Carl A. Foerster
There is an intrinsic tension between sharing information and keeping it secret. Within an organization, the requirements to control information must be balanced with the need to share it to achieve the maximum utility from the information, without negative impacts from unauthorized access.
This article discusses recently conducted research that examined the factors considered in the decision to apply access controls to segregate information within an organization. Although related to the topic, the research focused only on the protection of information from insiders—not from outsiders—in essence, protecting it from one’s own associates. The data for the research were gathered by eliciting assessments from a small cadre of policy experts and were analyzed using Bradley-Terry and other techniques for eliciting expert opinion.
Five experts in each of four topic areas were sampled during 2010. The topic areas were law, medicine, finance and government information (a unique, extreme sector of the information space that is formally compartmented or classified). The results are a ranking of decision factors relating to the internal segregation of information and basic rate information on the adverse impacts caused by improper sharing or the impediment of information flow caused by restrictive control measures. This information provides the groundwork for devising efficient organizational policy for situations requiring that information be segregated internally. Useful insights from the experts interviewed are also provided.
With respect to information in general, the characteristics of openness and secrecy occupy opposite ends of the spectrum. The publication or sharing of information tends to make the task of preserving its confidentiality more difficult. Similarly, steps taken to increase privacy tend to make sharing more difficult. The spectrum of sharing and protection is illustrated in a notational manner in figure 1.
The granularity of such decisions has long skewed toward the coarse side, identifying groups or classes according to natural boundaries such as corporate affiliation or nationality. However, there are situations in which access and privacy decisions must be made within the organizational space. The risk here may not be primarily of compromise to the outside world, but of compromise within the organization that results in harm to the organization.
In the arena of information security, the emphasis is on protecting the enterprise and its resources from external loss or attack, thus limiting the available hard data on internal compromise. For that reason, the data used in this effort were obtained using several techniques to extract assessments from experts. The experts were chosen for their direct involvement in the policy and/or practice of making decisions to restrict access to information within the organization. The sample was skewed toward participants with significant experience, averaging more than 20 years in their fields. For the ranking of decision factors, the method used was the execution of a Bradley-Terry Paired Comparison.[1, 2, 3] This is a technique for determining a numerical (rank and weight) preference by having the participants perform a side-by-side comparison of all possible combinations of factors being evaluated. For the numerical estimates, the classic model for the combination of expert judgment was employed without calibration.[4]
The most significant limitation to this work is the small sample size. However, given the high experience level of the sample and the wide range of subject areas, the results derived should present a reasonable first exploration of the topic.
These descriptions are assembled from the subject interviews to present some insight into the environment and do not purport to be a complete assessment of each field.
Law
In this area, segregated information includes, for example, client case information, patent and intellectual property, and strategic business plans. The standards for the legal community in the US, for example, are primarily set by the applicable state bar association. Case material may be separated; however, this practice is highly dependent on the specific cases being worked, and in some situations there was no internal segregation of client case information. In addition to case information, management information, senior partner information, business intelligence and strategic plans may also be segregated.
Finance
In this area, segregated information includes customer financial records, customer personal information, banking operations information and transaction information. The financial industry faces a wide and complex array of legal requirements at both local and federal levels as well as rigorous regulatory requirements from banking/financial associations. In addition to externally imposed rules, banks are subject to following the guidance set out in their customer agreements, which can stipulate privacy protections, thus adding the risk of their violation. In terms of harm, issues with oversight bodies are serious, but transgressions exposed to the public are viewed as more significant because of the potential damage to the institutional reputation.
Medicine
In this area, segregated information includes patient medical information and patient personal information. The medical field has a sharp boundary between care providers and all others (e.g., administrative, business, facility). The care providers must have access to patient information in urgent situations, and systems are, therefore, constructed so that the technical barriers that prevent internal sharing can be bypassed in emergencies. To compensate for the risk of bypassing access controls, extensive audits are performed, either manually or by employing algorithms to discover unauthorized behavior.
Government Formally Compartmented Information
In this area, segregated information includes military and intelligence capabilities and vulnerabilities, intelligence sources, and methods. The government sample for this research is the protection of classified material by formal compartmentation, which applies extremely rigorous internal access control. In these processes, information is bound by a definition and given a unique name (code word), which serves as an identifier for that material. Only personnel specifically authorized for the named compartment may have access. Nearly all losses from compartments are to other persons who already possess a security clearance, which mitigates the damage.
There are a number of tests required for the execution of the Bradley-Terry model to evaluate whether the experts committed logical errors (circular triads) or answered randomly. These tests were conducted on the data and none of the 20 experts were eliminated. The UNIBALANCE[5] software package from Technical University Delft was used to calculate the validity tests, scalar values and ranking.
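The paired-comparison ranking and the circular-triad check described above, as an added illustration that is not from the article or from UNIBALANCE; the five factor names are taken from the article's results, while the three experts' answers are constructed (one expert is deliberately given an intransitive answer):

```python
from itertools import combinations
# Constructed example, not the article's data: five of the decision factors the
# article names, judged by three hypothetical experts (one deliberately inconsistent).
FACTORS = ["legal", "standards", "external_loss", "vulnerabilities", "public"]

def from_ranking(order):
    """All (preferred, not preferred) pairs implied by a fully consistent preference order."""
    return [(w, l) for i, w in enumerate(order) for l in order[i + 1:]]

_e3 = from_ranking(["legal", "standards", "external_loss", "vulnerabilities", "public"])
_e3[_e3.index(("legal", "external_loss"))] = ("external_loss", "legal")  # one intransitive answer
EXPERTS = {
    "expert1": from_ranking(["legal", "standards", "external_loss", "vulnerabilities", "public"]),
    "expert2": from_ranking(["external_loss", "legal", "public", "vulnerabilities", "standards"]),
    "expert3": _e3,  # legal > standards > external_loss > legal is a circular triad
}

def circular_triads(answers):
    """Kendall's count of intransitive triples (a > b > c > a) in one judge's answers."""
    beats = set(answers)
    return sum(1 for a, b, c in combinations(FACTORS, 3)
               if {(a, b), (b, c), (c, a)} <= beats or {(b, a), (c, b), (a, c)} <= beats)

def max_circular_triads(n):
    """Largest possible number of circular triads among n items (Kendall)."""
    return (n**3 - n) // 24 if n % 2 else (n**3 - 4 * n) // 24

def bradley_terry(experts, iterations=500):
    """Bradley-Terry weights for the pooled answers by the Zermelo/MM iteration
    p_i = W_i / sum_j n_ij / (p_i + p_j), rescaled each sweep to sum to 1."""
    wins = {f: 0 for f in FACTORS}
    n_ij = {}  # comparisons per unordered pair
    for answers in experts.values():
        for w, l in answers:
            wins[w] += 1
            n_ij[frozenset((w, l))] = n_ij.get(frozenset((w, l)), 0) + 1
    p = {f: 1.0 for f in FACTORS}
    for _ in range(iterations):
        new = {i: wins[i] / sum(n_ij.get(frozenset((i, j)), 0) / (p[i] + p[j])
                                for j in FACTORS if j != i) for i in FACTORS}
        total = sum(new.values())
        p = {f: v / total for f, v in new.items()}
    return p

def ranking(experts):
    return sorted(FACTORS, key=bradley_terry(experts).get, reverse=True)

if __name__ == "__main__":
    print({n: circular_triads(a) for n, a in EXPERTS.items()}, ranking(EXPERTS))
```

A judge whose triad count approaches the maximum for the number of items is answering at random and would be screened out before pooling.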
A subset of the experts was interviewed to gather a collection of potential factors that were consolidated into eight final items to be evaluated. The interview subjects were repeatedly reminded to focus their answers relevant to internal segregation within the organization, rather than protection from outsiders. Each factor is presented here starting with its ranking (1–8), a short name in bold type, Bradley-Terry (BT) score, a long form of the item in italic type and brief comments. Figure 2 presents the results broken down by topic area:
A secondary set of data taken as part of this research was the estimated rates of occurrence of events caused by a failure of the internal controls to keep the information segregated or a failure to share as a result of the internal controls. The impacts were categorized into three classes:
The rates of internal breaches and failures to share were assessed by asking each expert to estimate the frequency of each category of impact event and to associate a probability with that estimate. These data were used to construct a cumulative distribution function (CDF) for each case. The results were diverse, and figure 3 presents a very rough approximation plot of the median rates vs. the size of the organization. Since the government case is unique, it has been removed, along with several outlying data points. Note that large impact events occur at roughly one-tenth the frequency of small impact events. Also, it can be observed that the rates are not linear with population size, first climbing and then decreasing, indicating that it is not a geometric effect as might be expected. Missing line segments are a result of some experts indicating that a specific condition is not possible.
The research showed that the top two reasons to segregate information internally are legal requirements and industry standards that result in certification or accreditation. However, the next three factors—minimizing external loss, revealing vulnerabilities and public expectations—are much more subjective in nature, requiring human judgment rather than meeting strict criteria. The rate information indicates that sharing failures tend to occur more often than internal breaches and that the relation of both to population size is nonlinear. A brief recap of pertinent observations from the experts follows:
1 Modarres, Mohammad; Risk Analysis in Engineering, Taylor & Francis Group, USA, 2006
2 Cooke, Roger M.; Experts in Uncertainty: Opinion and Subjective Probability in Science, Oxford University Press, UK, 1991
3 Kendall, Maurice G.; Rank Correlation Methods, 3rd Edition, Hafner Publishing Company, USA, 1962
4 Op cit, Cooke
5 Macutikiewicz, Marcin; Roger M. Cooke; UNIBALANCE Users Manual, Technical University Delft, 2006
Carl A. Foerster is a doctoral candidate at George Washington University. A retired US Air Force Lieutenant Colonel, he is now a scientist for the MITRE Corporation, a not-for-profit, federally funded research and development center. He has worked at all levels of US military/intelligence special programs over the past 30 years and now supports the US Intelligence Community.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2012 ISACA. All rights reserved.