Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In the current series of articles, I'm reviewing some of the papers presented at the 2008 Workshop on the Economics of Information Security (WEIS 2008) at Dartmouth College in June.
Xia Zhao is a research fellow at the Glassmeyer/McNamee Center for Digital Strategies of the Tuck School of Business at Dartmouth. In collaboration with M. Eric Johnson, professor of operations management and director of the Center for Digital Strategies, she presented a paper entitled "Information Governance: Flexibility and Control through Escalation and Incentives."
The researchers present an overview of access-control models and point out that some organizations are experimenting successfully with a model that supports creativity and effective use of corporate information: employees are given rapid access to sensitive information when they need it, subject to appropriate controls and follow-up review. They write:
"In an increasingly dynamic world, information governance must be flexible, yet secure. To achieve flexibility, we consider a different approach where employees are given a base level of access, but allowed to escalate into controlled data and applications when needed. This allows one-time access without any time-delaying approval process. We have witnessed such an approach in several settings, including investment banking (where it is sometimes referred to as 'override'… and health care (where it is called 'break glass'…). In the cases we observed, escalation was used to solve a failure of traditional access control systems.
"However, escalation potentially breeds significant security risks since employees may abuse their ability to access information. For example, accessing information not for business reasons but rather for personal benefit. To mitigate the associated security risks, the escalation activities are later audited, and employees found to be abusing their accesses are penalized. Auditing (or monitoring) with violation penalties has been implemented by firms seeking to drive desired behavior from employees or partners with respect to financial reporting, contract and regulation compliance. For example, Intel issues “speeding tickets” to employees that violate information security policies….
"Of course, escalation must be confined to cases where the risk of failure or the cost of recovery is relatively low compared to the cost of not granting access (e.g., the potential value created through escalation). It may not be suited to some financial or trading systems where there is significant risk of massive fraud. Rather it is useful in cases where there are many small risks or where the potential value of escalation is very high. For example, escalation is very effective in situations such as access to private medical information, where emergency access may save someone’s life, or in time-critical systems where the person with the necessary privileges may be unavailable."
Using mathematical modeling, the authors developed the following key insights:
1. The quality of auditing is critically important for the success of an access-privilege-escalation system.
2. A range of penalties for violation of security standards using such an escalation system can be effective in reducing abuse; examples include mandatory compliance training (yecchh), writing explanatory reports (even more aversive in my opinion) and penalizing the employee’s manager (The horror! The horror!).
3. Some data cannot be included in the range available through escalation.
4. Not all employees can be granted escalation privileges: the decision should be based on trust and need.
5. Observing the patterns of escalation can teach management about unsuspected information needs.
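To make the mechanism concrete, here is an added example (my own illustration, not code from the Zhao and Johnson paper) of how a break-glass policy engine fits the five insights above: resources are tiered so that some can never be reached by escalation (insight 3), only trusted users hold the escalation right (insight 4), every escalation is granted immediately but logged, and a separate audit pass flags bursts and copy-pasted justifications for human review (insight 1) and reports which team keeps escalating into the same record, which points at a gap in base access (insight 5). The tiers, teams, user names, thresholds and log records are all constructed for the example.

```python
"""Break-glass ("escalation") access control with after-the-fact audit.

Added example of the mechanism the paper describes; it is not code from Zhao and
Johnson's paper. Tiers, teams, users, thresholds and log records are constructed.
"""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Resource tiers: BASE is held by ordinary role rights, ESCALATABLE is reachable by
# breaking glass (and audited later), RESTRICTED is never reachable that way (insight 3).
BASE, ESCALATABLE, RESTRICTED = "base", "escalatable", "restricted"

Resource = namedtuple("Resource", "name tier")
User = namedtuple("User", "name team base_rights may_escalate")  # may_escalate: trust + need (insight 4)
AccessEvent = namedtuple("AccessEvent", "when user resource decision reason")


class BreakGlassPolicy:
    def __init__(self, resources, users):
        self.resources = {r.name: r for r in resources}
        self.users = {u.name: u for u in users}
        self.log = []  # every decision is recorded; the log is what the audit runs on

    def request(self, user_name, resource_name, when, reason=""):
        """Decide immediately: no approval workflow, so no time-delaying step."""
        user, res = self.users[user_name], self.resources[resource_name]
        if resource_name in user.base_rights:
            decision = "allowed"
        elif res.tier == ESCALATABLE and user.may_escalate and reason.strip():
            decision = "escalated"  # granted now, reviewed later
        else:
            decision = "denied"     # restricted data, untrusted user, or no justification
        self.log.append(AccessEvent(when, user_name, resource_name, decision, reason))
        return decision

    def audit(self, window=timedelta(hours=24), max_in_window=3, reuse_limit=3, gap_min=2):
        """Post-hoc review (insight 1: audit quality is what keeps break-glass honest).

        Returns users whose escalation pattern deserves a human look, plus
        (team, resource, count) triples escalated so often that the team probably
        needs base rights there (insight 5)."""
        escalations = [e for e in self.log if e.decision == "escalated"]
        by_user = defaultdict(list)
        for e in escalations:
            by_user[e.user].append(e)
        review = {}
        for user, events in by_user.items():
            events.sort(key=lambda e: e.when)
            flags = []
            # Burst: more than max_in_window escalations within `window` of any one event.
            for i, first in enumerate(events):
                n = sum(1 for e in events[i:] if e.when - first.when <= window)
                if n > max_in_window:
                    flags.append(f"{n} escalations within {window}")
                    break
            # The same justification pasted verbatim many times looks like rubber-stamping.
            for reason, n in Counter(e.reason.strip().lower() for e in events).items():
                if n >= reuse_limit:
                    flags.append(f"justification {reason!r} reused {n} times")
            if flags:
                review[user] = flags
        pairs = Counter((self.users[e.user].team, e.resource) for e in escalations)
        gaps = sorted((t, r, n) for (t, r), n in pairs.items() if n >= gap_min)
        return {"review": review, "base_access_gaps": gaps}


def run_sample():
    """Replay a constructed day of requests; returns (decisions, audit findings)."""
    policy = BreakGlassPolicy(
        resources=[Resource("ticket_queue", BASE),
                   Resource("patient_record/1042", ESCALATABLE),
                   Resource("patient_record/2077", ESCALATABLE),
                   Resource("patient_record/3150", ESCALATABLE),
                   Resource("payroll_ledger", RESTRICTED)],
        users=[User("alice", "er_nursing", frozenset({"ticket_queue"}), True),
               User("bob", "er_nursing", frozenset({"ticket_queue"}), True),
               User("carol", "billing", frozenset({"ticket_queue"}), False)])
    t0 = datetime(2008, 6, 25, 8, 0)
    requests = [  # (user, resource, minutes after t0, justification), all constructed
        ("alice", "patient_record/1042", 0, "ER admission, attending unavailable"),
        ("bob", "patient_record/1042", 10, "ER admission"),
        ("alice", "ticket_queue", 60, ""),                        # ordinary base access
        ("carol", "patient_record/1042", 70, "insurance query"),  # not trusted to escalate
        ("alice", "payroll_ledger", 80, "curious"),               # restricted: no break-glass
        ("bob", "patient_record/2077", 20, "ER admission"),
        ("bob", "patient_record/3150", 25, "ER admission"),
        ("bob", "patient_record/1042", 120, "ER admission"),
    ]
    decisions = [policy.request(u, r, t0 + timedelta(minutes=k), why)
                 for u, r, k, why in requests]
    return decisions, policy.audit()


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Running `run_sample()` yields the decisions in request order (alice's first record access and bob's four are escalated, the ticket queue is plain base access, carol and the payroll ledger are denied) and an audit result that flags only bob (four escalations in one day, the same justification reused four times) and lists `er_nursing` against `patient_record/1042` as a likely base-access gap. The point of the design is that the decision path never waits on a human, while the audit path is where the penalties described above attach; tune the window and thresholds to the organization rather than treating the constructed values as recommendations.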
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
Comments (1)
Good thoughts for CSIRT as well
By Kamal Wickramanayake on August 6, 2008, 1:28 am
These ideas of privilege escalation are good to apply to a CSIRT as well, in case an organization tightly controls the CSIRT. Furthermore, the CSIRT can then...