David Botta
Konstantin Beznosov
Brian Fisher
ABSTRACT
We report preliminary results of our ongoing field study of IT professionals who are involved in security management. We interviewed a dozen practitioners from five organizations to understand their workplace and tools. We analyzed the interviews using a variation of Grounded Theory and predesigned themes. Our results suggest that the job of IT security management is distributed across multiple employees, often affiliated with different organizational units or groups within a unit and responsible for different aspects of it. The workplace of our participants can be characterized by their responsibilities, goals, tasks, and skills. Three skills stand out as significant in the IT security management workplace: inferential analysis, pattern recognition, and bricolage.
- Argus intrusion detection and prevention. http://www.qosient.com/argus/, February 2007.Google Scholar
- R. Barrett, E. Haber, E. Kandogan, P. Maglio, M. Prabaker, and L. Takayama. Field studies of computer system administrators: Analysis of system management tools and practices. In Proceedings of the Conference on Computer Supported Collaborative Work, 2004. Google ScholarDigital Library
- A. Bartels, B. J. Holmes, and H. Lo. Global IT spending and investment forecast, 2006 to 2007. Forrester Research, 2006.Google Scholar
- F. J. Börck. Discovering Information Security Management. Doctoral thesis, Stockholm University, Royal Institute of Technology, 2005.Google Scholar
- S. Bodker. Human activity and human-computer interaction. In S. Bodker, editor, Through the Interface: A Human Activity Approach to User Interface Design, pages 18--56. Lawrence Erlbaum Associates, Publishers, Hillsdale, NJ, 1991.Google Scholar
- H. H. Clark. Using Language. Cambridge University Press, Cambridge, England, 1996.Google Scholar
- H. H. Clark and M. F. Schober. Asking questions and influencing answers. In J. M. Tanur, editor, Questions about questions: Inquiries into the cognitive bases of surveys. Russell Sage, New York, NY, 1992.Google Scholar
- M. Elliott and R. Kling. Organizational usability of digital libraries: Case study of legal research in civil and criminal courts. American Society for Information Science, 4(11):1023--1035, 1997. Google ScholarDigital Library
- G. Fischer and E. Scharff. Meta-design: design for designers. In Proceedings of the Conference on Designing Interactive Systems (DIS), pages 396--405, New York, NY, USA, 2000. ACM Press. Google ScholarDigital Library
- B. Glaser and A. L. Strauss. The Discovery of Grounded Theory, Strategies for Qualitative Research. Aldine Publishing Company, Chicago, Illinois, 1967.Google Scholar
- U. Holmstrom. User-centered design of secure software. In the 17th Symposium on Human Factors in Telecommunications, Denmark, 1999.Google Scholar
- E. Hutchins. Cognition in the Wild. MIT Press, Cambridge, MA, 1995.Google Scholar
- Internet relay chat (irc) help archive. http://www.irchelp.org/, February 2007.Google Scholar
- E. Kandogan and E. M. Haber. Security administration tools and practices. In L. F. Cranor and S. Garfinkel, editors, Security and Usability: Designing Secure Systems that People Can Use, chapter 18, pages 357--378. O'Reilly Media, Inc., Sebastapol, 2005.Google Scholar
- K. Kark, C. McClean, L. Koetzle, J. Penn, and S. Bernhardt. 2007 security budgets increase: The transition to information risk management begins. Forrester Research, 2007.Google Scholar
- P. P. Maglio, E. Kandogan, and E. Haber. Distributed cognition and joint activity in collaborative problem solving. In Proceedings of the Twenty-fifth Annual Conference of the Cognitive Science Society, 2003.Google Scholar
- T. Malone, K. Lai, and K. Grant. Two design principles for collaboration technology: Examples of semiformal systems and radical tailorability. Coordination Theory and Collaboration Technology, pages 125--160, 2001.Google Scholar
- Merriam-Webster. Merriam-webster's collegiate dictionary, 1994.Google Scholar
- Nessus security scanner. http://www.nessus.org/, February 2007.Google Scholar
- J. Nielsen. Usability Engineering. Morgan Kaufmann, San Francisco, 1994. Google ScholarDigital Library
- Idea works: Qualrus software. http://www.ideaworks.com/qualrus/index.html, February 2007.Google Scholar
- K. J. Vicente. Cognitive Work Analysis: Toward Safe, Productive, and Healthy Computer-Based Work. Mahwah, NJ: Lawrence Erlbaum Associates, Publishers, 1999. Google ScholarDigital Library
- A. Wool. A quantitative study of firewall configuration errors. Computer, 37(6):62--67, 2004. Google ScholarDigital Library
- R. Yin. Case study research: Design and methods (2nd ed.). Sage Publishing, Beverly Hills, CA, 1994.Google Scholar
- M. Zurko, R. Simon, and T. Sanfilippo. A user-centered, modular authorization service built on an RBAC foundation. In IEEE Symposium on Security and Privacy, pages 57--71, Oakland, CA, USA, 1999.Google ScholarCross Ref
- M. E. Zurko and R. T. Simon. User-centered security. In New Security Paradigms Workshop, pages 27--33, Lake Arrowhead, California, 1996. ACM Press. Google ScholarDigital Library
Index Terms
- Towards understanding IT security professionals and their tools
Recommendations
Understanding career commitment of IT professionals: Perspectives of push-pull-mooring framework and investment model
Using push-pull-mooring framework and investment model as theoretical lenses, this study provides a compelling theoretical model that helps understand the important antecedents of career commitment of IT professionals. Especially, we examined the ...
The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness
Although most behavioral security studies focus on organizational in-role behaviors such as information security policy ISP compliance, the role of organizational extra-role behaviors-security behaviors that benefit organizations but are not specified ...
IT Professionals: An Iberian Snapshot
Nowadays, Universities and other Training Institutions need to clearly identify the Information Technology IT skills that companies demand from IT practitioners. This is essential not only for offering appropriate and reliable university degrees, but ...
Comments