Cracks in the security foundation: Employee judgments about information sensitivity

Michelle L. Kaarst-Brown, E. Dale Thompson

Research output: Chapter in Book/Entry/PoemConference contribution

8 Scopus citations

Abstract

Despite the increased focus on IT security, much of our reliance on 'information sensitivity classifications' is based on broadly specified technical 'access controls' or policies and procedures for the handling of organizational data - many of them developed incrementally over decades. One area ignored in research and practice is how human beings make "sensitivity judgments" or 'classify' information they may encounter in everyday activities. This has left what we view as a crack in the IT security foundation. This crack has created a tension between formal IT security classification schema, technical controls, and policy, and the sensitivity judgments that everyday workers must make about the non-coded information they deal with. As noted in government and private reports, a new look at information sensitivity classification is vital to the expanding reach and criticality of information security. Based on a grounded theory study that elicited 188 judgements of sensitive information, we found valuable lessons for IT security in how workers, both in IT and outside of IT, recognize, classify, and react to their human judgments of sensitive information.

Original languageEnglish (US)
Title of host publicationSIGMIS-CPR 2015 - Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research
PublisherAssociation for Computing Machinery, Inc
Pages145-151
Number of pages7
ISBN (Electronic)9781450335577
DOIs
StatePublished - Jun 4 2015
Event2015 ACM SIGMIS Conference on Computers and People Research, SIGMIS-CPR 2015 - Newport Beach, United States
Duration: Jun 4 2015Jun 6 2015

Publication series

NameSIGMIS-CPR 2015 - Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research

Other

Other2015 ACM SIGMIS Conference on Computers and People Research, SIGMIS-CPR 2015
Country/TerritoryUnited States
CityNewport Beach
Period6/4/156/6/15

Keywords

  • Classification
  • Employee judgments
  • IT security
  • Information sensitivity
  • Security awareness
  • Security judgments

ASJC Scopus subject areas

  • Computer Graphics and Computer-Aided Design
  • Computer Science Applications
  • Computer Vision and Pattern Recognition

Fingerprint

Dive into the research topics of 'Cracks in the security foundation: Employee judgments about information sensitivity'. Together they form a unique fingerprint.

Cite this