The application of access controls on internal information necessarily impacts the availability of that information for sharing inside the enterprise. The decisions establishing the degree of control are a crucial first step to balance the requirements to protect and share. This research develops a set of basic decision factors and examines other attributes of the information environment pertaining to the decision to apply access controls to segregate information within an organization.
The methodology is the analysis of assessments collected from experts on the topic. Five experts in four areas of endeavor were sampled in the 2010 to 2011 timeframe. The four areas are law, medicine, finance, and U.S. government classified information that is formally compartmented. The experts were first interviewed to assemble a list of potential decision factors. They were then interviewed again to obtain a ranking of the factors and to gather estimates of two rates: adverse impacts caused by internal compromises when the controls fail and, conversely, adverse impacts that occur when the controls succeed but hinder information sharing.
The findings produced eight decision factors, of which two external factors (Federal/State law and industry requirements leading to an accreditation) account for more than half of the decision weight. The next most significant factor is reducing the number of persons exposed to the protected information internally in order to reduce the risk of external loss. The remaining factors account for less than a third of the decision weight and consist of: exposure of vulnerabilities; information with financial value; public expectations; and harm if revealed to the public or competitors. The rate information indicates that for a 100-person organization, the incidence (events per year) of internal compromise is approximately 400 and the failure-to-share rate is 100. However, in both cases, incidents that actually cause harm to the organization occur less than once per year. Useful insights from the experts on these topics are provided, including: substitute audit for control; avoid excessive control, which can influence users to bypass protective measures; and provide alternatives for sharing in urgent or emergency situations.
|Advisor:||Ryan, Julie J. C. H.|
|Committee:||Bixler, Charles H., Mazzuchi, Thomas A., Murphree, Edward L., Van Dorp, Johan R.|
|School:||The George Washington University|
|Department:||Engineering Mgt and Systems Engineering|
|School Location:||United States -- District of Columbia|
|Source:||DAI-A 74/06(E), Dissertation Abstracts International|
|Subjects:||Management, Information science|
|Keywords:||Access control, Compartmentation, Information segregation, Internal information segregation|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved