Bringing Anthropology into Cybersecurity - Literature Study
- An integrated view of human, organizational, and technological challenges of IT security management.
Summary: The paper identifies the different challenges that affect IT security practitioners in their daily job, grouped as human, organizational, and technological. It starts by citing related work that identifies each of these factors individually as an important component of IT security enforcement; this work tries to relate all the challenges together to understand how they interact with each other. The authors tried to do this by three means: work shadowing, contextual interviews, and semi-structured interviews. They were not able to convince any practitioners to take part in work shadowing or contextual interviews and hence resorted to semi-structured interviews. They conducted 36 interviews of practitioners from 17 different organizations (3 academic, 14 non-academic). They used qualitative techniques with constant comparison and inductive analysis to analyze the interview data. Instances in the interviews were coded using open and axial coding. Posterior analysis was performed by further elaborating the "memos" written during the coding process. Their study specifically identified the following problems in each category:
  - Human factors
    - lack of security training
    - lack of a security culture
    - communication of security issues
  - Organizational factors
    - risk management
    - open environments and academic freedom
    - lack of budget
    - security as a secondary priority
    - tight schedules
    - business relationships with other organizations
    - distribution of IT responsibilities
    - access control to sensitive data
    - size of the organization
    - top management support
  - Technological factors
    - complexity of systems
    - vulnerabilities in systems and applications
    - mobile and distributed access
    - lack of efficient security tools
The rest of the paper offers suggestions for addressing each of the issues listed above. The authors conclude with their limitations and future work, where they point to further interviews as a way to generalize their findings.
- Guidelines for Designing IT Security Management Tools.
Summary: In this paper the authors present guidelines for developers who build tools used in IT security management. They arrive at them by two means: (1) a survey of the related literature and (2) interviews of IT security practitioners. The guidelines are grouped by criteria such as technological complexity, organizational complexity, and deployment-oriented complexity. The paper mainly relies on the methodologies used in the surveyed literature to derive each specific guideline.
- Security Practitioners in Context: Their Activities and Interactions with Other Stakeholders within Organizations
Summary: This paper focuses on how interactions between different people, including IT practitioners and various other stakeholders, pose a significant challenge in IT security management. The study is based on semi-structured interviews of practitioners from security management centers in different sectors and one participant observation study of 78 hours in a security operations center. The paper mainly highlights the lack of support in current tools for this interaction between diverse work groups. The authors also identify and model the different factors that add to the complexity of the interaction. The paper briefly mentions tacit knowledge and acknowledges that analysts require it to perform their day-to-day job. This paper lists a number of findings that we have identified through our field work, e.g. a networking person manages the firewall because he built the network, analysts need to be able to run arbitrary queries on data sources to efficiently retrieve the required information, and security tools need different types of input and output channels.
- Work Practices of System Administrators: Implications for Tool Design
Summary: This paper reports the observations the authors made by shadowing a system administrator for two days and interviewing a few other administrators. Their observations focus on the tools administrators use to accomplish various system administration tasks and on the reasons they prefer one tool over another. They consolidate a list of guidelines for developers to consider when building system administration tools, and they propose a hybrid method to evaluate the usefulness of those guidelines.
- The Challenges of Using an Intrusion Detection System: Is It Worth the Effort?
Summary: This work asks specific questions about the deployment of an intrusion detection system (IDS):
  - What do security practitioners expect from an IDS?
  - What difficulties do they encounter when installing and configuring an IDS?
  - How can the usability of an IDS be improved?
The data they collected comes from 9 interviews of IT analysts and 15 hours of participant observation at a SOC. The paper discusses the challenges interviewees faced with current IDSs, such as GUI versus command-line interfaces, configuration complexity, false positives, and the organizational impact of deploying an IDS. It concludes with arguments on whether it is worth spending time setting up an IDS in a SOC at all.
- Toward Understanding Distributed Cognition in IT Security Management: The Role of Cues and Norms
Summary: In this work the authors use the concepts of cues (signals that trigger an analyst into action) and norms (standards adopted in IT security practice) to explain distributed cognition in SOC environments, based on interviews. They conducted 34 interviews of IT analysts from different institutions and describe three scenarios in which cues and norms played an important role in causing inefficient SOC operations. They also identify, from their interview data, different types of cues and norms specific to SOC environments.
- Towards Understanding IT Security Professionals and Their Tools
Summary: The paper reports on a dozen interviews the authors conducted with IT analysts from different organizations. They specifically tried to understand the following aspects of IT security management:
  - Nature of security management teams
  - Workplace characteristics
  - Types of tasks performed by analysts
  - Usage of different skills like inferential analysis, pattern recognition, and bricolage
  - Recommendations for usable tools
They used a modified version of grounded theory to analyze their interview data.
- Preparation, detection, and analysis: the diagnostic work of IT security incident response
Summary: The paper studies the diagnostic process during incident response in SOCs through 16 semi-structured interviews. Their findings are intriguing as they are similar to some of the findings we found in our fieldwork so far:
  - Analysts rely heavily on tacit knowledge to accomplish their tasks
  - Current tools lack sufficient customization, so analysts had to develop their own tools
  - This also illustrates how difficult it is to develop standard security tools for the SOC
  - Customization of tools enables the transfer of tacit knowledge
  - They also acknowledge that it is an open problem how to develop customizable tools for the SOC without placing too much load on the analysts