Information Leakage in the Extended Enterprise

In this project, we are examining the business risks of different types of disclosures including inadvertent web posting, social networks, blogs, and peer-to-peer file sharing networks.

Eric Johnson testified before Congress about information leaks over file-sharing networks.

Eric Johnson at Security Standard
Eric Johnson also spoke at Security Standard about the psychology of risk and information leaks.

CERT podcast with Eric Johnson and Scott Dynes on inadvertent disclosure

Video: Eric Johnson on Protecting Yourself from Identity Theft

Inadvertent disclosure of sensitive business information represents one of the largest classes of recent security failures. With each new story, firms come under increased pressure to harden their networks and take a more aggressive security posture. However, it is often not clear which security initiatives offer firms the greatest improvement.

In this project, we are examining different types of disclosures including lost mass storage devices, inadvertent web posting, social networks, blogs, and peer-to-peer file sharing networks. In each case, the pattern is the same: sensitive information is inadvertently leaked, creating embarrassment, vulnerabilities, and financial losses for the firm, its investors, and its customers. We show how confidential and potentially damaging documents have made their way onto public networks.

The research also shows that criminals actively search these networks for information they can exploit. We show how leaked information is exploited, including for fraud and identity theft. Ongoing work is examining the extent of the leakage problem in different industries, including US banking and healthcare.

  • Healthcare Data Hemorrhages and Medical Identity Theft: Confidential data hemorrhaging from health-care providers poses financial risks to firms and medical risks to patients. In this project, we are examining the consequences of data hemorrhages, including privacy violations, medical fraud, financial identity theft, and medical identity theft. We are also exploring the types and sources of data hemorrhages. Research findings presented at IEEE Symposium on Security and Privacy 2010. PDF (69KB) Financial Cryptography and Data Security 2009. PDF (890KB)

  • Inadvertent Disclosures Among Top US Banks: In this project, we characterize the extent of the security risk for a group of large financial institutions using a direct analysis of leaked documents. We also characterize the threat of loss by examining search patterns in peer-to-peer networks. Our analysis demonstrates both a substantial threat and a substantial vulnerability for large financial firms. We find a statistically significant link between leakage and leak sources, including the firm's employment base and the number of retail accounts. We also find a link between firm visibility and threat activity. Finally, we find that firms with more leaks also experience increased threat. Research findings in Journal of Management Information Systems. PDF (650KB)

  • Consumer Risks of Inadvertent Disclosure: Peer-to-peer (P2P) software clients have become part of the standard suite of PC applications for many users. With millions of users worldwide sharing music, video, software, and pictures, file movement on these networks represents a significant percentage of internet traffic. Through honey-pot experiments that expose personal financial information, we graphically show the risks consumers face. Research findings in Communications of the ACM. PDF (746KB)


    Video:
    Eric Johnson explains inadvertent disclosures over the internet.


Return to the Center's Information Security Project
Risks for Corporate Documents and IP at HICSS08
Inadvertent Disclosure at WEIS 2007
Department of Homeland Security funds study - press release
Director Eric Johnson on Bank Leaks - Video