1
Diana Monkeys & Klaus Zuberbühler
2
Unknown environments appear chaotic;
focusing on one element provides clarity
3
Outline
• Access v. Inaccess
Scenarios
• Contextual Awareness v.
Lack of Contextual
Awareness
• Technological v. Social
Enforcement
4
Motivation for Work
Related Work
[Diagram: Usable Security, Human-Computer Interaction, Medical Informatics]
5
Motivation for Work:
Related Work
Usable Security
Human-Computer Interaction
• The focus on
supporting the user; the
user is always right
• User actions
demonstrate values
• That technology
provides unknown
potential that will impact
privacy
• A need to account for privacy, for which prior models cannot be used
Palen & Dourish (2003). Unpacking "privacy" for a networked world. Conference on Human Factors in Computing Systems, Ft. Lauderdale, Florida, USA, ACM.
7
Motivation for Work:
Related Work
Medical Informatics
• Increasing adoption of
electronic systems
• National regulation,
HIPAA (Health Insurance
Portability and
Accountability Act)
• Changing relationship
between patient,
technology, & physician
• Shared awareness & social relationships key for information sharing
Berner, Detmer & Simborg (2005): Will the Wave Finally Break? A Brief View of the Adoption of Electronic Medical Records in the United States. Journal of American Medical Informatics Association. 12(1): pp.3-7.
8
• Socio-economic status
• Digital divide
• Different care
• Location types:
• 12 Childcare Centers
• 19 Physician’s Offices
10
Research Method:
Participant Demographics
12.5 Avg Years Experience 20.16 Avg Years Experience 1-2 Avg Number of Children
4 Avg Age of Child
14 Months Avg Time
11
Research Method:
Participant Demographics
12
Research Method:
Conducting Observations
14
Research Method:
Analysis
1. Collected and aggregated data
2. Used Activity Theory to isolate all
breakdowns related to security and
privacy (281 breakdowns)
3. Collated similar breakdowns into
breakdown type (84 breakdown types)
4. Phenomenologically analyzed
breakdowns to thematically categorize
breakdown types (15 Themes)
15
Research Method:
Analysis, Sample Breakdown
Tool
16
Research Method:
Analysis, Sample Breakdown
Access Policy Violations:
Discussion of HIPAA Violations
[Diagram: Filing Cabinets; Nurse; Client File; Open access to files]
17
Research Method:
Analysis, Sample Breakdown
Access Policy Violations:
Discussion of HIPAA Violations
[Diagram: Nurse; Client File; Open access to files; Privacy; Client File; Nurse]
17
Research Method:
Analysis, Definition of Breakdown
[Diagram: Nurse; Client File; Open access to files; Privacy; Client File; Nurse]
18
Research Method:
Analysis
1. Collected and aggregated data
2. Used Activity Theory to isolate all
breakdowns related to security and
privacy (281 breakdowns)
3. Collated similar breakdowns into
breakdown type (84 breakdown types)
4. Phenomenologically analyzed
breakdowns to thematically categorize
breakdown types (15 Themes)
19
Security & Privacy Breakdowns
Thought topics...
• What is the threat in each breakdown?
21
Security & Privacy Breakdowns:
Client Information Left in the Open
22
Security & Privacy Breakdowns:
Staff Catching Incorrect Medical Procedure
[Diagram label: Stress Test Administrator]
23
Security & Privacy Breakdowns:
Missing Child
[Diagram label: School]
Salient Points:
• Bus driver discovers he cannot contact either parent with the information on the bus, calls center.
• Assistant Director confesses she has not updated bus information because she also does not have it.
• Assistant Director gets cell phone from sister childcare; mother still does not pick up phone
24
Security & Privacy Breakdowns:
Getting Information Purposefully Not in File
25
Security & Privacy Breakdowns:
Sharing Login
[Floor plan labels: Director’s Office, Lobby, Entrance, Infant Room, Kitchen, Director, Lead Teacher]
“The lead teacher in the lobby computer asks <the director> about the password of the computer. This is what she said, ‘Hey <lead teacher>, eventually I will remember the password, but can you tell me now’. <The director> gives out the password loudly. Anyone in the office or lobby or infant room should be able to hear it. It’s a sequence of four digits like 1234.”
26
Security & Privacy Breakdowns:
Parents Not Knowing Who Can Access Their File
Childcare Center
[Diagram labels: Director’s Office, Parents, Teacher, Lead Teacher, Cook, Licensor, Owner, Bus Driver]
Who do you think can access your child’s file?
“I guess the officers in the day care the main teacher the director... I guess some of the confidential information even the teachers cannot get just the officers”
“You know I'm probably guessing that the director or enrollment person probably has access to that.”
“No idea. Never thought about it.”
“Right. I am really not sure.”
27
Security & Privacy Breakdowns:
Not Knowing Who Accessed Client Information
Nurse Practitioner
28
Security & Privacy Breakdowns:
Children’s Pictures on Facebook
[Mock Facebook page: posts by "Lady Teacher" and "Other Teacher", dated January 25th, 2011; "Lady Teacher and Other Teacher are now friends."]
“Two or three of the teachers had friended me on Facebook. And a week later in looking at their Facebook I noticed that they had pictures of the children playing in that daycare... I called the daycare and told the director... Then when I got there to pick them up the owner was there. So she pulled me aside and apologized and said that it would get fixed. And they brought all the securities, teachers into the office and watched them take the picture down off from the internet before they left that day. So, they are definitely on it as far as fixing
29
Security & Privacy Breakdowns:
Hesitation about Writing or Storing Information
Me Director
32
Discussion
• Communities of Security
• Zones of Ambiguity
33
Security & Privacy Embodiment:
Threat Models
34
Security & Privacy Embodiment:
Threat Models & Practice
“Computing systems are only secure in principle. They are rarely secure in
practice” ~Bellotti & Sellen
Threat models cannot account for secure practice.
35
Security & Privacy Embodiment
• Local
• Individual
• Care
• Robustness of Information
36
Discussion
• Communities of Security
• Zones of Ambiguity
37
Communities of Security
[Floor plan labels: Entrance, Patient Room, Patient, Patient’s Family, Doctor, Director’s Office, Nurse, Patient Room]
• Supporting the community in their shared task of security and privacy
• The activity of managing sensitive information is collaborative, yet security is considered an individual task - supporting the “user”
• Childcare centers and physicians’ offices personnel did not consider their work individual
38
Communities of Security:
Roles, Role Based Authentication
Patient Patient’s Medical Record
Patient’s Family Patient’s Billing Record
Director Post-it Notes Attached to Patient Record
Receptionist Schedule
Doctor Patient’s Medical Record
Nurse Patient’s Billing Record
39
Communities of Security:
Roles representing work
Pat backs
Answer questions
Pay bills
40
Discussion
• Communities of Security
• Zones of Ambiguity
41
Zones of Ambiguity
42
Zones of Ambiguity:
Accountability is Ambiguous
43
Security & Privacy Scenarios
• Access v. Inaccess
• Anonymity v. Visibility
• Permanence v. Decay
• Centralization v. Decentralization
• Layered v. Flat
• Contextual Awareness v. Lack
of Contextual Awareness
• Center-managed Privacy v.
Client managed Privacy
• Technological v. Social
Enforcement
44
Security & Privacy Scenarios
Actors & Location
Actors:
• Alice: Works in the center and has
moderate access to information
• Rosemary: Works with Alice, less
access
• Nancy: A new regulator checking
centers for information management
Location:
• Interrupting phone calls, little time
to handle tasks
• People constantly entering and
leaving
• Stack of work sitting on desks
45
Security & Privacy Scenarios
• Access v. Inaccess
• Anonymity v. Visibility
• Permanence v. Decay
• Centralization v. Decentralization
• Layered v. Flat
• Contextual Awareness v. Lack
of Contextual Awareness
• Center-managed Privacy v.
Client managed Privacy
• Technological v. Social
Enforcement
46
Security & Privacy Scenarios:
Access v. Inaccess
Access
Alice hangs up and walks to the open cabinets, finds the client’s file, and writes down private information. However, she could not find everything so she goes to the shared computer. She quickly pulls up the record, and then returns to the phone.
Inaccess
Alice hangs up and walks to the client file room entering her door code. She goes to the filing cabinets and enters her password, finds the client file, and logs her name on the outside of the file. However, she could not find everything so she goes over to the computer station entering her password. She pulls up the record, can see the previous accessers, and tries to find the additional information. She realizes that she cannot access it. She logs out of the computer, and passes a message to the director.
47
Security & Privacy Scenarios:
Access v. Inaccess
Inaccess Access
• Open access can be
compatible with maintaining
security.
• Visible security
mechanisms serve as
reminders of privacy.
• Access security
mechanisms can reinforce
social work.
48
Security & Privacy Scenarios
• Access v. Inaccess
• Anonymity v. Visibility
• Permanence v. Decay
• Centralization v. Decentralization
• Layered v. Flat
• Contextual Awareness v. Lack
of Contextual Awareness
• Center-managed Privacy v.
Client managed Privacy
• Technological v. Social
Enforcement
49
Security & Privacy Scenarios:
Contextual v. Lack of Contextual Awareness
Contextual Awareness
Alice selects to show a client’s record on the wall. While discussing the issue with Rosemary, Judy enters the room. The system grays out the display. Judy leaves, the display returns, and Rosemary remembers a similar client. She says, “Display Sam Williams” and the system asks for a password. Alice says the password to the system. The system then displays the record and emails Alice a new password.
