Incident command systems are management tools for organizing emergency response and ..... organization's Microsoft Windows Server enterprise architecture.
Emergency Response Systems and Biometrics: Assessing Firefighter Privacy Concerns
Alexander McLeod University of Nevada, Reno Darrell, Jan Guynes Clark Carpenter University of Texas at San Antonio
ABSTRACT Two persistent resource management issues that arise in coordinated emergency response efforts are the timely delivery of accurate resource data to decision makers and effective methods for maintaining personnel accountability. Most emergency response agencies rely on manual systems to address each of these issues separately. These manual systems are often inefficient and hinder the effectiveness of the emergency response effort. In this research, we develop and deploy a pilot test system that integrates biometric authentication with incident command data to provide increased capability in both areas as well as enabling new functionality through integration. We also develop an instrument to capture privacy concerns associated with using biometric systems and survey target users of the system to assess their potential concerns. This research effort is supported through funding from the Building and Fire Research Laboratory, a division of the National Institute of Standards and Technology. Keywords:Emergency response, Incident Command, Biometrics, Personnel Accountability, Privacy, Decision Support Systems, Human-Computer Interaction, Resource Management Introduction Since 9/11, firefighting as a governmental service has increased its awareness of management and security issues to meet national directives and gain improved control of fire ground resources while performing its primary missions of saving lives and property. In order to meet these imperatives, fire departments across the nation have turned to a variety of managerial systems to support the incident commanders who coordinate emergency workers and resources at the disaster site.
In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-2 Fire fighting resource management systems follow the doctrine established in The National Fire Protection Association (NFPA) Standards for fire ground safety. NFPA 1500 – Firefighter Occupational Safety and Health describes the goals and requirements related to accountability systems. NFPA 1561 – Standard for the Fire Ground Incident Management System establishes the conceptual framework and principles necessary to establish effective incident command systems . These standards require fire departments to establish standard operating procedures to track and account for emergency workers at an emergency site. Lessons learned from previous large scale emergencies indicate that all personnel who may operate together on a single incident must use the same system (Jakubowski and Morton 2001). However, the vast majority of fire departments experience problems in tracking and accounting for individual members who respond to fires and other types of emergency incidents (Coleman 2001). Personnel accountability has become increasingly important in the fire industry over the last 15 years because of a series of firefighter deaths (U.S. Department of Homeland Security 2007). Personnel accountability systems are manual or electronic management tools for maintaining accurate information about who is present at an emergency scene. In addition to improving firefighter safety, accurate and timely information concerning who is present is needed to strategically manage any emergency While national standards require that all fire departments develop and maintain personnel accountability systems, they do not dictate what type of system must be used. Thus, there is a wide array of manual systems. Most fire departments use a manual tag or token that identifies individuals. These tokens are collected and organized so that units of workers (termed companies) may be tracked or assigned to work areas (termed sectors) (Coleman 2003; Morris 2000). More advanced manual systems use barcode readers and color keyed tags to handle personnel accountability (Teele 1993). Unfortunately, tag systems are inadequate due to a number of deficiencies (Coleman 2003). They are cumbersome (Bertrand 1998) and often are not used until an unexpected event occurs and accountability becomes a safety issue (Jakubowski and Morton 2001). Shortcomings of tags systems include 1) tags kept on specific apparatus where the firefighter is assigned thus identifying the individual’s normal assignment rather than their current working position and 2) lost or misplaced tags. Perhaps a more serious implication is related to the time honored tradition of “trading time” and its impact on the tag system. Because of these deficiencies, personnel accountability systems must rely on more than just simple manual systems. Organizations must combine well-practiced use of incident management systems as well as reliable and effective communications between command and sectors (Schurr et al. 2006). Incident command systems are management tools for organizing emergency response and resources into a unified strategic operation. These systems typically keep track of resource allocation during emergency events. As incident command systems and accountability systems become more pervasive, the integration of these systems is necessary to improve usability and accountability (Kristensen et al. 2006). In addition, newer technologies can enhance accountability management and security by supplying “virtual accountability” to incident management systems thus relieving the incident commander of some performance pressures (Paton 1999). In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-3
