Increasing demands for data access dominate privacy concerns, putting both data and organizations at risk. However, there is currently a shortage of research on how organizations develop and maintain practices to ensure information privacy. Small scale, preliminary investigations suggest there is variation in organizational practices and those that have been studied only minimally reflect documented organizational policies. While technologies exist to help monitor accesses to data, they are rarely deployed, such that manual audits remain the norm. This project aims to improve security measures in organizations by better understanding risk management and breach discovery life cycles. Traditional technological solutions lack grounding in real organizational routines, resulting in poor fit with existing work practices and limited adoption. The problem demands a multi-disciplinary effort to represent organizational risks and practices, theory to quantify the risk, and methods to translate the findings for privacy and security practices and technologies that seek to mitigate the risk. This work will influence the development and deployment of technological cybersecurity tools in multiple industries. Specifically, it will provide concrete assessments of breach management routines, how they are structured, and the uptake that can reasonably be expected of breach management technologies given industry-specific constraints.
This project uses a sociotechnical approach, integrating qualitative data on privacy practices, and perceived constraints and influences within the process, into a computational model that will be used to represent constraints and influences on the deployment of privacy and security measures. This model will account for various actors within the privacy and security hierarchy, such as compliance officers, security officers and executives. It allows for conceptualization of organizational practices and the areas of potential adaptation for the practices. In particular, the computational contributions are two-fold: (i) an optimization problem formulation of the risk management and breach discovery life cycle, and (ii) a taxonomy of perceived organizational risks and their mapping to mitigating technological measures. In addition, these computational methods will inform changes in life cycle process, and gaps among current technological offerings. Results include tools for analyzing an organization's security routines and risk perspectives, and output organization guidance to better manage risk.
