Research Spending & Results

Award Detail

Awardee:VANDERBILT UNIVERSITY MEDICAL CENTER
Doing Business As Name:Vanderbilt University Medical Center
PD/PI:
  • Daniel Fabbri
  • (615) 936-6867
  • daniel.fabbri@vanderbilt.edu
Co-PD(s)/co-PI(s):
  • Bradley A Malin ~000502423
  • Laurie Novak ~000651853
Award Date:07/06/2015
Estimated Total Award Amount: $ 300,000
Funds Obligated to Date: $ 300,000
  • FY 2015=$300,000
Start Date:10/01/2015
End Date:09/30/2018
Transaction Type:Grant
Agency:NSF
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:EAGER: Managing Information Risk and Breach Discovery
Federal Award ID Number:1536871
DUNS ID:079917897
Parent DUNS ID:024199668
Program:Secure & Trustworthy Cyberspace
Program Officer:
  • Nina Amla
  • (703) 292-8910
  • namla@nsf.gov

Awardee Location

Street:1161 21st Ave. South
City:Nashville
State:TN
ZIP:37232-5545
County:
Country:US
Awardee Cong. District:05

Primary Place of Performance

Organization Name:Vanderbilt University Medical Center
Street:1400 18th Avenue South
City:Nashville
State:TN
ZIP:37212-2809
County:Nashville
Country:US
Cong. District:05

Abstract at Time of Award

Increasing demands for data access dominate privacy concerns, putting both data and organizations at risk. However, there is currently a shortage of research on how organizations develop and maintain practices to ensure information privacy. Small-scale, preliminary investigations suggest there is variation in organizational practices and those that have been studied only minimally reflect documented organizational policies. While technologies exist to help monitor accesses to data, they are rarely deployed, such that manual audits remain the norm. This project aims to improve security measures in organizations by better understanding risk management and breach discovery life cycles. Traditional technological solutions lack grounding in real organizational routines, resulting in poor fit with existing work practices and limited adoption. The problem demands a multi-disciplinary effort to represent organizational risks and practices, theory to quantify the risk, and methods to translate the findings for privacy and security practices and technologies that seek to mitigate the risk. This work will influence the development and deployment of technological cybersecurity tools in multiple industries. Specifically, it will provide concrete assessments of breach management routines, how they are structured, and the uptake that can reasonably be expected of breach management technologies given industry-specific constraints. This project uses a sociotechnical approach, integrating qualitative data on privacy practices, and perceived constraints and influences within the process, into a computational model that will be used to represent constraints and influences on the deployment of privacy and security measures. This model will account for various actors within the privacy and security hierarchy, such as compliance officers, security officers and executives. It allows for conceptualization of organizational practices and the areas of potential adaptation for the practices.
In particular, the computational contributions are two-fold: (i) an optimization problem formulation of the risk management and breach discovery life cycle, and (ii) a taxonomy of perceived organizational risks and their mapping to mitigating technological measures. In addition, these computational methods will inform changes in the life cycle process and gaps among current technological offerings. Results include tools that analyze an organization's security routines and risk perspectives and output organizational guidance to better manage risk.