Guidelines for designing IT security management tools

An important factor affecting the effectiveness of security systems within an organization is the usability of security management tools. In this paper, we present a survey of design guidelines for such tools. We gathered guidelines and recommendations related to IT security management tools from the literature as well as from our own prior studies of IT security management. We categorized and combined these into a set of high-level guidelines and identified the relationships between the guidelines and the challenges of IT security management. Where possible, we also illustrated the need for the guidelines with quotes from additional interviews with five security practitioners. Our framework of guidelines can be used by those developing IT security tools, as well as by practitioners and managers evaluating tools.
