Understanding and protecting privacy: formal semantics and principled audit mechanisms
ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Managing information access in highly dynamic business environments is increasingly challenging. With thousands of employees accessing thousands of applications and data sources, managers strive to ensure that employees can access the information they need to create value while protecting information from misuse. We propose an access governance structure with escalation options, ensuring both flexibility and security of information. Using a game-theoretic approach, we show that properly coupling information access, audit, violation penalties and rewards can enable self-interested employees to access information in a timely manner, seizing business opportunities for the firm while managing security risks. Surprisingly, we find that providing employees with more access than strictly required can reduce control costs and improve profits.