Electronic Thesis/Dissertation

The application of access controls on internal information necessarily impacts the availability of that information for sharing inside the enterprise. The decisions establishing the degree of control are a crucial first step to balance the requirements to protect and share. This research develops a set of basic decision factors and examines other attributes of the information environment pertaining to the decision to apply access controls to segregate information within an organization. The methodology employed is the analysis of assessments collected from experts on the topic. Five experts in four areas of endeavor were sampled in the 2010 to 2011 timeframe. The four areas are law, medicine, finance, and U.S. government classified information that is formally compartmented. The experts were first interviewed to assemble a list of potential decision factors. The experts were then interviewed again to obtain a ranking of the factors and gather estimates of the rates of adverse impacts caused by internal compromises when the controls fail, and the converse situation, when the controls succeed, but an adverse impact occurs from the control hindering information sharing. The findings produced eight decision factors, of which, two external decision factors account for more than half of the decision weight (Federal/State Law and industry requirements leading to an accreditation). The next most significant factor is the reduction of the number of persons exposed to the protected information internally in order to reduce the risk of external loss. The remaining factors account for less than a third of decision weight and consist of: exposure of vulnerabilities; information with financial value; public expectations; and harm if revealed to public/competitors. The rate information indicates that for a 100 person organization, the incidence (events per year) of internal compromise is approximately 400 and failure to share rate is 100. However, in both cases, incidents that actually cause harm to the organization occur less than once per year. Useful insights from the experts on these topics are provided, including: substitute audit for control; avoid excessive control which can influence users to bypass protective measures; and provide alternatives for sharing in urgent or emergency situations.

Author

• Foerster, Carl Adolf

Language

• en

Keyword

• information segregation
• internal information segregation
• access control
• compartmentation

Date created

• 2013

Type of Work

• Thesis or Dissertation

Rights statement

• In Copyright

GW Unit

• Engineering Mgt and Systems Engineering

Degree

• D.Sc.

Advisor

• Ryan, Julie J.C.H.

Committee Member(s)

• Mazzuchi, Thomas A.
• Van Dorp, Johan R.
• Murphree, Edward L.
• Bixler, Charles H.

Persistent URL

•  https://scholarspace.library.gwu.edu/etd/ks65hc23n

License

• All rights reserved

Relationships

Items

Thumbnail	Title	Date Uploaded	Visibility	Actions
	Foerster_gwu_0075A_11702.pdf	2018-01-16	Open Access	Press to Select an action Download View in Browser