DOI: 10.1145/1477973.1477983
Research article

Guidelines for designing IT security management tools

Published: 14 November 2008

Abstract

An important factor that impacts the effectiveness of security systems within an organization is the usability of security management tools. In this paper, we present a survey of design guidelines for such tools. We gathered guidelines and recommendations related to IT security management tools from the literature as well as from our own prior studies of IT security management. We categorized and combined these into a set of high-level guidelines and identified the relationships between the guidelines and challenges in IT security management. We also illustrated the need for the guidelines, where possible, with quotes from additional interviews with five security practitioners. Our framework of guidelines can be used by those developing IT security tools, as well as by practitioners and managers evaluating tools.



Published In

CHiMiT '08: Proceedings of the 2nd ACM Symposium on Computer Human Interaction for Management of Information Technology
November 2008
82 pages
ISBN:9781605583556
DOI:10.1145/1477973

Publisher

Association for Computing Machinery

New York, NY, United States

Acceptance Rates

Overall Acceptance Rate 15 of 43 submissions, 35%

Cited By

  • (2023) Personalized Guidelines for Design, Implementation and Evaluation of Anti-Phishing Interventions. 2023 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), pages 1-12. DOI: 10.1109/ESEM56168.2023.10304861. Online publication date: 26 October 2023.
  • (2022) Nalanda: a socio-technical graph platform for building software analytics tools at enterprise scale. Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 1246-1256. DOI: 10.1145/3540250.3558949. Online publication date: 7 November 2022.
  • (2021) "I'm literally just hoping this will work". Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, pages 263-280. DOI: 10.5555/3563572.3563586. Online publication date: 9 August 2021.
  • (2020) Evaluación Heurística de Usabilidad utilizando Indicadores Cualitativos para Sistemas Detectores de Intrusión [Heuristic usability evaluation using qualitative indicators for intrusion detection systems]. Entre ciencia e ingeniería, 14(28):46-51. DOI: 10.31908/19098367.2015. Online publication date: 31 December 2020.
  • (2019) "it's a generally exhausting field": A Large-Scale Study of Security Incident Management Workflows and Pain Points. 2019 17th International Conference on Privacy, Security and Trust (PST), pages 1-12. DOI: 10.1109/PST47121.2019.8949012. Online publication date: August 2019.
  • (2018) Security During Application Development. Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, pages 1-12. DOI: 10.1145/3173574.3173836. Online publication date: 21 April 2018.
  • (2018) Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes. 2018 IEEE Symposium on Security and Privacy (SP), pages 374-391. DOI: 10.1109/SP.2018.00003. Online publication date: May 2018.
  • (2017) Systematic Literature Review on Usability of Firewall Configuration. ACM Computing Surveys, 50(6):1-35. DOI: 10.1145/3130876. Online publication date: 6 December 2017.
  • (2016) Turning contradictions into innovations or. Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security, pages 237-251. DOI: 10.5555/3235895.3235916. Online publication date: 22 June 2016.
  • (2015) A human capital model for mitigating security analyst burnout. Proceedings of the Eleventh USENIX Conference on Usable Privacy and Security, pages 347-359. DOI: 10.5555/3235866.3235894. Online publication date: 22 July 2015.
