Home Tuck Dartmouth Search Site Map Contact Us
Information Risk in Data-Oriented Enterprises

This interdisciplinary research project is supported in part by NIST and the Department of Homeland Security through the Institute of Security Technology Studies.

Eric Johnson, Robin Sundaram, and John Gallant
Video: Eric Johnson and John Gallant interview Robin Sundaram, CISO, ChoicePoint on information risk.

Access with Audit presented at WISE, Dec 2008.
PDF (148KB)

Access Goverance presented at WEIS, June 2008
PDF (148KB)

Presentations at INFORMS 2008 and WISE 08

Information risk paper presented at FinanceCom 2007
PDF (148KB)

Tuck Today article

Iinformation RiskJohnson's new book on information risk and the economics of security.

Project Initiation Press Release
PDF (16KB)

Many industries that share and operate on information are moving their operations into electronic settings. In some fields, this move offers a vital competitive edge; in others, this can be a desirable cost-cutting measure. The challenge these firms face is building information systems that deliver the right information to employees, while ensuring they don't provide data entitlements that inappropriately enable misuse or violate customer privacy.

Project team:
M. Eric Johnson, CDS Director; Sean Smith, Dartmouth CS professor; Tony Portera T'07; Sara Sinclair, Dartmouth CS PhD; Stephanie Trudeau D'09; Xia Zhao, CDS Research Fellow (not shown below).

Information Risk in Data-Oriented Enterprises

With a research team from computer science and business, we are investigating how information risk can be articulated and monetized with the goal of developing lifecycle management approaches to information provisioning. We are developing models of both the organizational and system application structure to allow us to simulate the effectiveness of potential technical and access policy changes. For example, a model of an organization that allows the simulation of employee hiring, termination, promotion, and supervisory relationship changes enables us to predict how auto-provisioning users with a certain role at a certain lifecycle event would affect the overall system.

This project will benefit data-oriented enterprises by both analyzing many current best-practices for provisioning and developing new approaches that reduce information risk.

Financial Institutions Field Study
The financial services industry is arguably the leading private sector in managing complex information security in a professional services setting. Large global enterprises with thousands of employees, contractors, and partners scattered around the world, they require information systems that are flexible, yet secure.
[  in PDF format (157K) ]

Access Governace with Esclation
Information access in healthcare and financial services settings require different levels of flexiblity and control. Using game-theoretic models and simulation we are developing new information governance models based on incentives and controls. Research Findings in WEIS 2008.

This research is supported in part by:
ISTS

Return to the Center's Information Security Project
Current Projects, Institute for Security Technology Studies
"ISTS Embeds Students in Financial Institutions" - ISTS Quarterly
"Embedding Information Security into the Organization," M. Eric Johnson and Eric Goetz, Security & Privacy Magazine, IEEE
"Security Summit," Network World
"Security and Privacy: Business Dilemma or Opportunity?" - a Tuck alumni panel hosted by the Center for Digital Strategies