Dealing with Information Security and Privacy

Dennis Backherms, Kathleen Houlihan
DOI: 10.4018/978-1-4666-5888-2.ch421
Chapter Preview

Introduction

Technological developments continue to provide benefits to society by making rapid access to information cost-effective and simple to obtain for the end-user. Unfortunately, easy access to information has complications that negatively impact personal privacy and security for individuals and for organizations. As technology becomes more pervasive, it is important to understand how privacy and security can be compromised for the sake of progress.

According to Solove (2011), even when an individual has nothing to hide, it is troubling that a person’s individual freedoms can be taken away just by walking down the street. Not only are surveillance cameras starting to track our every movement, social media allows almost instant access to information that formerly would not be accessible. There are no rules protecting the individual’s right to privacy from government entities and organizations that collect information on citizens while in the public eye.

The collection of general information, including the tracking of movements, combined with more specific information about the public, allows for the development of profiles that eventually limit speech and limit the freedom of individuals to associate with controversial groups (Doyle, 2012). Consequently, privacy should be addressed for the public specifically when individuals feel they have nothing to hide, and as new devices are developed for the public, privacy should be a factor in their development. The information that is available on the Internet enhances the abilities of organizations and hackers, who may later compromise the personal security of citizens.

For instance, consider the information that is available on Facebook. Even though there are some security systems in place to protect users, such as flagging content, users are not informed about how personal information is tracked, collected and disseminated to others in the network. Facebook potentially grants access to friends, but it also grants access to personal information to the world (Hull, Richter-Lipford, & Latulipe, 2011). Therefore, the Facebook user’s information can be easily shared with third parties who have not been granted access to this information.

Since no information is available to the user explaining how the newsfeed function is shared with others, anyone who is a friend or an acquaintance may have access to the personal conversations that occur (Hull et al., 2011). In many cases the program interface extends information beyond the friendship circle. This design flaw confuses the user about who may have access to personal information, as evidenced by today’s more complicated third-party privacy statements.

One way to determine the optimal investment level in security and privacy for an organization is to design a risk-neutral situation. Organizational strategies can be developed based on the level of risk a company is willing to take and the likelihood of certain outcomes. A risk-neutral situation implies spending the least amount of money to protect the greatest amount of information that exists in the system, while accounting for the likelihood of an attack happening. This is a difficult process to establish, and it will vary based on the types of information available in the system. The costs associated with securing this information need to be weighed carefully while providing the most secure system that is still profitable for the organization.

The most popular model, which assumes a risk-neutral situation and is based on an economic framework, is the Gordon-Loeb Model (2002). This model explains that the investment in security should not exceed 37 percent of the expected breach loss, because spending more than this percentage on a security breach does not make the organization any less vulnerable to attack. The model illustrates that organizations should make the greatest investment in information sets with medium vulnerability rather than in areas of high vulnerability. Why?

Because in the areas of the highest vulnerability, the cost to protect the system would exceed the benefit to the organization. Given the example from above, securing the information with the credit card information makes the most sense because this is the most likely area where a breach may occur, and installing an SSL certificate would suffice to secure the information, rather than perhaps a fingerprint identification system, which could be more costly.
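The following added example (not part of the chapter) works through both claims above: the optimal spend stays below 1/e (about 37 percent) of the expected loss, and it peaks at medium vulnerability while dropping to zero at high vulnerability. It assumes the class II breach probability function S(z, v) = v^(αz+1) from Gordon and Loeb's 2002 paper, which this preview does not reproduce; the values of `ALPHA` and `LOSS` are constructed for illustration.

```python
import math

ALPHA = 1e-5       # assumed productivity of security spending (constructed)
LOSS = 400_000.0   # assumed loss in dollars if a breach succeeds (constructed)

def breach_probability(z, v, alpha=ALPHA):
    """Class II function from Gordon & Loeb (2002): S(z, v) = v**(alpha*z + 1)."""
    return v ** (alpha * z + 1)

def net_benefit(z, v, loss=LOSS, alpha=ALPHA):
    """Expected net benefit: reduction in expected loss minus the spend z."""
    return (v - breach_probability(z, v, alpha)) * loss - z

def optimal_investment(v, loss=LOSS, alpha=ALPHA):
    """Spend z* that maximises net_benefit for vulnerability v (0 if none pays off)."""
    if not 0.0 < v < 1.0:
        return 0.0  # nothing to protect (v=0) or spending cannot help (v=1)
    # Marginal benefit of the first dollar; if it is at most $1, spend nothing.
    if -alpha * loss * v * math.log(v) <= 1.0:
        return 0.0
    # First-order condition -alpha*loss*ln(v)*v**(alpha*z+1) = 1, solved for z.
    return (-math.log(-alpha * loss * math.log(v)) / math.log(v) - 1.0) / alpha

def investment_profile(vulnerabilities, loss=LOSS, alpha=ALPHA):
    """Rows of (v, expected loss v*L, optimal spend z*, z* as share of v*L)."""
    rows = []
    for v in vulnerabilities:
        z = optimal_investment(v, loss, alpha)
        rows.append((v, v * loss, z, z / (v * loss)))
    return rows

if __name__ == "__main__":
    grid = [i / 10 for i in range(1, 10)]
    for v, exp_loss, z, share in investment_profile(grid):
        print(f"v={v:.1f}  expected loss=${exp_loss:>9,.0f}  "
              f"optimal spend=${z:>8,.0f}  share={share:.1%}")
    print(f"1/e bound on share: {1 / math.e:.1%}")
```

With these constructed parameters the optimal spend is zero for v = 0.1 and for v ≥ 0.7, and largest near v = 0.5.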

Key Terms in this Chapter

Security Breach: A severe security incident in which valuable information assets are compromised by unauthorized entities.

Information privacy: The ability to keep valuable information from a public setting without obtaining permission from the information’s owner.

Information Security Management: The process of identifying an organization’s information assets that allow for the design, development, documentation, and implementation of various policies and procedures to protect the identified assets.

Social media: Websites or applications used to connect people with each other, over the Internet, for the intended purpose of extending personal social interaction.

E-Commerce: Transactions processed using the Internet, regardless of transaction type.

Information Security (Data Security): The process of protecting valuable information assets from loss, destruction, modification, or disruption regardless of the type of information being protected.