Infringo Ergo Sum

摘要

Once upon a time a professor of computing and a father was complaining at a radiology ward. A CD with the X-rays of his son's chest had garbled images. Unfortunately, the CD burning process has been outsourced and, in compliance with e-health security policies, technicians could not see the images on the system. Only doctors could. The nurse had a decision to make: sidestep the father (send him away with empty hands to the pneumology ward) or sidestep the system (give the technician the doctor's password and thus the ability to access all images and not just this one). As a father he was happy of her decision. As a professor, this knowledge was of meager and unsatisfactory kind. Any human decision maker who experienced the need of a local IT infringement in order to achieve her business goals knows that she is offered only the choice between strict compliance (and failure of business goals) or global violation (and failure of security goals). Software engineers do not simply know how to deal with infringements. I believe that a different alternative should be possible. The goal of this paper is to sketch the challenges of such unexplored scientific alternative. Access Control, Infringement management, Human Factors, Requirements, Security, Socio-Technical Systems