of Social Services (adapted from Virginia Department of
Social Services Website (2010a)) .
• Physician’s Office: a facility where patients engage in a service agreement

with an health care professionals to provide care, education, and treatment to
the patient, usually less serious than to warrant a visit to the hospital
emergency room; seen by appointment and during regular business hours
(adapted from Virginia Board of Medicine Website (2006) and inclusive of
practices as defined by HIPAA to include doctors, clinics, psychologists,
dentists, chiropractors, nursing homes, and pharmacies (2010e)).
65
Rural-Serving Southwest Virginia
Rural and rural-serving care providers have

been found to have the following relevant
characteristics:
• Patients are more likely to be uninsured
(20%)
• Patients are less likely to seek
preventative care and medicine
• Rural regions have fewer physician’s and
dentists per patient, with 10% of physician’s
in this area versus 25% of population
•Infants and adolescent mortality along with
rates of obesity and tobacco use are higher
•41% of local public health agencies
reported funding to be their main
challenged (compared to 26% of non-rural
agencies)
66
Childcare Centers
Childcare center stakeholders:

• Director
• Assistant Director
• Receptionist
• Lead Teacher
• Teacher(s) (substitutes)
• Cook
• Parents
• Children
• Inspectors: DSS State Licensor,
Health Inspector, Fire Marshal
• Early Intervention
67
Physicians’ Offices
Physicians’ Office stakeholders:

• Director
• Assistant Director
• Receptionist(s)
• Nurse(s)
• Doctors, Physician’s assistant,
Nurse Practitioner
• Patients
• Patients’ friends and family
• Pharmacies
• Insurance Company
Representatives
68
Multisite Fieldwork
• Provides perspective on a diversity of issues that are experienced by

numerous people instead of on a micro-culture.
• Examples of use in ethnography (e.g., work of Marcus) and within HCI (e.g.,
work of Wyche).
69
Research Method:

Center Office
Directors Directors
4 Avg Age of Child
14 Months Avg Time
70
Research Method:

Centers & Offices &
Directors Directors
12 Interviews 16 Interviews 21 Interviews

4 Observation Locations 5 Observation Locations
64.5 Hours Observation 61.25 Hours Observation
20 Avg Person Staff Size 10 Avg Person Staff Size 4 Avg Age of Child
85 Avg Children Enrolled 128 Avg Children Enrolled 14 Months Avg Time
71
Research Method
• Data Collection
• Data Analysis
72
Data Collection:
Study 1 & Study 2
Study 1: All data and preliminary analysis of that data collected prior to the
proposal defense. This includes all interviews with childcare center directors,
initial observations of childcare centers, interviews with parents, and the first 13
interviews with physicians’ office directors.
Study 2: All data collected post the research defense and analysis of all data
from all studies. The data collected includes observations of childcare centers
and physicians’ office along with two additional interviews with physicians’
office directors.
73
Data Collection:
Data Sampling
Possible Data Stratified Sampling Method:
Sources • Define groups of to be sampled

that share distinct characteristics
(e.g., childcare centers, physicians’
offices, parents).
• Purposefully diversifies population
to be sampled along specific criteria
• Useful for exploring divergent
versions of an issue to be studied
74
Data Collection:
Interview Protocol & Conducting the Interview
Interview Transcript Sections:
• Demographics
• Information tools, documentation,
and methods
• Catalogued list of stakeholders and
access to client information
• Electronic record tools
Interview Conducted:
• Met at office of agreed location
• Introduction
• Informed Consent
• Recording started
• Interview Questions
• Thanked for time
75
Research Method:
Observation Protocol
Observed Directors
Patient Room Front Office
• Follow-up of interviews to see
differences between official and
Director
unofficial aspects of security
Receptionist • Directors are primarily located
with client files, making their
Me
office a hotspot for client
information access
• Directors are also primarily
located with the computers
76
Data Collection:
Conducting Observation
Observation Notes Covered:
• Actions of directors and anyone in
director’s office
• The location of any visible client
information
• Time stamps of any action
• Any time a client files was accessed
or modified
• Any information that was shared
orally about a client
• Any time the director engaged with a
piece of technology
• Interpretations of activities
77
Data Collection:
Participant Recruitment
Childcare Center Directors
Comprehensive list of all childcare
centers in the NRV area from VA DSS
website. All contacted by phone.
Physician’s Office Directors
List of all offices in Blacksburg &
Christiansburg were canvased by foot.
List expanded to NRV area for
observations.
Parents
Flyers placed in childcare centers,
announcements sent over listserv for
working moms, and advertisements
placed in company newsletter
78
Data Collection:
Training & Preparing for Interviews & Observations
Training Procedure:
• Review prior literature and discuss
• Become familiar and practice
protocols
• Review prior data and reports
• Meet with team to discuss data and
practice with protocols
• Shadowing by experienced
researcher for first session
79
Data Collection:
Data Management
Data is comprised of:
• Interview recordings
• Interview transcripts
• Interview notes
• Forms
• Pictures
• Drawings & diagrams
• Observation notes
• Observation transcripts
• Observation recordings
80
Data Collection
Dates & Times of Observations
Childcare Centers Physicians’ Offices

7 8 9 10 11 12 1 2 3 4 5 6 8 9 10 11 12 1 2 3 4 5
August 30th, 2010 August 16th, 2010
August 31st, 2010 August 19th, 2010
October 13th, 2009 August 19th, 2010
October 15th, 2009 August 23rd, 2010
October 16th, 2009
August 26th, 2010
October 21st, 2009
July 13th, 2010
October 22nd, 2009
July 15th, 2010
October 23rd, 2009
July 1st, 2010
October 26th, 2009
July 6th, 2010
October 29th, 2009
June 7th, 2010
October 30th, 2009
September 14th, 2010 September 1st, 2010
September 15th, 2010 September 7th, 2010
September 2nd, 2010 September 9th, 2010
September 2nd, 2010
September 8th, 2010
September 8th, 2010
September 9th, 2010
81
Research Method
• Data Collection
• Data Analysis
82
Data Analysis:
Activity Theory
Tool
Transformation
Subject Object Process Outcome
Division of
Rules Community
Labor
83
Data Analysis:
Tool
Actor Object Outcome

(ive)
84
Data Analysis:
Filing Cabinets
Open
Nurse Client access
File to files
85
Data Analysis:
Open
File to files File
85
Data Analysis:
Open
File to files File
85
Data Analysis:
Combining Breakdowns
Childcare Director
Accessing
Parent 1 Client
their file
File
86
Data Analysis:
Childcare Director
Accessing
Parent 1 Client
their file
File
Childcare Director
Accessing
Parent 2 Client
their file
File
86
Data Analysis:
Childcare Director
Parent 1 Client File Accessing their file
Childcare Director
Childcare
Parent 2 Client File Accessing their file Director
Childcare Director
Accessing their file Accessing

Parent 3 Client File
Parent Client
their file
Childcare Director 1-11 File
Childcare Director
Childcare Director
87
Data Analysis:
Phenomenology
Data Reading & Describing Classifying Interpreting Representing
Managing Memoing
Evaluating the Group initial Generating a Creating a
Collecting the Reading the
personal codes or textual description of
data and data, writing
experience statements description of the essence
organizing it notes in the
along with the into related the of the
into margins,
essence of the clusters or phenomenon experience
appropriate writing
experience of meaning explaining and
forms and memos,
the units the ‘what’ discussing it
files forming
participants and ‘how’
initial codes
Key Aspects:
• Focusing on the experience of a phenomenon
• Bracketing off individual interpretations
• Respecting and collating different experiences through
horzontalization of data
• Result is a description of the phenomenon answering questions of
‘what’ and ‘how.’
88
Data Analysis:
Classifying Data
To construct themes:
• Reviewed each breakdown
type, read examples
• Collated similar breakdowns
together tagging for cause,
technologies, and people
involved
• Tentative groups memo’d, met
with external researcher to review
them; new groups made, one
dissolved
• Final groups created and
described
89
Data Analysis:
Phenomenological Themes
Breakdown Themes Title Description of Breakdown Themes
Policy Violation When there is an explicit policy governing how sensitive personal information should be
managed, but the policy is not followed.
Access Policy Work-arounds When there is an explicit policy governing how sensitive personal information should be
managed, but the office staff find a method to get around the policy or a loophole.
Beliefs About Security Ideas that people have about security and privacy that are questionably correct.
Human-Technology Mismatch When technology exists that offers a solution, but the people do not like using the
technology thus resulting in a situation that is less secure.
Inadequate Representation in A system exists that has all of the information that is desired, but because of the way the
Available Information System system is set up the user is incapable of using it. This is relevant for issues like access logs.
Information Acquisition The centers having difficulty acquiring information that is sensitive.
Information System Issues The information system exists but results in additional problems relating to managing client
information (e.g. system crashing).
Information Withheld/Hidden Information is sought, and the information exists, but a person enforces a policy restricting
access to that information
Local Negotiation of Content The content that actually goes into the client’s files is negotiated.
Local Negotiation of Policy There is an explicit policy that regulates how the situation is supposed to unfold, but locally
in practice the policy is different.
Access Policy There exists a policy that is restricts access to some needed piece of information.
Practice/Performance Issues In the action of enacting a policy there are difficulties.
Sensitive Information Publicly Sensitive information is viewable to anyone who walks by.
Available
Social Relations Issues Problems that occur socially that then affect client care or the management of client
information.
Synchronizing Information
with Reality
The information that exists in a client file is not representative of some objective reality. 90
Data Analysis:
Phenomenological Themes
Breakdown Themes Title Description of Breakdown Themes
Policy Violation When there is an explicit policy governing how sensitive personal information should be
managed, but the policy is not followed.
Access Policy Work-arounds When there is an explicit policy governing how sensitive personal information should be
managed, but the office staff find a method to get around the policy or a loophole.
Beliefs About Security Ideas that people have about security and privacy that are questionably correct.
Human-Technology Mismatch When technology exists that offers a solution, but the people do not like using the
technology thus resulting in a situation that is less secure.
Inadequate Representation in A system exists that has all of the information that is desired, but because of the way the
Available Information System system is set up the user is incapable of using it. This is relevant for issues like access logs.
Information Acquisition The centers having difficulty acquiring information that is sensitive.
Information System Issues The information system exists but results in additional problems relating to managing client
information (e.g. system crashing).
Information Withheld/ Information is sought, and the information exists, but a person enforces a policy
Hidden restricting access to that information
Local Negotiation of Content The content that actually goes into the client’s files is negotiated.
Local Negotiation of Policy There is an explicit policy that regulates how the situation is supposed to unfold, but locally
in practice the policy is different.
Access Policy There exists a policy that is restricts access to some needed piece of information.
Practice/Performance Issues In the action of enacting a policy there are difficulties.
Sensitive Information Publicly Sensitive information is viewable to anyone who walks by.
Available
Social Relations Issues Problems that occur socially that then affect client care or the management of client
information.
Synchronizing Information
with Reality
The information that exists in a client file is not representative of some objective reality. 91
Data Analysis:
Near Future Scenarios
To construct scenarios:
• Derived problems from
breakdowns and brainstormed
possible solutions
• Constraints for brainstorming
were: could be used within
childcare center or physician’s
office, and had to be in response
to a breakdown
• These scenario ideas were
then organized to reflect
contrasting spectrums
• 8 spectrums derived (e.g.,
access v. inaccess)
92