The present research effort focuses on a novel application that integrates an electronic incident command system with a biometric-based accountability system in an organization referred to as Fire 911. Fire 911 is a large municipal fire service located in the Southwest serving over 1.32 million citizens. The city operates 49 fire stations covering a 368 square mile area. There are over 1041 paid fulltime firefighters staffing 49 engines, 19 ladder trucks and 18 first responder squads. The firefighting division also operates a hazardous materials response team, a technical rescue team and an airport crash-rescue team. Firefighting operations are comprised of three shifts working 24 hours on and 48 hours off. An Assistant Chief supervises each shift. Personnel on duty are segmented into seven districts, each supervised by a District Chief. The seven districts maintain approximately 286 firefighters on duty during each shift. In fiscal year 2005-2006, the fire companies responded to 93,277 calls for assistance. A “still alarm” describes small-scale incidents that are manageable by a single company. Single or multiple alarms, depending upon the severity, signify emergencies requiring greater manpower and resources. For single alarm fires, a District Chief with an Aide responds to supervise three engine companies and a ladder truck with a total of 13-17 firefighters. This District Chief becomes the designated incident commander. If these units are insufficient to control the situation additional resources can be called “piecemeal” or an additional alarm can be initiated providing three more engine companies and another ladder truck. A second alarm would typically double the number of units resulting in a total dispatch of six engines, two ladder trucks and an additional District Chief to assist the incident commander. Typically, 26-34 firefighters are available during a second alarm. The number of responders continues to escalate with the number of alarms, depending on the degree of damage, risk and resources needed. Following a fifth alarm, a general alarm consumes all firefighting resources except those sparsely covering other areas of the city. The incident management system currently in use is a manual system developed “in house”. It is composed of white boards specifically designed to handle resource allocation and sector assignment. The white board serves as a proxy for the incident scene. Individual companies create pre-plans of building occupancies and area attributes for use during emergencies. These plans are available to assist the incident commander in allocating resources. The Aide assists the District Chief in coordinating and controlling resources assigned to sectors. Typical sectors might include several tactical units advancing hose lines, search and rescue, roof sector for ventilation, staging sector, rehab sector, medical sector, technical rescue, and any other needed tactical activity. If the incident grows sufficiently large, the District Chief must ensure any additional support functions are manned and controlled. The incident commander may rely upon District Chiefs as sector officers to control these functions or to manage advanced units. Police, emergency medical services, and external agencies may be required to assist. The incident commander usually requests a liaison from these agencies at the command post for direct communication and control. Finally, if the incident last several hours, the commander must cycle personnel through rehab for hydration and cooling. Blood In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-4 pressure and heart rate are periodically monitored in rehab as an additional safety measure. Personnel accountability is one of the most serious stressors encountered. As the number of sectors grows, managing the incident becomes more complex and difficult (Morris 2000). Accountability issues become critical and often siphon much needed manpower to manage the personnel accountability system. Obviously, keeping track of these resources is mentally challenging and incident commanders may suffer serious stress which can ultimately affect their decision-making abilities (Paton 1999). Firefighter injury and death are ever-present risks during large-scale incidents. Reducing the burden of maintaining personnel accountability might help the decision maker produce better tactical decisions. This paper reports on a research in progress for reducing the stresses introduced by accountability requirements at large-scale emergencies. Specifically, we are conducting a pilot study incorporating biometric technology with an incident command system to improve the fire ground commander’s knowledge of tactical resources and personnel available for sector assignment. This system is currently being implemented at Fire 911 for feasibility testing. Both incident commanders and firefighters will evaluate the system to assess suitability and determine the system’s impact on current fire ground practices. Literature review Successful deployment of organizational information systems requires consideration of a multitude of factors. Careful analysis of information flows and meticulous specification of requirements can help ensure the system meets organizational needs. However, it is often much more difficult to gauge employee reactions to new systems. Users often react based on their perceptions of the change the information system will bring (Lapointe and Rivard 2005) and their assessment of procedural fairness (Eddy et al. 1999). Procedural fairness is the notion that the organization’s methods and motives with respect to the system are fair to the individual (Greenberg 1987). Users who sense that a system poses a threat to their status within the organization, their