M. Eric Johnson offers managers a new way of governing employee access to data that allows for both greater flexibility and control.
In a business world ever more dependent on information, access to data presents both opportunity and liability. Managers in data-rich enterprises need better tools to allow flexibility and mitigate risk. In a new study, Tuck professor M. Eric Johnson and Xia Zhao of the University of North Carolina have come up with a model that balances an employee's need for greater access to information with a firm's interest in ensuring that such data are not misused. The researchers use game theory to show that a system of access escalation, audits, and incentives can help managers navigate the uncertain territory between control, profitability, and risk.
"Information security is typically seen as a friction or barrier," says Johnson, the Benjamin Ames Kimball Professor of the Science of Administration and the director of Tuck's Center for Digital Strategies. "We're looking at the flip side of that—how to present people with the information they need in a way that makes it easy and intuitive for them to access."
Most firms rely on privilege-based schemes to control information. The rule of least access, for example, stipulates that employees are given only the minimum level of access required to carry out their role within the firm. This approach limits creativity and initiative in precisely the place where those qualities can generate the greatest profits in data-rich enterprises: the effective use of information. This dynamic often leads firms to ignore or relax controls. A 2008 study of an investment bank found that between 50 and 90 percent of employees were over-entitled with respect to data access.
"Least access is the industry aspirational practice, but in reality it's broken everywhere," Johnson says. "Organizations waste incredible amounts of resources and time trying to implement this approach which falls down all the time."
Xia and Johnson's research shows that a program including escalation and incentives is a more effective way to govern information access than privilege controls alone. Starting from a base level of access, employees are able to escalate into controlled data without a time-consuming approval process. Though such escalation schemes increase the likelihood of data loss or abuse, the authors show that firms can mitigate those risks by later auditing escalation decisions and penalizing employees who are found to have abused the privilege.
The authors caution that an escalation model should not be used with a firm's most sensitive information. However, says Johnson, "There are vast sections of information access where, rather than trying to screw down every piece of data, it works better to use an incentive and audit approach."
The research was inspired by Johnson's month-long study of a large investment bank. Knowing that the analysis would rely extensively on game theory and economic principles, he enlisted the help of Xia. An assistant professor of information systems at UNC's Bryan School of Business and Economics, Xia is also a research fellow at Tuck's Center for Digital Strategies, which Johnson directs.
The collaboration yielded an elegant economic model expressed in a seven-page mathematical proof, the core tenet of which is simple: Information access is not a computer science problem. It is a question of business management, the goal of which should not be to limit access to information but rather to facilitate it.
X Zhao and ME Johnson, "Managing Information Access in Data-Rich Enterprises with Escalation and Incentives," International Journal of Electronic Commerce
Xia Zhao is an assistant professor of information systems at the Bryan School of Business and Economics at the University of North Carolina at Greensboro