Folk Risk Analysis: Factors Influencing Security Analysts' Interpretation of Risk

Several standard approaches to risk analysis are recommended for use in information security; in practice, however, security analysts apply an opaque mix of standard risk analysis procedures and adaptations based on their own understanding of risk. We refer to these approaches as Folk Risk Analysis. To understand folk risk analysis, we present the results of a study in which Distributed Cognition and Grounded Theory were used to elicit the factors that influence how security analysts interpret risk, and the constraints under which they make risk decisions.