autonomy, or privacy may exhibit resistance through a variety of behaviors (Lapointe and Rivard 2005). Organizations should consider potential objects of resistance related to new systems and develop appropriate mitigation strategies to enhance the likelihood of success. A potential object of resistance related to our pilot system is the use of biometric devices for accountability and privacy concerns associated with such a system. We address this issue by discussing the extant literature and developing an instrument appropriate for measuring end user perceptions of system privacy concerns. Biometric authentication as an accountability measure In recent years, biometric systems have become a viable alternative to traditional authentication mechanisms. Biometric technologies positively identify people by fingerprints, iris scans, retinal scans, voiceprints, or even the manner in which they walk. In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-5 In other words, biometric samples are representative of physiological or behavioral attributes of the individual (Chandra and Calderon 2003). They are highly distinct and difficult to fake (Prabhakar et al. 2003). These unique properties of biometrics provide a means of assuring that a specific individual is actually present. In contrast, accurate accountability in other manual systems can be thwarted if individuals share passwords or inadvertently pick up someone else’s ID badge or equipment. This distinction becomes important given the realities of the fire-fighting environment. Fire fighters in many locales can informally trade time with their peers under the terms of their employment contract. This flexibility can introduce uncertainty into the resource management process, making it difficult to track the entire skill set of an individual. Manual accountability systems usually lack the capability of tracking individual qualifications beyond primary firefighting skills. Some of these additional qualifications, such as swift water rescue, rappelling / high angle technical rescue, or hazardous material handling may be of critical importance at the incident scene. As the complexity of largescale incident scenes continues to grow, incident commanders need to know who is actually there, what skill set each person possesses, and the task or unit sector to which they are assigned. Biometric authentication of fire fighters can enable this increased level of resource information and, when combined with an appropriate incident command system, deliver it to the on-scene commander. At first glance, deployment of a biometric system that delivers timely, accurate information to incident commanders appears to have positive implications for both the organization and the employee. The technology is maturing and biometrics are deployed in an ever-increasing number of applications where access control or positive identification of an individual is desired. Generally, biometrics have been well accepted with users reporting a fairly low level of privacy concerns (Wayman 2000). However, reactions to biometrics in the employment realm have been considerably more mixed. This equivocal reaction means employers may face allegations of unfair labor practices (Kelly and Herbert 2004) or other potential legal repercussions if they fail to consider user concerns. Courts may even force organizations to renegotiate labor contracts when deploying biometric systems (Kelly and Herbert 2004). Thus, it is important to consider the underlying factors that may precipitate adverse employee reactions prior to a largescale system implementation. Privacy issues associated with biometrics Perhaps the difference between using biometrics in the employment setting and other arenas lies in the definition of privacy itself. Privacy can be defined as “the ability to personally control information about one’s self” (Stone et al. 1983). This definition encompasses three concepts that describe the various facets of the relation between an individual and personal information, These concepts are 1) the ability to control information about one’s self, 2) the ability to control one’s interactions with others, and 3) the ability to be free from control by others (Stone and Stone 1990). When an individual controls information about himself, he can selectively choose who receives the information and thus manage impressions made from that information. Controlling In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-6 interactions with others provide a means of structuring the individual’s social environment. This structure includes regulating the stimuli associated with social contact and establishing a comfortable personal space. Finally, by maintaining personal control over information, an individual limits opportunities for other entities to exert control by misuse of personal information. Considering the definition of privacy and its underlying concepts, it becomes evident that the issues related to biometrics and privacy in the workplace result from a perceived lack of ability to control the flow of information to the employer and its subsequent uses. This situation is exacerbated because privacy laws have not yet matured with respect to biometrics (Woodward 1997a; York and Carty 2006). One way to examine the privacy issue with respect to biometrics is to look at potential concerns associated with the general concept of authentication. Regardless of the mechanism used, individuals who are required to prove their identity may feel that they are at risk for 1) covert identification, 2) excessive use of identification technology, 3) excessive aggregation of personal information, and 4) chilling effects (Kent and Millet 2003). Covert identification is the notion that