Sharing or Controlling? Examining the Decision to Segregate Information Within the Organization 


There is an intrinsic tension between sharing information and keeping it secret. Within an organization, the requirements to control information must be balanced with the need to share it to achieve the maximum utility from the information, without negative impacts from unauthorized access.

This article discusses recently conducted research that examined the factors considered in the decision to apply access controls to segregate information within an organization. Although related to the topic, the research focused only on the protection of information from insiders—not from outsiders—in essence, protecting it from one’s own associates. The data for the research were gathered by eliciting assessments from a small cadre of policy experts and were analyzed using Bradley-Terry and other techniques for eliciting expert opinion.

Five experts in each of four topic areas were sampled during 2010. The topic areas were law, medicine, finance and government information (a unique, extreme sector of the information space that is formally compartmented or classified). The results are a ranking of decision factors relating to the internal segregation of information and basic rate information on the adverse impacts caused by improper sharing or the impediment of information flow caused by restrictive control measures. This information provides the groundwork for devising efficient organizational policy for situations requiring that information be segregated internally. Useful insights from the experts interviewed are also provided.

Introduction

Figure 1

With respect to information in general, the characteristics of openness and secrecy occupy opposite ends of the spectrum. The publication or sharing of information tends to make the task of preserving its confidentiality more difficult. Similarly, steps taken to increase privacy tend to make sharing more difficult. The spectrum of sharing and protection is illustrated in a notational manner in figure 1.

The granularity of such decisions has long skewed toward the coarse side, identifying groups or classes according to natural boundaries such as corporate affiliation or nationality. However, there are situations in which access and privacy decisions must be made within the organizational space. The risk here may not be primarily of compromise to the outside world, but of compromise within the organization that results in harm to the organization.

Methodology

In the arena of information security, the emphasis is on protecting the enterprise and its resources from external loss or attack, thus limiting the available hard data on internal compromise. For that reason, the data used in this effort were obtained using several techniques to extract assessments from experts. The experts were chosen for their direct involvement in the policy and/or practice of making decisions to restrict access to information within the organization. The sample was skewed toward participants with significant experience, averaging more than 20 years in their fields. For the ranking of decision factors, the method used was the execution of a Bradley-Terry Paired Comparison.1, 2, 3 This is a technique for determining a numerical (rank and weight) preference by having the participants perform a side-by-side comparison of all possible combinations of factors being evaluated. For the numerical estimates, the classic model for the combination of expert judgment was employed without calibration.4

The most significant limitation to this work is the small sample size. However, given the high experience level of the sample and the wide range of subject areas, the results derived should present a reasonable first exploration of the topic.

Topic Area Insight

These descriptions are assembled from the subject interviews to present some insight into the environment and do not purport to be a complete assessment of each field.

Law
In this area, segregated information includes, for example, client case information, patent and intellectual property, and strategic business plans. The standards for the legal community in the US, for example, are primarily set by the applicable state bar association. Case material may be separated; however, this practice is highly dependent on the specific cases being worked, and in some situations there was no internal segregation of client case information at all. In addition to case information, management information, senior partner information, business intelligence and strategic plans may also be segregated.

Finance
In this area, segregated information includes customer financial records, customer personal information, banking operations information and transaction information. The financial industry faces a wide and complex array of legal requirements at both local and federal levels as well as rigorous regulatory requirements from banking/financial associations. In addition to externally imposed rules, banks are subject to following the guidance set out in their customer agreements, which can stipulate privacy protections, thus adding the risk of their violation. In terms of harm, issues with oversight bodies are serious, but transgressions exposed to the public are viewed as more significant because of the potential damage to the institutional reputation.

Medicine
In this area, segregated information includes patient medical information and patient personal information. The medical field has a sharp boundary between care providers and all others (e.g., administrative, business, facility). The care providers must have access to patient information in urgent situations, and systems are, therefore, constructed so that the technical barriers that prevent internal sharing can be bypassed in emergencies. To compensate for the risk of bypassing access controls, extensive audits are performed, either manually or by employing algorithms to discover unauthorized behavior.

Government Formally Compartmented Information
In this area, segregated information includes military and intelligence capabilities and vulnerabilities, intelligence sources, and methods. The government sample for this research is the protection of classified material by formal compartmentation, which applies extremely rigorous internal access control. In these processes, information is bound by a definition and given a unique name (code word), which serves as an identifier for that material. Only personnel specifically authorized for the named compartment may have access. The preponderance of losses from compartments is almost always to other persons who already hold a security clearance, which mitigates the damage.

Decision Factors

There are a number of tests required for the execution of the Bradley-Terry model to evaluate whether the experts committed logical errors (circular triads) or answered randomly. These tests were conducted on the data and none of the 20 experts were eliminated. The UNIBALANCE5 software package from Technical University Delft was used to calculate the validity tests, scalar values and ranking.
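To make the ranking machinery concrete, here is an added Python illustration (not the article's UNIBALANCE computation and not the study's data) that fits Bradley-Terry strengths to pooled expert ballots over the eight factors and counts circular triads per expert as a consistency check; the three constructed experts and their flipped answers are assumptions.

```python
from itertools import combinations

# The eight decision factors in the article's published rank order.
FACTORS = ["Law", "Industry-required", "Minimize loss", "Vulnerabilities revealed",
           "Public expectation", "Financial value", "Embarrassing", "Industry-recommended"]
PAIRS = list(combinations(FACTORS, 2))  # 28 side-by-side comparisons per expert

def ballot_from_ranking(order, flipped=()):
    """Constructed sample data: derive one expert's 28 answers from a total order,
    then flip the listed pairs (given in FACTORS order) to model inconsistent answers."""
    ballot = {(a, b): order.index(a) < order.index(b) for a, b in PAIRS}
    for pair in flipped:
        ballot[pair] = not ballot[pair]
    return ballot

def prefers(ballot, a, b):
    return ballot[(a, b)] if (a, b) in ballot else not ballot[(b, a)]

def circular_triads(ballot):
    """Count intransitive triads (a>b, b>c, c>a). Among three items exactly one
    wins both of its comparisons unless the triad is circular."""
    count = 0
    for a, b, c in combinations(FACTORS, 3):
        wins = [prefers(ballot, a, b) + prefers(ballot, a, c),
                prefers(ballot, b, a) + prefers(ballot, b, c),
                prefers(ballot, c, a) + prefers(ballot, c, b)]
        if max(wins) != 2:
            count += 1
    return count

def consistence(ballot):
    """Kendall's coefficient of consistence 1 - d/d_max; for n items d_max is
    (n^3 - 4n)/24 when n is even and (n^3 - n)/24 when n is odd."""
    n = len(FACTORS)
    d_max = (n**3 - 4 * n) / 24 if n % 2 == 0 else (n**3 - n) / 24
    return 1 - circular_triads(ballot) / d_max

def bradley_terry(ballots, iterations=500):
    """Bradley-Terry strengths (normalised to sum to 1) via the Zermelo/Ford
    iterative maximum-likelihood update over the pooled expert answers."""
    n = len(FACTORS)
    idx = {f: i for i, f in enumerate(FACTORS)}
    wins = [[0] * n for _ in range(n)]  # wins[i][j]: experts preferring i over j
    for ballot in ballots:
        for (a, b), a_over_b in ballot.items():
            i, j = (idx[a], idx[b]) if a_over_b else (idx[b], idx[a])
            wins[i][j] += 1
    total = [sum(row) for row in wins]
    if min(total) == 0:  # the MLE does not exist for a factor that never wins
        raise ValueError("every factor must win at least one comparison")
    p = [1.0 / n] * n
    for _ in range(iterations):
        p = [total[i] / sum((wins[i][j] + wins[j][i]) / (p[i] + p[j])
                            for j in range(n) if j != i) for i in range(n)]
        s = sum(p)
        p = [v / s for v in p]
    return dict(zip(FACTORS, p))

def rank(scores):
    return sorted(scores, key=scores.get, reverse=True)

# Three constructed experts: two fully consistent, one with two flipped answers,
# the first of which forms the circular triad Law > Industry-required > Minimize loss > Law.
EXPERTS = [ballot_from_ranking(FACTORS), ballot_from_ranking(FACTORS),
           ballot_from_ranking(FACTORS, flipped=[("Law", "Minimize loss"),
                                                 ("Embarrassing", "Industry-recommended")])]
```

An expert whose coefficient of consistence falls well below 1 is a candidate for elimination before the pooled fit, which is the kind of screening the article reports applying to its 20 experts.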

A subset of the experts was interviewed to gather a collection of potential factors that were consolidated into eight final items to be evaluated. The interview subjects were repeatedly reminded to focus their answers on internal segregation within the organization, rather than protection from outsiders. Each factor is presented here starting with its ranking (1–8), a short name in bold type, its Bradley-Terry (BT) score, a long form of the item in italic type and brief comments. Figure 2 presents the results broken down by topic area:

  1. Law (BT 0.3710)—The information is protected internally because there are statutes mandating that its confidentiality be protected. This is the information for which there is federal or local law requiring protection.
  2. Industry-required (BT 0.1917)—The information is protected because there are industry standard practices requiring the protective measures. This is the information that is protected in accordance with industry standard practices in which compliance is necessary to obtain a formal accreditation.
  3. Minimize loss (BT 0.1227)—The information is protected to minimize the number of people exposed to the information to prevent external loss. The information is protected because there is a requirement or perception that its exposure be minimized to decrease the probability that it will suffer external loss intentionally or unintentionally.
  4. Vulnerabilities revealed (BT 0.1094)—The information is protected because it reveals vulnerabilities that can be exploited to reach other valuable objects or information. This is the information that reveals a shortcoming in protection or an easy path to the theft of valuable real-world objects, cash, property or services.
  5. Public expectation (BT 0.0697)—The information is protected because the public expects it to be treated confidentially.
  6. Financial value (BT 0.0522)—The information is protected because it can be easily exploited for monetary value. This is the information for which there is an easy path to convert the knowledge for monetary gain.
  7. Embarrassing (BT 0.0436)—The information is protected because it would have a negative organizational impact if revealed to competitors or the public. This is the information that could harm an organization, through, for example, adverse pending legal action, financial difficulties or product deficiencies, if it is lost to competitors or the public.
  8. Industry-recommended (BT 0.0397)—The information is protected because there are industry standard practices recommending the protective measures. This is the information that is protected in accordance with industry standard practices and disseminated by an industry-sponsored/run organization.

Figure 2

Estimating Event Rates

A secondary set of data taken as part of this research was the estimated rates of occurrence of events caused by a failure of the internal controls to keep the information segregated or a failure to share as a result of the internal controls. The impacts were categorized into three classes:

  • Small impact—The event is noted, but requires no remedial action.
  • Medium impact—The event is noted and requires immediate remedial action to prevent the event from occurring again.
  • Large impact—The event is noted, requires immediate remedial action to prevent reoccurrence and requires mitigation of the effects caused by the event.

Event-Rate Results

The rates of internal breaches and failures to share were assessed by asking each expert to estimate the frequency of each category of impact event and to associate a probability with that estimate. These data were used to construct a cumulative distribution function (CDF) for each case. The results were diverse, and figure 3 presents a very rough approximation plot of the median rates vs. the size of the organization. Since the government case is unique, it has been removed, along with several outlying data points. Note that large impact events occur at roughly one-tenth the frequency of small impact events. Also, it can be observed that the rates are not linear with population size, first climbing and then decreasing, indicating that it is not a geometric effect as might be expected. Missing line segments are a result of some experts indicating that specific condition is not possible.

Figure 3

Summary and Observations

The research showed that the top two reasons to segregate information internally are legal requirements and industry standards that result in certification or accreditation. However, the next three factors—minimizing external loss, revealing vulnerabilities and public expectations—are much more subjective in nature, requiring human judgment rather than meeting strict criteria. The rate information indicates that sharing failures tend to occur more often than internal breaches and that the relation of both to population size is nonlinear. A brief recap of pertinent observations from the experts follows:

  • Audit instead of control—Several of the experts, particularly in the medical area, indicated that audit can be used to decrease the amount of control applied to segregate information. This allows greater flexibility in that the material is more accessible, but the audit acts as a deterrent to unauthorized access or use of information because the user population is aware of the monitoring and the consequences.
  • Too much control breeds work-around behavior—If the application of information controls impedes members of the user population in their normal business processes, they will tend to develop methods to circumvent the controls. This can create an environment with more risk than the benefits provided by the control.
  • User population does not recognize the value of information—Several subjects reported that the value of corporate information was not always understood by the general user population, particularly intellectual property. This lack of awareness would lead to users not taking advantage of available methods to minimize the risk of compromise.
  • Manual override to access information—As mentioned in the medical case, a technique for overcoming the negative effects of internal segregation is to enable an override of the protections for urgent situations. This is similar to a fire-alarm button being available, but behind a glass case (“in case of emergency, break the glass”). However, this remedy exists only when the person seeking the information knows that it exists. In some of the situations examined, particularly the government case, users may not be aware that information exists to satisfy their needs and that the internal segregation hinders effectiveness.
  • Impediments to sharing exist only for time-sensitive information—Unlike compromise, an impact from failing to share can occur only if the material in question has some time-sensitive requirement attached. If the information is not needed by a specific point in time, there is no adverse impact as a result of a sharing failure. An example here was business-partner information that, while important, would not be needed for continuing operations.


Endnotes

1 Modarres, Mohammad; Risk Analysis in Engineering, Taylor & Francis Group, USA, 2006
2 Cooke, Roger M.; Experts in Uncertainty: Opinion and Subjective Probability in Science, Oxford University Press, UK, 1991
3 Kendall, Maurice G.; Rank Correlation Methods, 3rd Edition, Hafner Publishing Company, USA, 1962
4 Op cit, Cooke
5 Macutikiewicz, Marcin; Roger M. Cooke; UNIBALANCE Users Manual, Technical University Delft, 2006

Carl A. Foerster is a doctoral candidate at George Washington University. A retired US Air Force Lieutenant Colonel, he is now a scientist for the MITRE Corporation, a not-for-profit, federally funded research and development center. He has worked at all levels of US military/intelligence special programs over the past 30 years and now supports the US Intelligence Community.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2012 ISACA. All rights reserved.