Cracks in the security foundation: Employee judgments about information sensitivity

Michelle L. Kaarst-Brown; E. Dale Thompson

doi:10.1145/2751957.2751977

Cracks in the security foundation: Employee judgments about information sensitivity

Michelle L. Kaarst-Brown, E. Dale Thompson

School of Information Studies

Research output: Chapter in Book/Entry/Poem › Conference contribution

5 Scopus citations

Abstract

Despite the increased focus on IT security, much of our reliance on 'information sensitivity classifications' is based on broadly specified technical 'access controls' or policies and procedures for the handling of organizational data - many of them developed incrementally over decades. One area ignored in research and practice is how human beings make "sensitivity judgments" or 'classify' information they may encounter in everyday activities. This has left what we view as a crack in the IT security foundation. This crack has created a tension between formal IT security classification schema, technical controls, and policy, and the sensitivity judgments that everyday workers must make about the non-coded information they deal with. As noted in government and private reports, a new look at information sensitivity classification is vital to the expanding reach and criticality of information security. Based on a grounded theory study that elicited 188 judgements of sensitive information, we found valuable lessons for IT security in how workers, both in IT and outside of IT, recognize, classify, and react to their human judgments of sensitive information.

Original language	English (US)
Title of host publication	SIGMIS-CPR 2015 - Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research
Publisher	Association for Computing Machinery, Inc
Pages	145-151
Number of pages	7
ISBN (Electronic)	9781450335577
DOIs	https://doi.org/10.1145/2751957.2751977
State	Published - Jun 4 2015
Event	2015 ACM SIGMIS Conference on Computers and People Research, SIGMIS-CPR 2015 - Newport Beach, United States Duration: Jun 4 2015 → Jun 6 2015

Other

Other	2015 ACM SIGMIS Conference on Computers and People Research, SIGMIS-CPR 2015
Country/Territory	United States
City	Newport Beach
Period	6/4/15 → 6/6/15

Keywords

Classification
Employee judgments
Information sensitivity
IT security
Security awareness
Security judgments

ASJC Scopus subject areas

Computer Graphics and Computer-Aided Design
Computer Science Applications
Computer Vision and Pattern Recognition

Access to Document

10.1145/2751957.2751977

Cite this

Kaarst-Brown, ML & Thompson, ED 2015, Cracks in the security foundation: Employee judgments about information sensitivity. in SIGMIS-CPR 2015 - Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research. Association for Computing Machinery, Inc, pp. 145-151, 2015 ACM SIGMIS Conference on Computers and People Research, SIGMIS-CPR 2015, Newport Beach, United States, 6/4/15. https://doi.org/10.1145/2751957.2751977

@inproceedings{eff95bc99e0a43339539456cdbf03194,

title = "Cracks in the security foundation: Employee judgments about information sensitivity",

abstract = "Despite the increased focus on IT security, much of our reliance on 'information sensitivity classifications' is based on broadly specified technical 'access controls' or policies and procedures for the handling of organizational data - many of them developed incrementally over decades. One area ignored in research and practice is how human beings make {"}sensitivity judgments{"} or 'classify' information they may encounter in everyday activities. This has left what we view as a crack in the IT security foundation. This crack has created a tension between formal IT security classification schema, technical controls, and policy, and the sensitivity judgments that everyday workers must make about the non-coded information they deal with. As noted in government and private reports, a new look at information sensitivity classification is vital to the expanding reach and criticality of information security. Based on a grounded theory study that elicited 188 judgements of sensitive information, we found valuable lessons for IT security in how workers, both in IT and outside of IT, recognize, classify, and react to their human judgments of sensitive information.",

keywords = "Classification, Employee judgments, Information sensitivity, IT security, Security awareness, Security judgments",

author = "Kaarst-Brown, {Michelle L.} and Thompson, {E. Dale}",

year = "2015",

month = jun,

day = "4",

doi = "10.1145/2751957.2751977",

language = "English (US)",

pages = "145--151",

booktitle = "SIGMIS-CPR 2015 - Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research",

publisher = "Association for Computing Machinery, Inc",

note = "2015 ACM SIGMIS Conference on Computers and People Research, SIGMIS-CPR 2015 ; Conference date: 04-06-2015 Through 06-06-2015",

}

TY - GEN

T1 - Cracks in the security foundation

T2 - 2015 ACM SIGMIS Conference on Computers and People Research, SIGMIS-CPR 2015

AU - Kaarst-Brown, Michelle L.

AU - Thompson, E. Dale

PY - 2015/6/4

Y1 - 2015/6/4

N2 - Despite the increased focus on IT security, much of our reliance on 'information sensitivity classifications' is based on broadly specified technical 'access controls' or policies and procedures for the handling of organizational data - many of them developed incrementally over decades. One area ignored in research and practice is how human beings make "sensitivity judgments" or 'classify' information they may encounter in everyday activities. This has left what we view as a crack in the IT security foundation. This crack has created a tension between formal IT security classification schema, technical controls, and policy, and the sensitivity judgments that everyday workers must make about the non-coded information they deal with. As noted in government and private reports, a new look at information sensitivity classification is vital to the expanding reach and criticality of information security. Based on a grounded theory study that elicited 188 judgements of sensitive information, we found valuable lessons for IT security in how workers, both in IT and outside of IT, recognize, classify, and react to their human judgments of sensitive information.

AB - Despite the increased focus on IT security, much of our reliance on 'information sensitivity classifications' is based on broadly specified technical 'access controls' or policies and procedures for the handling of organizational data - many of them developed incrementally over decades. One area ignored in research and practice is how human beings make "sensitivity judgments" or 'classify' information they may encounter in everyday activities. This has left what we view as a crack in the IT security foundation. This crack has created a tension between formal IT security classification schema, technical controls, and policy, and the sensitivity judgments that everyday workers must make about the non-coded information they deal with. As noted in government and private reports, a new look at information sensitivity classification is vital to the expanding reach and criticality of information security. Based on a grounded theory study that elicited 188 judgements of sensitive information, we found valuable lessons for IT security in how workers, both in IT and outside of IT, recognize, classify, and react to their human judgments of sensitive information.

KW - Classification

KW - Employee judgments

KW - Information sensitivity

KW - IT security

KW - Security awareness

KW - Security judgments

UR - http://www.scopus.com/inward/record.url?scp=84981341607&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84981341607&partnerID=8YFLogxK

U2 - 10.1145/2751957.2751977

DO - 10.1145/2751957.2751977

M3 - Conference contribution

AN - SCOPUS:84981341607

SP - 145

EP - 151

BT - SIGMIS-CPR 2015 - Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research

PB - Association for Computing Machinery, Inc

Y2 - 4 June 2015 through 6 June 2015

ER -

Cracks in the security foundation: Employee judgments about information sensitivity

Abstract

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this