Elin Wihlborg, Mariana S. Gustafsson: Organizing safe on-line interaction and trust in governmental services
1. Electronic identification in
practice
– a case study of use and organization
of eID in public e-services in schools
Elin Wihlborg & Mariana S. Gustafsson
IEI, Department of Management and Engineering
Linköping University
2. • To analyse from different perspectives the development of e-
identification (eID) systems at policy level and in practice
• From a social, organizational and technical perspective follow and
critically analyse development processes, implementation and use of
secure eID systems.
• Analyse development processes from early solutions for eID through
currently used eID-systems towards complex federation solutions.
• By analysing e-ID policy-making and practice to develop knowledge
about the meaning of eID for factual and perceived information
security in the private and public e-services.
FUSe:
22.05.13
Our study
3. Based on the presentation and the paper:
Q1 Methodological
a) What assumptions do you perceive I have had in this empirical study?
b) What assumptions are common when studying information security
matters?
Q2 Conceptual
a) Discuss what the construction of the concept of ’security’ implies among
the people (citizens) in an organisational set-up (schools), using technical
artefacts (e-ID, ICT, e-services):
o Matter of TRUST (Wihlborg 2011, Melin & Wihlborg 2011, Rothstein 2009 )
o Private/public relation
o Perceived/factual security (Oscarson 2007)
o Matter of IDENTITY (Castells 1997, Wihlborg 2012)
4. eID in Sweden
• Introduced in 2002, 10 years of practice
• Used by the citizens in e-services provided by the
Swedish Tax Authority, Försäkringskassan,
Landstinget, the local municipality, the banks.
• Security software + BankID or ID card and a device,
based on personal security number, issued by
BankID, Telia, SEB, Posten, Nordea
• Swedish e-Identification, requirements and symbolic
meaning
5. The aim for the study:
• … to present a case study of use of electronic identification to
access ICT platforms in schools in order to analyze security
aspects, organization and potential development of the
platforms.
• The user/actor groups:
– The Management (school principals)
– The Teachers
– The Administrators
– The Pupils
– The Parents
– LK Officials
– LK IT-coordinators
– Other stakeholders (ex. eID agency, other authorities)
6. The Research Questions
• What are the experiences of use of secure log in to the ICT
platforms and e-services in the schools today?
• How is secure log in implemented in the schools today?
• How is secure log in to the e-services and the platforms
perceived by the different users?
• What development potential do the users perceive
connected to the secure identification systems in general
and security in particular?
7. Background
• Why study schools
– A large amount of information, including sensitive information,
passes through, is processed and exchanged among actors in schools.
– There is a long history of use of ICT platforms in schools.
– The New Education Act (Skollagen 2011) requires continuous follow
up of the student performance and imposes written reporting and
digital Individual Development Plans (skriftliga omdömen, SO och
digital IUP)
– Increasing administration in schools.
• The municipality autonomy
– The municipality administration/organisation vs the schools
administration/organization
8. About 145 000 inhabitants
4th largest city region in Sweden
Base for high technology industries in Aviation, IT and environment
84 schools: 66 primary and 18 secondary schools
Linköpings eVision (2006)
eServices shall facilitate for everybody to live and work in Linköping
municipality
Digital Agenda (2012)
9. ICT and e-services in schools
[Diagram: ICT platforms and e-services for pedagogics, administration & communication in the schools, and the municipality core database.
Systems named: Fronter, Dexter, Skola24, Schoolsoft, Heroma, Extens, LINSAM, TRIO, and X, Y, Z.
Functions named: learning platform; SO, IUP; e-services (application for healthcare, reporting of income, presence/absence registration, Skolvalet); personnel administration; intranet.]
10. The Sample
• Based on a preliminary mapping of schools using ICT platforms in
the municipality (A total of 84 undergraduate schools: 55 public + 11
private, ’free schools’)
• 5 schools (undergraduate + secondary) from different geographical school areas, out of which:
– 4 public + 1 free school
– 3 large (> 300 p.) + 2 small (< 300 p.)
