Carl A. Foerster
The focus of the information security community is most often on protecting organizational information from the outside world: hackers and scammers trying to get into the network to steal from or deceive the organization. In keeping with this view, most preventive measures guard the castle walls and the data flowing across them with firewalls, a host of other technical controls and, hopefully, good employee training and vigilance.
Our research looks at another area that also requires attention: internal threats.
Within many organizations there is a need to segregate information internally, so that some of the organization’s own employees cannot access some of its information. The most obvious example is restricting employee personnel records to those people who have a justified need for access. Core business information must often be segregated in the same way, so that those who need it have it and those who do not are prevented from reaching it. This is, of course, the basis of role-based access control, which engineers the system permissions around classes of information need rather than around individual employees.
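To make the segregation concrete, here is a small role-based access control model, written as an added example rather than anything from this paper. The roles, resource classes and the separation-of-duty pair are assumptions chosen to illustrate the personnel-records case above: access is denied by default, a segregation review asks which subjects can reach a resource class, and a subject holding a conflicting role combination is flagged.

```python
from dataclasses import dataclass

# Constructed role -> permission mapping (hypothetical roles and resource
# classes). A permission is an (action, resource_class) pair; anything not
# listed here is denied.
ROLE_PERMISSIONS = {
    "hr_specialist": {("read", "personnel"), ("write", "personnel")},
    "line_manager":  {("read", "personnel_summary")},
    "engineer":      {("read", "product_design"), ("write", "product_design")},
    "auditor":       {("read", "personnel"), ("read", "product_design")},
}

# Assumed separation-of-duty policy: no one subject may hold both roles in a
# pair, because the combination would let one person both maintain and
# certify the same records.
SOD_CONFLICTS = {frozenset({"hr_specialist", "auditor"})}


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset


class RBAC:
    def __init__(self, role_permissions, sod_conflicts=()):
        self.role_permissions = role_permissions
        self.sod_conflicts = set(sod_conflicts)
        self.audit_log = []  # (subject, action, resource_class, decision, role)

    def _granting_role(self, subject, action, resource_class):
        """Return the first role (in sorted order) that grants the permission, else None."""
        for role in sorted(subject.roles):
            if (action, resource_class) in self.role_permissions.get(role, ()):
                return role
        return None

    def is_allowed(self, subject, action, resource_class):
        """Deny by default: grant only if one of the subject's roles holds the permission.
        Every decision, allowed or denied, is recorded in the audit log."""
        role = self._granting_role(subject, action, resource_class)
        decision = "ALLOW" if role else "DENY"
        self.audit_log.append((subject.name, action, resource_class, decision, role))
        return role is not None

    def who_can(self, subjects, action, resource_class):
        """Segregation review: the set of subjects able to perform action on resource_class.
        Does not write to the audit log, since no access is being attempted."""
        return {s.name for s in subjects
                if self._granting_role(s, action, resource_class) is not None}

    def sod_violations(self, subjects):
        """Subjects whose role set contains a conflicting pair (a toxic combination)."""
        return {s.name for s in subjects
                for pair in self.sod_conflicts if pair <= s.roles}


if __name__ == "__main__":
    # Constructed subjects for the demonstration.
    staff = [
        Subject("alice", frozenset({"hr_specialist"})),
        Subject("bob",   frozenset({"engineer"})),
        Subject("carol", frozenset({"auditor"})),
        Subject("dave",  frozenset({"line_manager", "hr_specialist", "auditor"})),
    ]
    rbac = RBAC(ROLE_PERMISSIONS, SOD_CONFLICTS)
    print("bob reads personnel:", rbac.is_allowed(staff[1], "read", "personnel"))
    print("who can read personnel:", sorted(rbac.who_can(staff, "read", "personnel")))
    print("separation-of-duty violations:", sorted(rbac.sod_violations(staff)))
    for entry in rbac.audit_log:
        print("audit:", entry)
```

The `who_can` review is the part a segregation audit actually needs: rather than testing one request at a time, it enumerates everyone who can reach a class of information, so an over-broad role or an accumulated role set such as dave’s shows up before it is exploited.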
What are the factors behind the decisions when those permissions are developed?
That is the essence of our research: examining the underlying decision factors that are considered when controls are applied to information in order to segregate it within the organization. In addition to identifying the factors and gauging their significance, this research takes a limited look at the consequences of failures of internal segregation and at the price paid for achieving this protection.