Security in Practice: Examining The Collaborative Management of Personal Sensitive Information in Childcare Centers and Physician's Offices, Presentation

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Security in Practice: Examining The Collaborative Management of Personal Sensitive Information in Childcare Centers and Physician's Offices, Presentation

Uploaded by

Copyright:

Available Formats

Security in Practice: Examining

the Collaborative Management of

As scientists, we can present new ways

As scientists, we can present new ways

It is only through living the experience

1. Motivation & Related Work

• Push back at belief that

Study of Collaborative Management

• Rural-serving southwest Virginia

• Impacted by local universities

Childcare Physicians’ Parents

Childcare Physicians’ Parents

64.5 Hours Observation 61.25 Hours Observation

20 Avg Person Staff Size 10 Avg Person Staff Size

Patient Room Front Office • Observed Directors of

Receptionist • Primarily sat within office of

Actor Object Outcome

Filing Cabinets Filing Cabinets

Filing Cabinets Filing Cabinets

Breakdown: When a perturbation occurs in the system

Filing Cabinets Filing Cabinets

•What is the role of the individual versus group?

•What is the ambiguity present in any situation?

Files were co-located with the

“The files are accessible by

Patient Room Front Office “The <echo-cardiologist>

Sister • Director is able to pull information

In a single office client

“<people in the office> can

Nurse “Yeah because it doesn’t show

the problem and that’s the feeling of

“... we train our doctors to write it all

• Man in a red bandana who

Director’s Office Lobby Entrance • Casual mention, and no intention

• Only mention by any participant of

•Security & Privacy Embodiment

Security threats as a model for situating security and privacy:

“In these domains the adversarial actions are unintentional, unwelcome,

Security threats as a model for situating security and privacy:

“In these domains the adversarial actions are unintentional, unwelcome,

• Security was not found in activities where:

• There was a conflict between external policies

• When there were uninstantiated policies

• Security was found in activities that were:

•Security & Privacy Embodiment

Role-based authentication. A user is assigned a role that has predefined

“They can access

Care for the Client

See the client

“They can access Update client’s information

Bill the client

Put client files away

•Security & Privacy Embodiment

A zone of ambiguity is where

Social systems afford ambiguity -

Technology articulates and

Who accessed, modifies, and

The values of collaboration is in

Leaving workstations open,

Lack of Contextual Awareness

Lack of Contextual Awareness

• People-centric and rule-

• Social application of rules