Skip to main content

Find us on

facebook youtube flickr twitter itunes u logo

Upcoming Events  

Jenna Weins

Leveraging Data Across Time and Space to Build Predictive Models for Healthcare-Associated Infections
Jenna Wiens
The University of Michigan
Oct 31, 2014
1:45pm - 006 Steele 

cybersec awareness month

My Computer Ate My Data, Changed My Students' Grades and Stole My Money
OR
What all faculty need to know about securing their information
DCAL, 102 Baker Library
Nov 4, 2014 12-1:30pm
Registration required

 

 

 

Recent Talks  

Radu Sion

Computation Privacy and Regulatory Compliance Mechanisms for the Cloud
Radu Sion
Stony Brook University and Private Machines Inc.
May 28, 2013

mechael youtube

Keynote: Securing IT in Healthcare: Part III
Patty Mechael
mHealth Alliance
May 16, 2013

 

Newsletter 

ists newsletter fall 2013

 

ISTS Information Pamphlet


2012BrochureCover

 

Institute for Security, Technology, and Society
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755 USA
info.ists@dartmouth.edu

Information Risk in Data-Oriented Enterprises (IRIDOE)

Project Summary

Many modern industries share and operate on information. As with the rest of society, these industries are moving their operations into electronic settings. In some fields (such as the financial sector), operating on data electronically offers a vital competitive edge; in other fields (such as in health care), operating on data electronically can be a very desirable cost-cutting measure. In both cases, firms are faced with the challenge of channeling the right information to employees, while ensuring that these information systems don't provide data entitlements that inappropriately enable misuse or violate customer privacy. At the same time, these industries are facing increased pressure from American and international governments to comply with new regulations regarding shared data-regulations that are well intentioned, but that perhaps do not fulfill the purpose their writers intended.

This situation creates a volatile mix of problems. Businesses seek to embed their information processes into technological systems, yet many problems cannot be solved using current technologies. Some enterprises (including many in the financial sector) are forced to build custom applications to meet their business goals. Enterprises also need to make rational business and technical decisions that balance information security risk with the cost of risk countermeasures, yet evaluating this risk and estimating that cost is in itself a hard problem.

This situation also offers exciting opportunities for research and education. Dartmouth has expertise that is highly relevant in this space: the PKI/Trust Lab in the Computer Science Department does cutting-edge research in the development of technology that effectively embodies real-world trust patterns, and the Center for Digital Strategies at Tuck is a thought leader in business-technology interaction.

This interdisciplinary project will thus examine both the underlying organizational and business causes, as well as the business costs, of risky information security practices in enterprises. Building on insights gained in Phase 0 (currently in progress under the name IRIPS and funded outside of this proposal), Phase 1 of this project will focus on employee entitlement in financial sector, including role development and lifecycle management.

We will expand the field study collaboration we started in Phase 0, and deliver a document outlining the key security challenges facing developers and managers in enabling appropriate information access. Based on those results we will develop models for entitlement provisioning and role lifecycle management. Additionally, we will develop a simulation to examine the flow of employees and their information needs in a simplified organization, and test our provisioning model on simulated enterprises. In Phase 2 of this project we will complete our work in the financial sector and begin a pilot investigation in the health care industry, with the objective of comparing the problems, issues, techniques and strategies we examined in the first phase and evaluate their possible effectiveness in healthcare.

Overall, understanding the information flows required by enterprises, and the usability and cost issues that constrain effective information security solutions for those flows, will enable researchers to better craft and evaluate information security technology for all business sectors. Researchers in security, PKI, and authorization lament the gap between lab technology and real-world humans; by working in collaboration with financial and healthcare organizations, we hope to reduce that gap and improve the state of information security technology in enterprise environments. This project will benefit data-centric industries, government regulators, technology innovators, and the general public by exploring current practices, current problems, and developing new theories for better mapping security into a data-oriented organization.

Last Updated: 3/14/13