50
Security & Privacy Scenarios:
Contextual v. Lack of Contextual Awareness
52
Security & Privacy Scenarios
• Access v. Inaccess
• Anonymity v. Visibility
• Permanence v. Decay
• Centralization v. Decentralization
• Layered v. Flat
• Contextual Awareness v. Lack
of Contextual Awareness
• Center-managed Privacy v.
Client managed Privacy
• Technological v. Social
Enforcement
53
Security & Privacy Scenarios:
Technological v. Social Enforcement
Social Enforcement
Nancy is visiting for an inspection. She enters and explains that a client was unsatisfied with their information management. Alice shows Nancy her re-issuing of passwords, her auditing of files, and the citations she issued for leaving stations open. Nancy also starts to check 5% of client files, inspects the location, and writes a citation for information being left out of the client’s file. She then asks for access to the complainer's file. Nancy reviews the access log and validates that there were numerous accesses to the file without changes. Alice explains that she was unaware of the problem. Nancy issues a citation.
54
Security & Privacy Scenarios:
Technological v. Social Enforcement
55
Security & Privacy Scenarios:
Discussion
• Surveillance
56
Security & Privacy Scenarios:
Discussion
Themes:
• Communities of Security
• Zones of Ambiguity
57
Conclusions
• The goals of security and privacy can be in conflict with the provision of care,
but through considering the presented spectrums we have ways of talking
about how the provision of care can be supported.
58
Thank you
Thank you to Laura Agnich, Monika Akbar, Aubrey Baker, Stacy Branham,
Tom DeHart, Zalia Shams, and Edgardo Vega.
59
Presentation Citations Outside of Dissertation
• The story of the Diana Monkeys was first heard on Radio Lab, on their show
“Wild Talk.” A short description is also provided on this Times story, “Smarter
Than You Think.” The study was published by the Study of Animal Behavior,
with the article titled “The alarm call system of female Campbell’s monkeys.”
60
Research Method
• Research Questions
• Data Collection
• Data Analysis
61
Research Questions
What are the implicit and explicit rules surrounding how physicians’ offices and childcare centers handle sensitive personal information?
Used Near Future scenarios to explain guiding principles as implications for design
63
Research Method
• Research Questions
• Data Collection
• Data Analysis
64
Participants & Locations:
Definitions of Locations
65
Participants & Locations:
Rural-Serving Southwest Virginia
67
Participants & Locations:
Physicians’ Offices
68
Participants & Locations:
Multisite Fieldwork
• Examples of use in ethnography (e.g., work of Marcus) and within HCI (e.g.,
work of Wyche).
69
Research Method:
Participant Demographics
12.5 Avg Years Experience 20.16 Avg Years Experience 1-2 Avg Number of Children
20 Avg Person Staff Size 10 Avg Person Staff Size 4 Avg Age of Child
85 Avg Children Enrolled 128 Avg Children Enrolled 14 Months Avg Time
71
Research Method
• Research Questions
• Data Collection
• Data Analysis
72
Data Collection:
Study 1 & Study 2
Study 1: All data and preliminary analysis of that data collected prior to the
proposal defense. This includes all interviews with childcare center directors,
initial observations of childcare centers, interviews with parents, and the first 13
interviews with physicians’ office directors.
Study 2: All data collected after the research defense and analysis of all data from all studies. The data collected includes observations of childcare centers and physicians’ offices along with two additional interviews with physicians’ office directors.
73
Data Collection:
Data Sampling
74
Data Collection:
Interview Protocol & Conducting the Interview
Interview Transcript Sections:
• Demographics
• Information tools, documentation,
and methods
• Catalogued list of stakeholders and
access to client information
• Electronic record tools
Interview Conducted:
• Met at office of agreed location
• Introduction
• Informed Consent
• Recording started
• Interview Questions
• Thanked for time
75
Research Method:
Observation Protocol
Observed Directors
[Floor plan labels: Patient Room, Front Office, Director, Receptionist, Me]
• Follow-up of interviews to see differences between official and unofficial aspects of security
• Directors are primarily located with client files, making their office a hotspot for client information access
• Directors are also primarily located with the computers
76
Data Collection:
Conducting Observation
Observation Notes Covered:
• Actions of directors and anyone in
director’s office
• The location of any visible client
information
• Time stamps of any action
• Any time a client file was accessed
or modified
• Any information that was shared
orally about a client
• Any time the director engaged with a
piece of technology
• Interpretations of activities
77
Data Collection:
Participant Recruitment
Childcare Center Directors
Comprehensive list of all childcare
centers in the NRV area from VA DSS
website. All contacted by phone.
Physician’s Office Directors
All offices in Blacksburg &
Christiansburg were canvassed by foot.
List expanded to NRV area for
observations.
