Laurian Vega
February 14th, 2011
Outline
• Research Method
• Discussion
• Communities of Security
• Zones of Ambiguity
Motivation for Work:
Related Work
[Venn diagram: Usable Security, Human-Computer Interaction, Medical Informatics]
Motivation for Work:
Related Work
Usable Security
[Venn diagram: Usable Security, Human-Computer Interaction, Medical Informatics]
Motivation for Work:
Related Work
Human-Computer Interaction
[Venn diagram: Usable Security, Human-Computer Interaction, Medical Informatics]
• The focus on supporting the user; the user is always right
• User actions demonstrate values
• That technology provides unknown potential that will impact privacy
• A need to account for privacy, for which prior models cannot be used
Palen & Dourish (2003). Unpacking "privacy" for a networked world. Conference on Human Factors in Computing Systems, Ft. Lauderdale, Florida, USA, ACM.
Motivation for Work:
Related Work
Medical Informatics
[Venn diagram: Usable Security, Human-Computer Interaction, Medical Informatics]
• Increasing adoption of electronic systems
• National regulation, HIPAA (Health Insurance Portability and Accountability Act)
• Changing relationship between patient, technology, & physician
• Shared awareness & social relationships key for information sharing
Berner, Detmer & Simborg (2005). Will the Wave Finally Break? A Brief View of the Adoption of Electronic Medical Records in the United States. Journal of the American Medical Informatics Association 12(1): pp. 3-7.
Motivation for Work:
Related Work
[Venn diagram: Usable Security, Human-Computer Interaction, Medical Informatics]
• Socio-economic status
• Digital divide
• Different care
• Location types:
  • 13 Childcare Centers
  • 19 Physician’s Offices
Research Method:
Participant Demographics
Parents: 1-2 avg number of children; 4 avg age of child; 14 months avg time
Childcare Centers: 12.5 avg years experience; 20 avg staff size; 85 avg children enrolled
Physicians’ Offices: 20.16 avg years experience; 10 avg staff size; 128 avg children enrolled
Research Method:
Conducting Observations
Research Method:
Observations
Research Method:
Analysis
1. Collected and aggregated data
2. Used Activity Theory to isolate all
breakdowns related to security and
privacy (281 breakdowns)
3. Collated similar breakdowns into
breakdown type (84 breakdown types)
4. Phenomenologically analyzed
breakdowns to thematically categorize
breakdown types (15 Themes)
Security & Privacy Breakdowns
Thought topics...
•What is the threat in each breakdown?
Security & Privacy Breakdowns:
Not Knowing Who Accessed Client Information
[floor plan: Director’s Office, Lobby, Entrance, Infant Room, Kitchen; Director, Lead Teacher]
“The lead teacher in the lobby computer asks <the director> about the password of the computer. This is what she said, ‘Hey <lead teacher>, eventually I will remember the password, but can you tell me now’. <The director> gives out the password loudly. Anyone in the office or lobby or infant room should be able to hear it. It’s a sequence of four digits like 1234.”
Security & Privacy Breakdowns:
Client Information is Permanent
[floor plan: Director’s Office; Director]
“No we even have the deceased; we don’t get rid of anything”
Security & Privacy Breakdowns:
HIPAA Violations
[floor plan: Director’s Office, Entrance, Patient Room; Director, Doctor, Nurse, Patient, Patient’s Spouse]
“<The doctor> comes in and <the director> talks about a phone call earlier...It was a man who was looking for his wife... <the director> said that she would pass on the message to the wife... The doctor said that that was good. But <the nurse> said that was against HIPAA. The doctor jokes that <the nurse> is all HIPAA compliant - he acts like he doesn’t take it very seriously. She says, ‘Well, that is about privacy, what if he was an estranged spouse looking for his wife to kill her’... There isn’t a conclusion on whether or not <the director> did the right thing.”
Security & Privacy Breakdowns:
Licensing Issues
“I tend to, you know 'this is what it says and before I deviate from this, you know I'm going to ask someone. I'm reading it this way is it really ok to do it this way?'”
“<The licensor> has already noted the purse on the child-accessible, unlocked shelf and how she dismissed closer inspection for social reasons. We later learn that she overlooked a can of spray chemicals in an unlocked cabinet in the art room, and an unprotected outlet. Finally, she was made aware that files were not fully updated and said that she would turn the other cheek as long as she didn’t see <the director> actually updating the files. At the end of the day, no violations were reported in the final write-up.”
Security & Privacy Breakdowns:
Staff Catching Incorrect Medical Procedure
[diagram: Stress Test; Administrator]
Security & Privacy Breakdowns:
Menacing Outsider
[diagram: Me; Director]
Discussion
•Communities of Security
•Zones of Ambiguity
Security & Privacy Embodiment:
Threat Models
Security & Privacy Embodiment:
Threat Models & Practice
“Computing systems are only secure in principle. They are rarely secure in practice” ~Bellotti & Sellen
Threat models cannot account for secure practice.
Security & Privacy Embodiment:
Where Security & Privacy are Not Located
• Uninstantiated policies
Security & Privacy Embodiment:
Where Security & Privacy are Located
• Local
• Individual
• Care
• Robustness of Information
Discussion
•Communities of Security
•Zones of Ambiguity
Communities of Security
[floor plan: Entrance, Patient Room, Director’s Office, Patient Room; Patient, Patient’s Family, Doctor, Nurse, Patient]
• Supporting the community in their shared task of security and privacy
• The activity of managing sensitive information is collaborative, yet security is considered an individual task - supporting the “user”
• Childcare centers and physicians’ offices personnel did not consider their work individual
Communities of Security:
Roles, Role-Based Access Control
[diagram of roles linked to the artifacts they touch]
Roles: Patient, Patient’s Family, Director, Receptionist, Doctor, Nurse
Artifacts: Patient’s Medical Record, Patient’s Billing Record, Post-it Notes Attached to Patient Record, Schedule
Communities of Security:
Roles representing work
[diagram: work the roles actually do]
• Pat backs
• Answer questions
• Pay bills
Communities of Security:
Relationships & Mediation
[diagram: Client]
• Relationships as mediators
• “Privacy is not simply a way that information is managed but how social relations are managed” (Dourish & Anderson 2006)
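As an added example (not from the study, the slides or any system the offices used), a small Python model of the point made on the "Roles, Role-Based Access Control" slide and the "Roles representing work" and "Relationships & Mediation" slides: a static role matrix cannot express the work the observed roles actually do (a family member paying the bill, staff reading the Post-it stuck to the record), while a policy that treats a social relationship as a delegation can. The role-permission matrix, the owner mapping, the named people, the delegation and the observed tasks are all constructed assumptions.

```python
"""Static RBAC versus relationship-mediated access (constructed illustration)."""
from dataclasses import dataclass

# Artifacts named on the slides. Who "owns" each one is an assumption; the
# Post-it note has no owner in any formal model, which is the point.
OWNER_OF = {
    "medical_record": "Reese",
    "billing_record": "Reese",
    "schedule": "office",
    "post_it_on_record": None,
}

# Role -> allowed (artifact, action) pairs. Assumed policy in the flat,
# per-user style the slides criticise; the family role has no standing.
RBAC_POLICY = {
    "Doctor": {("medical_record", "read"), ("medical_record", "write")},
    "Nurse": {("medical_record", "read"), ("billing_record", "read")},
    "Receptionist": {("schedule", "read"), ("schedule", "write"),
                     ("billing_record", "read")},
    "Director": {("billing_record", "read"), ("billing_record", "write"),
                 ("schedule", "read")},
    "Patient": {("medical_record", "read"), ("billing_record", "read")},
    "PatientFamily": set(),
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


@dataclass(frozen=True)
class Delegation:
    """A socially mediated grant: `delegator` lets `delegate` act on `artifact`."""
    delegator: str
    delegate: str
    artifact: str
    actions: frozenset


def rbac_allows(principal: Principal, artifact: str, action: str) -> bool:
    """Decision of the role matrix alone."""
    return (artifact, action) in RBAC_POLICY.get(principal.role, set())


def relationship_allows(principal: Principal, artifact: str, action: str,
                        delegations: list) -> bool:
    """Role matrix first; otherwise allow if the artifact's owner delegated
    this action to this person. Ownerless artifacts cannot be delegated."""
    if rbac_allows(principal, artifact, action):
        return True
    owner = OWNER_OF.get(artifact)
    if owner is None:
        return False
    return any(d.delegator == owner and d.delegate == principal.name
               and d.artifact == artifact and action in d.actions
               for d in delegations)


# Constructed people and observations, modelled on the work the slides list.
REESE = Principal("Reese", "Patient")
ALICE = Principal("Alice", "PatientFamily")   # pays Reese's bills
NURSE = Principal("Pat", "Nurse")

DELEGATIONS = [
    Delegation("Reese", "Alice", "billing_record", frozenset({"read", "write"})),
]

OBSERVED = [
    ("family member pays the bill", ALICE, "billing_record", "write"),
    ("nurse answers a question from the medical record", NURSE, "medical_record", "read"),
    ("nurse reads the Post-it stuck to the record", NURSE, "post_it_on_record", "read"),
]


def evaluate(delegations=DELEGATIONS) -> dict:
    """Map each observed task to (rbac_decision, relationship_decision)."""
    return {task: (rbac_allows(p, art, act),
                   relationship_allows(p, art, act, delegations))
            for task, p, art, act in OBSERVED}


if __name__ == "__main__":
    for task, (rbac, rel) in evaluate().items():
        print(f"{task:50s} RBAC={'allow' if rbac else 'deny':5s} "
              f"relationship={'allow' if rel else 'deny'}")
```

Run it and the first task is denied by the role matrix but allowed once the patient's delegation to a family member is represented; the second is allowed by both; the Post-it is denied by both, because neither model has a place for an informal artifact that every role in the office reads.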
Discussion
•Communities of Security
•Zones of Ambiguity
Zones of Ambiguity
Zones of Ambiguity:
Accountability is Ambiguous
Zones of Ambiguity:
Information Management is Ambiguous
[diagram: Teacher, Lead Teacher, Cook, Licensor, Owner, Bus Driver]
The ambiguity over information management allows centers to create a facade and for clients to continue going to the center without expending energy to become knowledgeable
Zones of Ambiguity:
‘Client’ is Ambiguous
Security & Privacy Scenarios
[diagram: Patient, Patient’s Family, Director, Receptionist, Doctor]
• Access v. Inaccess
• Anonymity v. Visibility
• Permanence v. Decay
• Centralization v. Decentralization
• Layered v. Flat
• Contextual Awareness v. Lack of Contextual Awareness
• Technological v. Social
Security & Privacy Scenarios:
Center-managed Privacy v. Client-managed
Security & Privacy Scenarios:
Center-managed Privacy v. Client-managed
[mockup: a “clientbook” social-network page for the client Reese, dated January 25th, 2011, with a post from a doctor (“The results from your urine analysis indicate that ... more”) and one from a friend (“Hey Reese, saw your latest x-rays. Wow, scary stuff!”), each with lock, like and comment controls]
• Access reflects ownership
• Ambiguity over ownership
• Sharing access with external people
Conclusions
• Security & Privacy are deeply embodied into the care and robustness of
information and are local and individually enacted
• Security & Privacy are communal and systems should be designed to support
collaborative tasks, not individual
Thank you
Thank you to Laura Agnich, Monika Akbar, Aubrey Baker, Stacy Branham,
Tom DeHart, Zalia Shams, and Edgardo Vega.
Definitions:
Childcare Center & Physician’s Office
Rigor & Phenomenology
• However...
• Armour, Marilyn, Stephanie L. Rivaux and Holly Bell (2009). "Using Context to Build Rigor." Qualitative Social Work 8(1): 101-122.
• Creswell, John W. (2007). Qualitative Inquiry and Research Design: Choosing Among Five Approaches. Thousand Oaks, California, Sage Publications, Inc.
Research Method:
Phenomenology
Data Managing: Collecting the data and organizing it into appropriate forms and files
Reading & Memoing: Reading the data, writing notes in the margins, writing memos, forming initial codes
Describing: Evaluating the personal experience along with the essence of the experience of the participants
Classifying: Group initial codes or statements into related clusters or meaning units
Interpreting: Generating a textual description of the phenomenon explaining the ‘what’ and ‘how’
Representing: Creating a description of the essence of the experience and discussing it
Research Method:
Activity Theory
[activity-system triangle: Tool at the apex; Subject, Object, Transformation Process and Outcome across the middle; Rules, Community and Division of Labor along the base]
Research Method:
Activity Theory
[activity-system triangle applied to a physician’s office]
Subject: Receptionist
Object: Organize files; in+out patient; add incoming information; fax relevant information
Tool: Filing Cabinets within reach
Rules: Discussion of HIPAA
Community: Local Practice, Physician’s Office
Violations: