Towards understanding IT security professionals and their tools

We report preliminary results of our ongoing field study of IT professionals who are involved in security management. We interviewed a dozen practitioners from five organizations to understand their workplace and tools. We analyzed the interviews using a variation of Grounded Theory and predesigned themes. Our results suggest that the job of IT security management is distributed across multiple employees, often affiliated with different organizational units or groups within a unit and responsible for different aspects of it. The workplace of our participants can be characterized by their responsibilities, goals, tasks, and skills. Three skills stand out as significant in the IT security management workplace: inferential analysis, pattern recognition, and bricolage.

[1]  Thomas W. Malone,et al.  Coordination Theory and Collaboration Technology , 2001 .

[2]  Lorrie Faith Cranor,et al.  Security and Usability: Designing Secure Systems that People Can Use , 2005 .

[3]  Jakob Nielsen,et al.  Usability engineering , 1997, The Computer Science and Engineering Handbook.

[4]  Merriam Webster Merriam-Webster's Collegiate Dictionary , 2016 .

[5]  Eser Kandogan,et al.  Distributed Cognition and Joint Activity in Collaborative Problem Solving , 2003 .

[6]  Mary Ellen Zurko,et al.  User-centered security , 1996, NSPW '96.

[7]  Gerhard Fischer,et al.  Meta-design: design for designers , 2000, DIS '00.

[8]  F. Bjorck Discovering Information Security Management , 2005 .

[9]  Eser Kandogan,et al.  Field studies of computer system administrators: analysis of system management tools and practices , 2004, CSCW.

[10]  Eben M. Haber Security Administration Tools and Practices , 2005 .

[11]  U. Holmström User-centered design of secure software , 1999 .

[12]  H. H. Clark,et al.  Asking questions and influencing answers. , 1992 .

[13]  Mary Ellen Zurko,et al.  A user-centered, modular authorization service built on an RBAC foundation , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[14]  A. Strauss,et al.  The Discovery of Grounded Theory , 1967 .

[15]  Jean Hartley,et al.  Case study research , 2004 .

[16]  Rob Kling,et al.  Organizational usability of digital libraries: case study of legal research in civil and criminal courts , 1997 .

[17]  K. J. Vicente,et al.  Cognitive Work Analysis: Toward Safe, Productive, and Healthy Computer-Based Work , 1999 .

[18]  A. Strauss,et al.  The discovery of grounded theory: strategies for qualitative research aldine de gruyter , 1968 .

[19]  Judith M. Tanur,et al.  Questions About Questions: Inquiries into the Cognitive Bases of Surveys , 1993 .

[20]  Avishai Wool,et al.  A quantitative study of firewall configuration errors , 2004, Computer.