Secure information sharing in Integrated Operations
MetadataShow full item record
The oil and gas industry in Norway is moving towards Integrated Operations (IO) to provide better, safer and more cost-effective operations. IO, as it is envisioned, will rely on extensive sharing of information and resources within, and across company borders. The industry is at the same time very competitive, and combined with extensive sharing of information it unfortunately can increase the potential for misuse of shared information. Usage control is a concept to let companies restrict and control how information is used, and retain the control of information beyond their systemsÕ boundaries. While other security mechanisms such as firewalls, intrusion detection systems and anti-virus software are commonplace in the industry, protection of shared information from misuse remains limited. The goal of this PhD has therefore been to better understand the (lack of) uptake of usage control technology to protect and control shared information in the Norwegian oil and gas industry. The work presented in this thesis includes an overview of proposed enforcement schemes for usage control, including a summary of empirical evidence to support its appropriateness. We have investigated through a case study how industry representatives view the risk involved when sharing information, and the benefits and challenges of adopting usage control to mitigate such risk. Based on this, we have reviewed the main theories on technology adoption, the cognitive process and decision under uncertainty, and proposed a model identifying the factors affecting intention to use usage control technology. The findings suggest that there is a lack of real-world empirical evidence for the appropriateness of the any of the usage control enforcement schemes we have identified. There is a need for the research community to intensify the efforts to conduct empirical research on usage control in addition to the theoretical evaluations already conducted. From a practitioner’s viewpoint, our case study indicates that the greatest fear regarding misuse of shared information, is loss of competitive advantage and market share. To this end, practitioners consider espionage and unintentional disclosure to be the main threats. Security measures to protect shared information are considered inadequate and usage control is believed to bring improved control. However, practitioners fear problems of information being unavailable as a result of poor policy specification will only increase if usage control is deployed. The work presented here found no support for risk as a significant factor affecting intention to adopt usage control technology. In fact, we found that adoption of usage control technology is similar to adoption of general ICT solutions. Affective response, or feelings towards, usage control was found have a significant indirect effect on intentions to adopt usage control technology. This PhD project contributes empirical research on perceptions of usage control in the oil and gas industry in Norway, and could provide a starting point for similar work with other technologies and contexts.