TY - GEN
T1 - Cracks in the security foundation
T2 - 2015 ACM SIGMIS Conference on Computers and People Research, SIGMIS-CPR 2015
AU - Kaarst-Brown, Michelle L.
AU - Thompson, E. Dale
N1 - Publisher Copyright:
Copyright is held by the author/owner(s).
PY - 2015/6/4
Y1 - 2015/6/4
N2 - Despite the increased focus on IT security, much of our reliance on 'information sensitivity classifications' is based on broadly specified technical 'access controls' or policies and procedures for the handling of organizational data - many of them developed incrementally over decades. One area ignored in research and practice is how human beings make "sensitivity judgments" or 'classify' information they may encounter in everyday activities. This has left what we view as a crack in the IT security foundation. This crack has created a tension between formal IT security classification schema, technical controls, and policy, and the sensitivity judgments that everyday workers must make about the non-coded information they deal with. As noted in government and private reports, a new look at information sensitivity classification is vital to the expanding reach and criticality of information security. Based on a grounded theory study that elicited 188 judgements of sensitive information, we found valuable lessons for IT security in how workers, both in IT and outside of IT, recognize, classify, and react to their human judgments of sensitive information.
AB - Despite the increased focus on IT security, much of our reliance on 'information sensitivity classifications' is based on broadly specified technical 'access controls' or policies and procedures for the handling of organizational data - many of them developed incrementally over decades. One area ignored in research and practice is how human beings make "sensitivity judgments" or 'classify' information they may encounter in everyday activities. This has left what we view as a crack in the IT security foundation. This crack has created a tension between formal IT security classification schema, technical controls, and policy, and the sensitivity judgments that everyday workers must make about the non-coded information they deal with. As noted in government and private reports, a new look at information sensitivity classification is vital to the expanding reach and criticality of information security. Based on a grounded theory study that elicited 188 judgements of sensitive information, we found valuable lessons for IT security in how workers, both in IT and outside of IT, recognize, classify, and react to their human judgments of sensitive information.
KW - Classification
KW - Employee judgments
KW - IT security
KW - Information sensitivity
KW - Security awareness
KW - Security judgments
UR - http://www.scopus.com/inward/record.url?scp=84981341607&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84981341607&partnerID=8YFLogxK
U2 - 10.1145/2751957.2751977
DO - 10.1145/2751957.2751977
M3 - Conference contribution
AN - SCOPUS:84981341607
T3 - SIGMIS-CPR 2015 - Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research
SP - 145
EP - 151
BT - SIGMIS-CPR 2015 - Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research
PB - Association for Computing Machinery, Inc
Y2 - 4 June 2015 through 6 June 2015
ER -