someone will use authentication information to identify an individual without his or her knowledge. This activity deprives the individual of the ability to control information flows. The covert observer may draw conclusions about the individual without that person having an opportunity to project a desired impression. Excessive use of identification technology is concerned with using a small number of identifiers across a large number of systems. As the number of records with the same identifier grows, there is an increased probability that individual records will relate to each other in unanticipated ways. This phenomenon can lead to excessive aggregation of personal information from these systems. This aggregation may provide a ready source of information that was not available from any individual record. Credit reports provide an excellent example of how individual financial institution records can be combined to develop a complete, and potentially undesirable, view of an individual’s overall financial situation. Eventually, an entity that controls a large number of connected information systems may be able to exert social control over an individual by manipulating data connections or simply invalidating the person’s identity marker. This is the chilling effect of authentication gone awry. A second privacy perspective views concerns through the lens of organizational privacy practices. Smith et al. (1996) describe four organizational practices that elicit concern about individual privacy. These practices are 1) collection, 2) unauthorized secondary use (both internal and external), 3) improper access, and 4) errors. Along with these four primary organizational practices, the authors contend that organizational information handling practices can also lead to reduced judgment when humans are removed from the decision making process. They also express concern over organizational practices that enable unfettered data aggregation (Smith et al. 1996). A third method of examining privacy concerns is to focus on the technical feasibility of various invasion tactics specifically related to biometrics. From this standpoint, there are three potential threats that should be considered. These threats are 1) covert identification, 2) unintended functional scope, and 3) unintended application scope In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-7 (Woodward 1997b). Examples of other functions that are technically possible with certain biometric traits include screening individuals for signs of stress and testing for genetic markers such as sickle cell trait. While unintended functional scope involves uses other than authentication, unintended application scope involves authenticating a person in a manner other than originally intended. This might include using a biometric supplied as a computer access token to conduct criminal background checks or credit checks. The combination of general authentication privacy issues, organizational practices and technical privacy attacks against biometric systems provides the basis for developing a user-centric view of privacy concerns specifically associated with biometric systems. We integrate these perspectives to produce three constructs that capture the user’s view of security issues associated with biometric authentication systems. We label these user perceptions perceived accountability, perceived vulnerability, and perceived trust. Perceived accountability is the notion that users will be more accountable for their actions when they log in with a biometric sample than when they log into a system via other means, such as ID and password. The number of alternative plausible explanations for a disputed login is substantially lower when biometrics are employed and thus the users may feel that they are being held to a higher level of accountability. Perceived vulnerability describes the user’s feelings that the entity storing his or her biometric data may not be completely secure. Regardless of the users’ trust in the entity, they may question the entity’s ability to protect the stored biometric samples from unintentional disclosure or compromise. Both perceived accountability and perceived vulnerability are based on the assumption that the users implicitly trust the organization to act with due diligence. Conversely, perceived trust relates to the user’s belief that the organization controlling the biometric system will use it only for the functions and applications disclosed to the user. If the user believes that the organization will use the biometric information for other purposes, they are likely to be concerned about the impact of those other uses. The level of privacy concern, as captured by the three constructs described above, is expected to affect user attitude toward using the biometric system. We will test this model to determine if the level of privacy concerns and the corresponding affect on attitude warrant additional measures such as training or development of specific system governance mechanisms to mitigate threats to system use. Methodology The primary components of the integrated incident command and personnel accountability system are a “commercial off the shelf” incident command software package and biometric authentication platform. These components will interface with existing mainframe-based dispatch and fire fighting personnel systems via web services. Fire fighters will use existing personal computers within the fire station and mobile computers mounted on apparatus to complete the biometric authentication process. We will install a custom biometric authentication application specifically designed for the operational environment on all systems. These systems will also be fitted with an assortment of optical