• Linköpings municipality
– Education Administration unit
– IT sub-unit
12. Data collection: interviews and focus groups
| Activity | Place | Role | Date |
|---|---|---|---|
| Interview | School 1 | Principal | 2012.11.27 |
| Focus group | School 1 | Teacher (4) | 2012.11.27 |
| Focus group | School 1 | Pupil (9) | 2012.11.27 |
| Interview | School 2 | Principal | 2012.11.14 |
| Focus group | School 2 | Teacher (4) | 2012.11.14 |
| Interview | School 3 | Principal | 2012.10.30 |
| Focus group | School 3 | Teacher (5) | 2012.10.30 |
| Interview | School 4 | Principal | 2012.12.05 |
| Focus group | School 4 | Teacher (3) | 2012.12.04 |
| Focus group | School 4 | Pupil (3) | 2012.12.04 |
| Interview | School 4 | Teacher (6) | 2012.11.06 |
| Interview | School 4 | Fronter administrator | 2012.12.04 |
| Interview | School 5 | Fronter administrator | 2012.12.05 |
| Interview | The Municipality | IT-coordinator (2) | 2012.10.22 |
| Interview | The Municipality | System administrator (2) | 2012.11.07 |
| Focus group | The Municipality | Officials (4) | 2012.10.23 |
13. Data collection: documents
Documents
• Municipal official documents: policy documents,
annual reports, activity reports, school boards
meeting protocols (a selection).
• Public records published on the municipality’s
website.
• Brochures on Dexter and Fronter
16. Statistics on the use of Fronter
• 55 776 – total log-ins, 7 821 active users / Oct. 2012
Source: Linköpings kommun
17. Experiences of use/ a selection
• The schools differ in how far they have come in using
Fronter, depending on:
– the principal's attitude towards Fronter,
– the school’s internal organization,
– work methods for IUP,
– leadership,
– IT competence among teachers.
• eID is tested for some e-services. Technical problems
are discovered at the moment. An important question
– eID – a hindrance?
18. The organizational set up for implementation of secure
log in to ICT platforms and e-services in schools
• Unclear organisation of implementation. Unclear picture on
usability of Fronter for some principals and teachers.
• The id & password log in system is perceived as easy, but not
secure enough. eID is perceived as complicated by certain groups
of users.
• The complicated picture of eID agency, with different actors
involved (BankID, Telia etc) raises questions of user support
responsibility and efficiency.
• eID is perceived as a private attribute by some teachers that
should not be used in their regular log in at work.
19. Users' perceptions of the security of ICT platforms and e-services
• Security is perceived differently by the users:
– Most users rely on the municipality's responsibility to deal with security issues,
– The Municipality perceives the platforms and the e-services as secure.
– Fronter shall fulfil more security requirements if SO and IUP are to be processed
and stored on the platform, according to the users.
• eID is perceived as a possible but still ’unripe’ solution by the IT-
coordinators, officials and Fronter-administrators in schools.
• eID is perceived as a private attribute, not to be used at work, according to
the teachers.
• Unclear strategies:
– Sensitive information is stored on paper, on shelves.
– Sensitive work material is processed insecurely, but saving it in Fronter is not an
obvious solution.
• The schools raise demands for a flexible platform that would match the
schools' work models and not vice versa.
20. Analytical findings 1(3)
• The value of information/sensitivity stored
– Different actors perceived the information as
having different value for themselves (ex. logbook,
IUP, work material)
– Heterogeneous information (’we don’t have sensitive
information in school’)
(technical, organisational, security challenges)
21. Analytical findings 2(3)
• There is an element of TRUST involved
– Trust in LM to deal with security
– Trust in eID as an artefact (social?/technical)
– Trust in own competence to manage eID and ICT
22. Analytical findings 3(3)
• Security is PRIVATE
– eID is private (ex. teachers' use of eID at work, public realm)
– Control of the individual by the organisation, by the state
(ex. log of the activities)
– Private matters, thoughts and other information included in
work material at school (SO and IUP, logbooks)
– Security is subjective
23. Analytical findings and further questions:
• Two important aspects: safety of operation and data
security – differences in perceptions between the users and
the administrators.
• The need for secure ICT systems increases due to
increasing amount of sensitive data flows in the schools and
the requirements of the Education Act.
• Security – an issue of trust (Wihlborg 2012)
• Private vs public: eID as a private attribute to be used in the
public sphere?
• eID - legitimizing identity, legitimacy (Castells, 2007, Wihlborg
2012, Melin & Wihlborg 2011)
• eID – perceived and actual security (Oscarson 2007)
24. Empirical findings:
• Unclear organisational set-up for implementation of
Fronter and Dexter.
• There is a need to integrate the current platforms
and e-services that are used in school.
• There is a need to clarify roles and responsibilities
for user-support of Fronter
• Fronter – not an obvious solution for SO and IUP
25. Potential Development
• A technical challenge: the need for an integrated, flexible,
simple, intuitive AND secure system – is it possible?
• Organisational challenge: the need for a clear
organizational set-up
• Competence development and trust for the system
• Security challenge: current solutions do not match schools’
work methods.