Parents
Flyers placed in childcare centers,
announcements sent over listserv for
working moms, and advertisements
placed in company newsletter
78
Data Collection:
Training & Preparing for Interviews & Observations
Training Procedure:
• Review prior literature and discuss
• Become familiar and practice
protocols
• Review prior data and reports
• Meet with team to discuss data and
practice with protocols
• Shadowing by experienced
researcher for first session
79
Data Collection:
Data Management
Data is comprised of:
• Interview recordings
• Interview transcripts
• Interview notes
• Forms
• Pictures
• Drawings & diagrams
• Observation notes
• Observation transcripts
• Observation recordings
80
Data Collection
Dates & Times of Observations
81
Research Method
• Research Questions
• Data Collection
• Data Analysis
82
Data Analysis:
Activity Theory
[Activity Theory diagram: Tool, Subject, Object, Rules, Community, Division of Labor; Transformation Process; Outcome]
83
Data Analysis:
Analysis, Sample Breakdown
Tool
84
Data Analysis:
Analysis, Sample Breakdown
Access Policy Violations:
Discussion of HIPAA Violations
[Diagram: Filing Cabinets; Nurse; Client File; Open access to files]
85
Data Analysis:
Analysis, Sample Breakdown
Access Policy Violations:
Discussion of HIPAA Violations
[Diagram: Nurse; Client File; Open access to files; Privacy; Client File; Nurse]
85
Data Analysis:
Combining Breakdowns
[Diagram: two breakdowns side by side. First: Childcare Director; Parent 1; Client File; Accessing their file. Second: Childcare Director; Parent 2; Client File; Accessing their file]
86
Data Analysis:
Combining Breakdowns
[Diagram: combined breakdowns. Childcare Director (repeated); Parent 2; Client File; Accessing their file]
87
Data Analysis:
Phenomenology
• Data Managing: Collecting the data and organizing it into appropriate forms and files
• Reading & Memoing: Reading the data, writing notes in the margins, writing memos, forming initial codes
• Describing: Evaluating the personal experience along with the essence of the experience of the participants
• Classifying: Group initial codes or statements into related clusters or meaning units
• Interpreting: Generating a textual description of the phenomenon explaining the ‘what’ and ‘how’
• Representing: Creating a description of the essence of the experience and discussing it
Key Aspects:
• Focusing on the experience of a phenomenon
• Bracketing off individual interpretations
• Respecting and collating different experiences through
horizontalization of data
• Result is a description of the phenomenon answering questions of
‘what’ and ‘how.’
88
Data Analysis:
Classifying Data
To construct themes:
• Reviewed each breakdown
type, read examples
• Collated similar breakdowns
together tagging for cause,
technologies, and people
involved
• Tentative groups memo’d, met
with external researcher to review
them; new groups made, one
dissolved
• Final groups created and
described
89
Data Analysis:
Phenomenological Themes
Breakdown Themes (title: description)
• Policy Violation: When there is an explicit policy governing how sensitive personal information should be managed, but the policy is not followed.
• Access Policy Work-arounds: When there is an explicit policy governing how sensitive personal information should be managed, but the office staff find a method to get around the policy or a loophole.
• Beliefs About Security: Ideas that people have about security and privacy that are questionably correct.
• Human-Technology Mismatch: When technology exists that offers a solution, but the people do not like using the technology, thus resulting in a situation that is less secure.
• Inadequate Representation in Available Information System: A system exists that has all of the information that is desired, but because of the way the system is set up the user is incapable of using it. This is relevant for issues like access logs.
• Information Acquisition: The centers having difficulty acquiring information that is sensitive.
• Information System Issues: The information system exists but results in additional problems relating to managing client information (e.g. system crashing).
• Information Withheld/Hidden: Information is sought, and the information exists, but a person enforces a policy restricting access to that information.
• Local Negotiation of Content: The content that actually goes into the client’s files is negotiated.
• Local Negotiation of Policy: There is an explicit policy that regulates how the situation is supposed to unfold, but locally in practice the policy is different.
• Access Policy: There exists a policy that restricts access to some needed piece of information.
• Practice/Performance Issues: In the action of enacting a policy there are difficulties.
• Sensitive Information Publicly Available: Sensitive information is viewable to anyone who walks by.
• Social Relations Issues: Problems that occur socially that then affect client care or the management of client information.
• Synchronizing Information with Reality: The information that exists in a client file is not representative of some objective reality.
90
Data Analysis:
Near Future Scenarios
To construct scenarios:
• Derived problems from
breakdowns and brainstormed
possible solutions
• Constraints for brainstorming
were: could be used within
childcare center or physician’s
office, and had to be in response
to a breakdown
• These scenario ideas were
then organized to reflect
contrasting spectrums
• 8 spectrums derived (e.g.,
access v. inaccess)
92