CHAPTER TWO:

ABOUT IDENTITY

Identity

Defining identity is a somewhat controversial topic. Different dictionaries give identity distinct definitions (Cambridge English Dictionary, 2020; Merriam-Webster, 2020b). The commonalities lie in associating human behavior with personas or personalities that are uniquely associated with individuals. The behaviors, actions, and interactions that can be attributed to an individual uniquely identify that person and are part of his or her identity.

Identity can be divided into two categories: physical and digital identities, as illustrated in the diagram below. They are the two essential identity aspects identified in the literature (Alashoor, Baskerville, & Zhu, 2016). Associating the physical with the digital is very important to increase the trust and authenticity of digital interactions (Camp, 2004).

Figure 1. The Two Major Categories of Identity.

Digital identity encompasses online personal data and digital interactions described in the diagram below. Digital identity contains personal identifiers, attributes, and digital relationships and interactions (Alashoor et al., 2016).

Figure 2. Digital Identity Composition.

Due to the continuous improvements and discoveries as part of the evolution of technologies, the definition of digital identity is continuously changing with technology enhancements. What is valid currently might not be valid in the near future; it may likely evolve or morph into a different definition. Likewise, the description of digital identity will probably change with time (Sullivan, 2018).

From an academic perspective, researchers have tried different approaches to identify the online attributes of digital identity and their economic impacts (Mueller, Park, Lee, & Kim, 2006).

Sullivan, a renowned researcher in the digital identity space, explored digital identity from a legal perspective and highlighted the necessity of the right to have a digital identity for everyone from an international perspective (2018).

Trust is very important in online interactions. Establishing trust is critical when bridging the gap that associates digital and physical identity together. Researchers have tried to define digital identity, its problems, and the issue of trusting it in cyberspace while considering the different aspects of digital identity when authenticating the digital with the physical (Katzan, 2011).

Privacy

Privacy is defined by the Merriam-Webster English dictionary as the “freedom from unauthorized intrusion” (Merriam-Webster, 2020a). It is the right of a person to be let alone if the individual requests it. To understand how privacy relates to the individual, understanding personal data privacy is essential.

Personal data privacy is construed to be the freedom of personal data from unauthorized intrusion (International Association of Privacy Professionals, 2020). When personal data privacy is mentioned in social circles, most people refer to the massive data breaches that affect large organizations. The intrusion of wearable technologies, including Apple’s Siri and Amazon’s Alexa, as well as the intrusion on privacy that online social networks cause, amplify the effect of data privacy intrusion (Srivastava & Geethakumari, 2013). Thus, it is important to understand data privacy risks.

Data Privacy Risks

Facebook, Target, Experian, Marriott, Amazon, and many other Fortune 100 organizations were victims of cyber-attacks or were involved in leaking personal data unintentionally or intentionally to third-party organizations. These Fortune 100 breaches are among the cases of personal data compromises that have led to personally identifiable information (PII) being exposed to unwanted parties. One of the most recent breaches that exposed millions of records is the Marriott breach from 2018 (Perlroth, Satariano, & Tsang, 2018). The New York Times featured this breach on its front page in December 2018 because of its severity and its implications for millions of people globally, wherever Marriott had a presence. The abstract of the front-page article is below:

The hotel chain asked guests checking in for a treasure trove of personal information: credit cards, addresses and sometimes passport numbers. On Friday, consumers learned the risk. Marriott International revealed that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests. (Perlroth et al., 2018)

Internet users struggle to keep control of their personal data and lose track of what they have used and disclosed online. Losing control of online data creates a high risk and increases the probability of data being found in the hands of unwanted parties. There is also an emerging risk attributed to a multitude of websites, applications, and software requiring login credentials and personal information, which causes users to lose track of what data they stored on what platform (Florencio & Herley, 2007).

Professionals are busy and have a short memory span; they cannot remember what information they stored on what website (Florencio & Herley, 2007). Staying on top of the information provided to different web applications becomes more essential with every new application used, in order to maintain visibility over digital personal data and reduce risks, as recommended by the National Institute of Standards and Technology’s Cybersecurity Framework (National Institute of Standards and Technology [NIST], 2018a). Similar to NIST, governments around the world started to take action to pass privacy-related laws and regulations.

Privacy Laws, Regulations, and Frameworks

Different jurisdictions, like the United States and the European Union, passed laws to address the gap in regulations. These have all been separate initiatives to try to protect digital information and identities. With the emergence of these rules and regulations, people lack awareness of what these rules do and what kinds of risks they help protect against (Sullivan, 2018). One recently published law that had a significant international impact on digital personal information is the General Data Protection Regulation, enforced in the European Union (European Union, 2016).

The National Institute of Standards and Technology (NIST) put together a framework, NIST 800-63-3, explaining digital identity and its attributes. In essence, the framework was geared towards enterprises and United States government agencies, to be used as a guideline to manage digital identity and authentication mechanisms. This framework defines digital identity as well as its attributes and minimum technological use standards (NIST, 2017).

The NIST cybersecurity framework (NIST CSF) serves as an overarching model for the cybersecurity readiness of an enterprise. It includes modules that assess the cybersecurity readiness of an organization but can also be applied to individuals, specifically the awareness and training modules, which apply to individuals being aware of risks and being trained to identify cyber risks (NIST, 2018a).

Digital Identity Management

Digital identity management includes the use of cybersecurity tools, as well as training and awareness, in order to help with managing cyber risks.

Cybersecurity training available on the market attempts to establish a baseline of awareness among its recipients. Phishing training and awareness were created as a way to make people more aware of known hacker techniques that are used to steal people’s information and compromise their personal data (Higashino, Kawato, Ohmori, & Kawamura, 2019).

Several tools and solutions to manage aspects of digital identity, similar to LifeLock and LastPass, emerged in the last ten years. The tools on the market that help in managing digital identity and enhance people’s awareness and visibility over their digital identity are lacking; they need to be more user friendly in order to increase their adoption (Choi, Wang, & Lowry, 2020).

Several aspects covered in this chapter leave a lot of intriguing ideas to be further explored in detail from the lens of academics and practitioners in the literature review chapter that follows.