and silicone-capacitive biometric fingerprint sensors for the pilot In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-8 test. Incident commanders will access data via ruggedized laptops located in command vehicles. Both the fire fighting apparatus and command vehicles will connect to backend systems via the department’s existing wireless network. The pilot test system is funded by a grant from the Building and Fire Research Laboratory, a division of the National Institute of Standards and Technology. During the pilot test, we will develop and deploy the integrated incident command and personnel accountability system at a single station within the Fire 911 organization. The site for the pilot study was determined during discussions with senior department leadership. The selected location provides a wide variety of apparatus and specialized functions as well as many administrative functions. During system planning, the senior leaders also voiced several concerns that were addressed in the final system design. Among those concerns were 1) a desire to limit changes to existing fire fighting information systems, 2) a preference for inter-system communications based on open standards such as XML / SOAP, 3) a system that is scalable to accommodate a very large organization, 4) a system that could integrate multiple agencies at a future date, and 5) a system that would not tie the department to a single hardware vendor. Based on the organization’s preferences, we selected SAFLink Corporation’s SAFSolution Enterprise Edition as the biometric authentication platform for the personnel accountability component. The SAFLink product can integrate with an organization’s Microsoft Windows Server enterprise architecture. Biometric information is stored in the Windows Server system’s Active Directory database. This solution provides a convenient single point of control for managing all network application access including the program used for the accountability component. Further, the SAFSolution Enterprise Edition product is highly scalable and accepts hardware biometric devices from a variety of vendors that support the BIOAPI open standard. While the SAFSolution product is designed to integrate with Microsoft’s Active Directory database, the organization was understandably hesitant to commit to changes the software would make to the enterprise network domain. Thus, for the purpose of the pilot study, we installed the biometric authentication software on a separate server that will authenticate fire fighters through a custom authentication application. This authentication application will rely on the vendor’s software development kit to provide the functionality that allows authentication to this separate server. We will install biometric fingerprint readers via USB ports on personal computers throughout the fire station and on ruggedized laptops within each apparatus. Fire 911 selected and purchased Salamander Technologies’ FireTrax incident command software to fulfill the command component requirement. The FireTrax system is capable of supporting a large organization and integrating multiple agencies (police, emergency medical services, etc.) into the system. Additionally, it supports the open standard communication protocols necessary for the integrated system to function. This communication capability will allow the incident command program to receive information from existing fire fighting systems. The system is primarily designed for use by District Chiefs. They will access the system via ruggedized laptops located in their response vehicle. In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-9
Figure 1 depicts operation of the system. When fire fighters report for duty, they will log on to a computer within the fire station or on the apparatus using their assigned computer access account. They will launch the biometric authentication application, select the apparatus and position they are filling on the shift from the interface, and provide a fingerprint image to authenticate. The biometric server will authenticate the individual and return the authentication status to the application. The application will then forward user information including apparatus assignment, position assignment and authentication status to the mainframe-based Fire Fighting Personnel System (FFPS). At this point, the FFPS will update the status to show that the individual is on-duty in a particular position. System rules prevent the assignment of more than one person to a single position or the same individual to more than one position. When a caller requests assistance by dialing 911, a dispatcher receives the call and enters the appropriate data into a mainframe-based Computer-Aided Dispatch (CAD) system. The CAD system initiates an alarm to dispatch a unit. Once the incident begins, a District Chief can launch the incident command software in a mobile command vehicle as appropriate. The incident command program will query the CAD system and FFPS via a web service to retrieve information on the call and the personnel who are responding. An XML document will display the results as a group of objects arranged in a hierarchical structure of sectors and units. Incident commanders can click on a specific unit to see detailed information about individuals such as qualifications and authentication status. The result is a single interface that provides real time consolidated resource management and accountability information.
In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-10
Figure 1. Integrated system conceptual diagram
