Information Risk in Financial Institutions: Field Study and Research Roadmap

  • Sara Sinclair
  • Sean W. Smith
  • Stephanie Trudeau
  • M. Eric Johnson
  • Anthony Portera
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 4)


Large financial firms with thousands of employees face many challenges in ensuring that workers have access to the information they need while controlling access to data they do not. We examine the problems of role lifecycle management and entitlement review processes in the context of large financial institutions. We describe observations from field study research in both retail and investment banks. We examine technologies that enable role and entitlement management and present a roadmap for future research.


Keywords: Access control, information risk, entitlement, provisioning, matrixed organizations, organizational complexity





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Sara Sinclair (1)
  • Sean W. Smith (1)
  • Stephanie Trudeau (1)
  • M. Eric Johnson (2)
  • Anthony Portera (2)

  1. Department of Computer Science, Dartmouth College
  2. Center for Digital Strategies, Tuck School of Business at Dartmouth
