Analysis Of Decision Factors For The Application Of Information Access Controls Within The Organization Open Access
The application of access controls on internal information necessarily impacts the availability of that information for sharing inside the enterprise. The decisions establishing the degree of control are a crucial first step in balancing the requirements to protect and to share. This research develops a set of basic decision factors and examines other attributes of the information environment pertaining to the decision to apply access controls that segregate information within an organization. The methodology employed is the analysis of assessments collected from experts on the topic. Five experts in four areas of endeavor were sampled in the 2010 to 2011 timeframe. The four areas are law, medicine, finance, and U.S. government classified information that is formally compartmented. The experts were first interviewed to assemble a list of potential decision factors. The experts were then interviewed again to obtain a ranking of the factors and to gather estimates of the rates of adverse impacts caused by internal compromises when the controls fail, and of the converse situation, when the controls succeed but an adverse impact occurs because the control hinders information sharing. The findings produced eight decision factors, of which two external decision factors account for more than half of the decision weight (Federal/State law and industry requirements leading to an accreditation). The next most significant factor is the reduction of the number of persons exposed to the protected information internally, in order to reduce the risk of external loss. The remaining factors account for less than a third of the decision weight and consist of: exposure of vulnerabilities; information with financial value; public expectations; and harm if revealed to the public or competitors. The rate information indicates that for a 100-person organization, the incidence (events per year) of internal compromise is approximately 400 and the failure-to-share rate is 100. However, in both cases, incidents that actually cause harm to the organization occur less than once per year. Useful insights from the experts on these topics are provided, including: substitute audit for control; avoid excessive control, which can influence users to bypass protective measures; and provide alternatives for sharing in urgent or emergency situations.