Privacy concerns testing We will assess firefighter privacy concerns via surveys using a pre-test and post-test design. Prior to the pre-test survey, the twenty-item survey instrument will be validated using approximately 200 fire fighters from within the Fire 911 organization not stationed at the pilot test site. These responses will ensure the validity and reliability of the instrument. Following validation but prior to system activation, we will administer the validated instrument to all fire fighters at the pilot test site. Once the pre-test surveys are complete, we will activate the system and concurrently enroll and train the firefighters on the use of the authentication application. We will record usage data over a period of approximately three months following implementation. At the end of the three-month period, we will conduct a post-use survey of subjects at the pilot test site. We will compare the pre- and post- surveys to determine 1) the level of privacy concerns prior to using the biometric authentication system, 2) the change in privacy concerns after a period of system use, and 3) the correlation between reported privacy concerns and actual system usage patterns. In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-11
Current status and discussion The integrated incident command and personnel accountability system is currently undergoing integration testing. We have individually tested most components including the incident command application, biometric authentication application, and required web services in a controlled environment. We are now testing the systems on the operational network. Following this phase, we will install hardware and software in fire fighting apparatus assigned to the pilot test site process, the system will be ready for operational use. The privacy concerns survey instrument has been developed and reviewed by domain experts in fire fighting, privacy, biometrics and survey design. The institutional review board approved the instrument for use in human subject research and it is ready for validation testing. We expect both the pilot system test and privacy concerns measurement to be complete by August 2008. References Bertrand, M. "Planning for a Personnel Accountability System," National Fire Academy, Beaumont, TX. Chandra, A., and Calderon, T.G. "Toward a Biometric Layer in Accounting Systems," Journal of Information Systems (17:2) 2003, pp 51-70. Coleman, J.F. Managing Major Fires Penn Well Books, 2001. Coleman, L.S.J. "Comprehensive Study of Personnel Accountability Systems in the Fire Service," Eastern Michigan University School of Fire Staff & Command Program, Dearborn, MI, pp. 1-36. Eddy, E.R., Stone, D.L., and Stone-Romero, E.F. "The Effects of Information Management Policies on Reactions to Human Resource Information Systems: An Integration of Privacy and Procedural Justice Perspectives," Personnel Psychology (52) 1999. Greenberg, J. "A Taxonomy of Organizational Justice Theories," Academy of Management Review (18) 1987. Jakubowski, G., and Morton, M. Rapid Intervention Teams Fire Protection Publications, Stillwater, OK, 2001. Kelly, D., Jr., and Herbert, W.A. "When James Bond Enters the Workplace: Use and Abuses of Technology—A Guide for In-House Counsel and Litigators," 2004. Kent, S.T., and Millet, L.I. Who Goes There? Authentication Through the Lens of Privacy The National Academies Press, Washington, D.C., 2003. Kristensen, M., Kyng, M., and Palen, L. "Participatory Design in Emergency Medical Service: Designing for Future Practice," Conference on Human Factors in Computing Systems Montreal, Canada, 2006, pp. 161-170. Lapointe, L., and Rivard, S. "A Multilevel Model of Resistance to Information Technology Implementation," MIS Quarterly (29:3) 2005. Morris, G.P. "The Sector Officer: The "Workhourse" of Command," Fire Engineering (153:9) 2000, p 70. Paton, D. "Disaster stress: an emergency management perspective Douglas Paton, Rhona Flin The Authors," Disaster Prevention and Management (8:4) 1999, pp 261-267. Perry, R.W. "Incident management systems in disaster management," Disaster Prevention and Management (12:5) 2003, pp 405-412. Prabhakar, S., Pankanti, S., and Jain, A.K. "Biometric Recognition : Security and Privacy Concerns," IEEE Security & Privacy) 2003.
In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
Pg 8-12 Schurr, N., Patil, P., Pighin, F., and Tambe, M. "Using multiagent teams to improve the training of incident commanders," Proceedings of the Fifth International Joint Conference on Autonomous Agents and Multiagent Systems, 2006, pp. 1490-1497. Smith, J.H., Milberg, S.J., and Burke, S.J. "Information Privacy: Measuring Individuals' Concerns about Organizational Practices," MIS Quarterly (20:2) 1996. Stone, E.F., Gardner, D.G., Gueutal, H.G., and McClure, S. "A Field Experiment Comparing InformationPrivacy Values, Beliefs, and Attitudes Across Several Types of Organizations," Journal of Applied Psychology (68:3) 1983. Stone, E.F., and Stone, D.L. "Privacy in Organizations: Theoretical Issues, Research Findings, and Protection Mechanisms," Research in Personnel and Human Resources Management (8) 1990. Teele, B.W. NFPA 1500 handbook National Fire Protection Association, Quincy, MA, 1993, p. 343. U.S. Department of Homeland Security "Firefighter Fatalities in 2005," FA-306, pp. 1-112. Wayman, J.L. "National Biometric Test Center Collected Works," San Jose State University. Woodward, J.D. "Biometric Scanning, Law & Policy: Identifying the concerns -- Drafting the Biometric Blueprint," University of Pittsburg Law Review (59:1) 1997a, pp 97-155. Woodward, J.D. "Biometrics: Privacy's Foe or Privacy's Friend?," Proceedings of the IEEE (85:9) 1997b, pp 1480-1492. York, A., and Carty, L. "Privacy: Biometric Technology and Privacy in the Workplace," 2006.
In Proceedings of the 7th Annual Security Conference, June 2 - 4 , 2008, Las Vegas, NV www.security-conference.org
