Balancing the Public Policy Drivers in the Tension between Privacy and Security

John W. Bagby (The Pennsylvania State University, USA)
DOI: 10.4018/978-1-60566-326-5.ch008

The public expects that technologies used in electronic commerce and government will enhance security while preserving privacy. These expectations are focused through public policy influences, implemented by law, regulation and standards emanating from states (provincial governments), federal agencies (central governments) and international law, and they are further shaped by market pressures set in contracts. This chapter posits that personally identifiable information (PII) is a form of property that flows along an “information supply chain” from collection, through archival and analysis, and ultimately to its use in decision-making. The conceptual framework for balancing privacy and security developed here provides a foundation for developing and implementing public policies that safeguard individual rights, the economy, critical infrastructures and national security. The elusive resolution of the practical antithesis between privacy and security is explored by developing some tradeoff relationships, using exemplars from various fields that identify this quandary while recognizing how privacy and security sometimes harmonize.
Chapter Preview


Public policy drives private enterprise and public institutional efforts to maintain security. A traditional focus on criminal enforcement and regulatory risks in the protection of physical property fails to adequately protect networked computers, and so fails to address the related impact on the national economy and critical infrastructures. Security failures make confidential and private data more vulnerable; they include vulnerabilities in the electronic transaction processing systems underlying electronic commerce and in the systems supporting digital government. National security is imperiled by any substantial weakening of the national economy. Fundamental to information assurance (IA) is regulatory compliance with both security and privacy law, responsibilities that are dispersed among (1) individuals, (2) government at all levels: local, state/provincial, national/federal, regional/international, (3) private-sector entities generally and (4) specifically, private-sector organizations in the burgeoning data management industry (e.g., suppliers and users of data, service providers to the “information supply chain”). Public policy must continually draw a balance between individual interests in secrecy or solitude and society’s interests in security, order and efficiency. Privacy law in the United States is a fragmented assortment of rights from various sources: constitutions, federal statutes and regulations, state statutes and regulations, standards, common law precedents and private contracts. This chapter frames the debate over privacy rights and security imperatives, first as a tradeoff, largely in the realms of national security and crime, but then finds important points of complementarity between individuals’ security and their privacy. Analysis using this model reveals insights for public policy makers that contribute to the implementation of technology by attenuating public surprise at privacy intrusions and enabling public support for reasonable security measures.

The professionals in the information technology (IT) industry who are most intimately engaged in IA, cyber-security and the facilitation of privacy protection confront an often daunting complexity in public policy imperatives, because those imperatives are derived from law, standards, contracts, litigation and regulation, and because the sources of these pressures are so varied. This uncertainty is particularly acute for the control of security risks to personally identifiable information (PII). A confluence of pressures now focuses on how vulnerabilities of tangible and intangible assets impact the reliability of the information systems underlying transaction records. Internal control systems are the key mechanisms for maintaining security over information assets, exerted through their influence over decision-making and operations monitoring in private-sector institutions, with close analogs for public-sector institutions (Sarbanes-Oxley Act, 2002).

This chapter contends that, to clarify IA threat reduction duties, IT professionals must more clearly understand the public policy imperatives for internal control that emanate from evolving standards of professional practice and ethics, financial reporting standards, corporate governance, privacy law, trade secret intellectual property (IP), technology transfer contractual duties, electronic records management best practices, tort and criminal law and fiduciary duties. These are hugely diverse and complex influences, so a comprehensive treatment of their details is well beyond the scope of this chapter. Nevertheless, various exemplars of these sources are examined conceptually to provide insight into how public policy exerts pressure that constitutes a confluence of regulatory and market-based forces influencing the development, implementation, testing, revision and evolution of internal control. These pressures comprise a major component of the public policy environment of IT governance. In the U.S., privacy laws appear to be distinct regimes, so they may be misinterpreted as limited, “sectoral” silos applicable only narrowly to particular industries or professions. However, this chapter argues that they are increasingly broadening to include internal control pressures impacting service providers, consultants, publicly-traded corporations, closely-held companies, non-governmental organizations (NGOs) and government agencies at all levels (Bagby, 2007-2).

Complete Chapter List

Editorial Advisory Board
Table of Contents
Merrill Warkentin
Kenneth J. Knapp
Kenneth J. Knapp
Chapter 1: Dynamic Modeling of the Cyber Security Threat Problem: The Black Market for Vulnerabilities
Jaziar Radianti, Jose J. Gonzalez
This chapter discusses the possible growth of black markets (BMs) for software vulnerabilities and factors affecting their spread. It is difficult...

