Towards Understanding Diagnostic Work During the Detection and Investigation of Security Incidents

This study investigates how security practitioners perform diagnostic work during the identification of security incidents. Based on empirical data from 16 interviews with security practitioners, we identify the tasks, skills, strategies and tools that security practitioners use to diagnose security incidents. Our analysis shows that diagnosis is a highly collaborative activity, which may involve practitioners developing their own tools to perform specific tasks. Our results also show that diagnosis during incident response is complicated by practitioners' need to rely on tacit knowledge, as well as by usability issues with security tools. We offer recommendations to improve technology that supports the diagnosis of security incidents.
