WEIS 2008: Escalation and incentives for better security
Researchers present interesting approach to access control
Security Strategies Alert
By M. E. Kabay, Network World, 08/05/2008
Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In the current series of articles, I'm reviewing some of the papers presented at the 2008 Workshop on the Economics of Information Security (WEIS 2008) at Dartmouth College in June.
Xia Zhao is a research fellow at the Glassmeyer/McNamee Center for Digital Strategies of the Tuck School of Business at Dartmouth.
In collaboration with M. Eric Johnson, professor of operations management and director of the Center for Digital Strategies, she presented a paper entitled "Information Governance: Flexibility and Control through Escalation and Incentives."
The researchers present an overview of access-control models and point out that some organizations are successfully experimenting with a model that supports creativity and effective use of corporate information: employees are allowed rapid access to sensitive information when they need it, subject to appropriate controls and follow-up. They write:
"In an increasingly dynamic world, information governance must be flexible, yet secure. To achieve flexibility, we consider a different approach where employees are given a base level of access, but allowed to escalate into controlled data and applications when needed. This allows one-time access without any time-delaying approval process. We have witnessed such an approach in several settings, including investment banking (where it is sometimes referred to as 'override'… and health care (where it is called 'break glass'…). In the cases we observed, escalation was used to solve a failure of traditional access control systems.
"However, escalation potentially breeds significant security risks since employees may abuse their ability to access information. For example, accessing information not for business reasons but rather for personal benefit. To mitigate the associated security risks, the escalation activities are later audited, and employees found to be abusing their accesses are penalized. Auditing (or monitoring) with violation penalties has been implemented by firms seeking to drive desired behavior from employees or partners with respect to financial reporting, contract and regulation compliance. For example, Intel issues "speeding tickets" to employees that violate information security policies….
"Of course, escalation must be confined to cases where the risk of failure or the cost of recovery is relatively low compared to the cost of not granting access (e.g., the potential value created through escalation). It may not be suited to some financial or trading systems where there is significant risk of massive fraud. Rather it is useful in cases where there are many small risks or where the potential value of escalation is very high. For example, escalation is very effective in situations such as access to private medical information, where emergency access may save someone's life, or in time-critical systems where the person with the necessary privileges may be unavailable."
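To make the model concrete, here is an added example (my own sketch, not code from Zhao and Johnson's paper) of the three pieces the authors describe: base access granted directly, one-time escalation into low-risk controlled data with no approval delay, and a later audit that flags the escalations an organization might want to penalize. The roles, resources, risk classes and thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample policy (not from the paper): each role's base entitlements,
# and the controlled resources into which escalation may be attempted, classed
# by risk.  Break-glass access is only permitted where that risk is low.
BASE_ACCESS = {"clinician": {"own_patients"}, "trader": {"own_book"}}
CONTROLLED = {"patient_records": "low", "trading_ledger": "high"}

@dataclass
class EscalationEvent:
    user: str
    resource: str
    reason: str
    when: datetime

@dataclass
class EscalationPolicy:
    log: list = field(default_factory=list)

    def request(self, user, role, resource, reason, now):
        """Base access is granted directly.  A low-risk controlled resource is
        opened at once by one-time escalation (no approval delay) and the event
        is logged for audit.  High-risk resources refuse escalation."""
        if resource in BASE_ACCESS.get(role, set()):
            return "granted"
        if CONTROLLED.get(resource) != "low":
            return "denied"
        self.log.append(EscalationEvent(user, resource, reason, now))
        return "escalated"

    def audit(self, window=timedelta(hours=24), max_per_window=3):
        """Return {user: [findings]} for escalations that look like abuse: a
        blank business justification, or more than max_per_window escalations
        inside one window.  Flagged users are candidates for the post-hoc
        penalty ('speeding ticket') the paper describes."""
        by_user = {}
        for ev in self.log:
            by_user.setdefault(ev.user, []).append(ev)
        findings = {}
        for user, events in by_user.items():
            if any(not e.reason.strip() for e in events):
                findings.setdefault(user, []).append("missing justification")
            times = sorted(e.when for e in events)
            for i, start in enumerate(times):
                if sum(1 for t in times[i:] if t < start + window) > max_per_window:
                    findings.setdefault(user, []).append("escalation burst")
                    break
        return findings
```

The audit thresholds are the policy knobs: a single justified escalation into patient records passes, while an empty justification or a burst of escalations in one day is surfaced for review rather than blocked up front.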
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
Comments (1)
Good thoughts for CSIRT as well
By Kamal Wickramanayake on August 6, 2008, 1:28 am
These ideas of privilege escalation are good to be applied for a CSIRT as well in case an organization tightly controls the CSIRT. Furthermore, the CSIRT can then...