Chapter 2: An Attack Graph Based Approach for Threat Identification of an Enterprise Network
Somak Bhattacharya, Samresh Malhotra, S. K. Ghosh
As networks continue to grow in size and complexity, automatic assessment of the security vulnerability becomes increasingly important. The typical...

Chapter 3: Insider Threat Prevention, Detection and Mitigation
Robert F. Mills, Gilbert L. Peterson, Michael R. Grimaila
The purpose of this chapter is to introduce the insider threat and discuss methods for preventing, detecting, and responding to the threat. Trusted...

Chapter 4: An Autocorrelation Methodology for the Assessment of Security Assurance
Richard T. Gordon, Allison S. Gehrke
This chapter describes a methodology for assessing security infrastructure effectiveness utilizing formal mathematical models. The goal of this...

Chapter 5: Security Implications for Management from the Onset of Information Terrorism
Ken Webb
This chapter results from a qualitative research study finding that a heightened risk for management has emerged from a new security environment...

Chapter 6: The Adoption of Information Security Management Standards: A Literature Review
Yves Barlette, Vladislav V. Fomin
This chapter introduces major information security management methods and standards, and particularly ISO/IEC 27001 and 27002 standards. A...

Chapter 7: Data Smog, Techno Creep and the Hobbling of the Cognitive Dimension
Peter R. Marksteiner
Information overload is an increasingly familiar phenomenon, but evolving United States military doctrine provides a new analytical approach and a...

Chapter 8: Balancing the Public Policy Drivers in the Tension between Privacy and Security
John W. Bagby
The public expects that technologies used in electronic commerce and government will enhance security while preserving privacy. These expectations...

Chapter 9: Human Factors in Security: The Role of Information Security Professionals within Organizations
Indira R. Guzman, Kathryn Stam, Shaveta Hans, Carole Angolano
The goal of our study is to contribute to a better understanding of role conflict, skill expectations, and the value of information technology (IT)...

Chapter 10: Diagnosing Misfits, Inducing Requirements, and Delineating Transformations within Computer Network Operations Organizations
Nikolaos Bekatoros HN, Jack L. Koons III, Mark E. Nissen
The US Government is moving apace to develop doctrines and capabilities that will allow the Department of Defense (DoD) to exploit Cyberspace for...

Chapter 11: An Approach to Managing Identity Fraud
Rodger Jamieson, Stephen Smith, Greg Stephens, Donald Winchester
This chapter outlines components of a strategy for government and a conceptual identity fraud enterprise management framework for organizations to...

Chapter 12: A Repeatable Collaboration Process for Incident Response Planning
Alanah Davis, Gert-Jan de Vreede, Leah R. Pietron
This chapter presents a repeatable collaboration process as an approach for developing a comprehensive Incident Response Plan for an organization or...

Chapter 13: Pandemic Influenza, Worker Absenteeism and Impacts on Critical Infrastructures: Freight Transportation as an Illustration
Dean A. Jones, Linda K. Nozick, Mark A. Turnquist, William J. Sawaya
A pandemic influenza outbreak could cause serious disruption to operations of several critical infrastructures as a result of worker absenteeism....

Chapter 14: Information Sharing: A Study of Information Attributes and their Relative Significance During Catastrophic Events
Preeti Singh, Pranav Singh, Insu Park, JinKyu Lee
We live in a digital era where the global community relies on Information Systems to conduct all kinds of operations, including averting or...

Chapter 15: An Overview of the Community Cyber Security Maturity Model
Gregory B. White, Mark L. Huson
The protection of cyberspace is essential to ensure that the critical infrastructures a nation relies on are not corrupted or disrupted. Government...

Chapter 16: Server Hardening Model Development: A Methodology-Based Approach to Increased System Security
Doug White, Alan Rea
In this chapter the authors present essential server security components and develop a set of logical steps to build hardened servers. The authors...

Chapter 17: Trusted Computing: Evolution and Direction
Jeff Teo
Computer attacks of all sorts are commonplace in today’s interconnected, globalized society. A computer worm, written and released in one part of...

Chapter 18: Introduction, Classification and Implementation of Honeypots
Miguel Jose Hernandez y Lopez, Carlos Francisco Lerma Resendez
This chapter discusses the basic aspects of Honeypots, how they are implemented in modern computer networks, as well as their practical uses and...
About the Contributors