Towards Understanding and Improving IT Security Management Konstantin (Kosta) Beznosov


Towards Understanding and Improving IT Security Management
Konstantin (Kosta) Beznosov, Department of Electrical and Computer Engineering

selected publications
- P. Jaferian, H. Rashtian, K. Beznosov, To Authorize or Not Authorize: Helping Users Review Access Policies in Organizations, in Proceedings of the Symposium on Usable Privacy and Security (SOUPS), July 2014, pp. 301-320.
- P. Jaferian, K. Hawkey, A. Sotirakopoulos, M. Velez-Rojas, K. Beznosov, Heuristics for Evaluating IT Security Management Tools, in Human Computer Interaction, July 2013.
- D. Botta, K. Muldner, K. Hawkey, and K. Beznosov, Toward Understanding Distributed Cognition in IT Security Management: The Role of Cues and Norms, in the International Journal of Cognition, Technology & Work, Springer, September 2010, pp. 1-14.
- R. Werlinger, K. Muldner, K. Hawkey, K. Beznosov, Examining Diagnostic Work Practices during Security Incident Response, in the Journal of Information Management & Computer Security, Emerald, v. 18, n. 1, 2010, pp. 26-42.
- R. Werlinger, K. Hawkey, K. Beznosov, An Integrated View of Human, Organizational, and Technology Challenges in IT Security Management, in the Journal of Information Management & Computer Security, Emerald, v. 17, n. 1, January 2009, pp. 4-19.
- R. Werlinger, K. Hawkey, K. Muldner, P. Jaferian, K. Beznosov, The Challenges of Using an Intrusion Detection System: Is It Worth the Effort?, in Proceedings of SOUPS, Pittsburgh, PA, 23-25 July 2008.
- A. Gagné, K. Muldner, K. Beznosov, Identifying Security Professionals' Needs: a Qualitative Analysis, in Symposium on Human Aspects in Information Security and Assurance (HAISA), Plymouth, UK, 8-10 July 2008.
- K. Hawkey, K. Muldner, K. Beznosov, Searching for the Right Fit: A Case Study of IT Security Management Models, in IEEE Internet Computing Magazine, May/June 2008.
- D. Botta, R. Werlinger, A. Gagné, K. Beznosov, L. Iverson, S. Fels, and B. Fisher, Towards Understanding IT Security Professionals and Their Tools, in SOUPS, pp. 100-111, Pittsburgh, PA, July 18-20 2007.
- K. Beznosov and O. Beznosova, On the Imbalance of the Security Problem Space and its Expected Consequences, Journal of Information Management & Computer Security, Emerald, vol. 15, n. 5, September 2007, pp. 420-431.

outline
- methodology
- understanding
  - who manages IT security?
  - what skills do they practice?
  - how are they different from others in IT?
  - what challenges do IDSs face?
  - how do they interact when responding to incidents?
  - what challenges do they face?
  - how do breakdowns in cues and norms affect ITSM?
- improving
  - heuristics for ITSM tool design
  - access review and certification
- summary

HOT Admin: Human, Organization and Technology Centred Improvement of IT Security Administration
- purpose: tool evaluation (methodology); tool design (guidelines & techniques)
- research process (diagram): data collection -> models -> techniques & methodologies -> validation & evaluation
- sponsors and partners

Human, Organization and Technology Centred (diagram of the three factor groups: human, organizational, technological)

methods summary
- data collection
  - online questionnaire (demographics)
  - in situ semi-structured interviews (two interviewers)
  - participatory observations: 75 hours in an academic organization's IT department (policy development and IDS deployment)
- data analysis
  - qualitative description
  - constant comparison, inductive analysis
  - coding: selective, open, axial, theoretical

recruitment challenges
- overworked
- secrecy culture
backstage approaches
- professional contacts
- practical benefits
- gradual recruitment
- gatekeepers
"Hello... I'm sorry but I must decline this opportunity. We don't discuss our security administration with anyone other than with the owners of the resources we're securing." (IT security manager who declined access to his department)
36 interviews with 36 participants between July 2006 and May 2008

industry sectors (chart): 36 interviews, 16 organizations. Sectors represented: Academic, Finance, Insurance, Scientific services, Manufacturing, Retail/Wholesale, Government Agency, Telecommunications, Not-for-profit Organization, High-Tech, IT Consulting. (Per-sector interview counts from the chart are not recoverable from the extraction.)

job types (chart): IT Manager, Security Manager, Security Specialist, IT (with security tasks). (The chart's counts, 5, 11, 5 and 14, cannot be reliably matched to categories from the extraction.)

findings

no security admins!
- system analysts
- application analysts
- business analysts
- technical analysts
- system administrators
- application programmers
- auditors
- IT managers
- security leads
- network leads
"What makes me [a security] analyst is that I'm also involved in developing the policies and procedures; an analyst is also someone who's doing a certain amount of troubleshooting and someone who's, I guess, a little bit more portable in terms of what their daily responsibilities are going to be like." (Study Participant)
More details in: D. Botta, R. Werlinger, A. Gagné, K. Beznosov, L. Iverson, S. Fels, and B. Fisher, Towards Understanding IT Security Professionals and Their Tools, in the Proceedings of the Symposium On Usable Privacy and Security (SOUPS), pp. 100-111, Pittsburgh, PA, July 18-20 2007.

loosely coordinated teams (diagram): an IT security coordinator working with security contacts spread across areas: workstations, user management, database, servers, firewall, wireless, applications, network.
So what? Security is secondary for those who manage it.
"I have a security team that I work with. They don't report to me but I actually work with them and they sort of are represented by the different areas." (Study Participant)
More details in: D. Botta, R. Werlinger, A. Gagné, K. Beznosov, L. Iverson, S. Fels, and B. Fisher, Towards Understanding IT Security Professionals and Their Tools, in the Proceedings of the Symposium On Usable Privacy and Security (SOUPS), pp. 100-111, Pittsburgh, PA, July 18-20 2007.

skills they practice
- pattern recognition
- inferential analysis
- use of tacit knowledge
- bricolage (dictionary: construction or creation from a diverse range of available things; origin: mid 20th century, French, from bricoler "do odd jobs, repair")
So what?
- finding gaps in tool support
- tool improvement
- new usability testing methods
More details in: D. Botta, R. Werlinger, A. Gagné, K. Beznosov, L. Iverson, S. Fels, and B. Fisher, Towards Understanding IT Security Professionals and Their Tools, in Proceedings of the Symposium On Usable Privacy and Security (SOUPS), pp. 100-111, Pittsburgh, PA, July 18-20 2007.

model of differences
- Scope
- Troubleshooting
- Complexity
- Usability vs. Security Tradeoff
- Nature of IT Security
- Fast-paced Environment
- Perception by Stakeholders
- Response Time
- Persuasion Tactics
- Need to be up to Date
More details in: A. Gagné, K. Muldner, K. Beznosov, Identifying Security Professionals' Needs: a Qualitative Analysis, in Proceedings of the Symposium on Human Aspects in Information Security and Assurance (HAISA), Plymouth, UK, 8-10 July 2008.

the need for broader scope
- SPs need broader internal scope than general IT
"... you really need to be able to look quite wide and deep. You need to be able to look within the packet in a lot of detail to understand how an intrusion detection system works. And at the same time you need to take a wide look to an organization to be able to determine the risks. And that differs from IT where other groups can really be focused in one particular area." (Study Participant)
- SPs need broader external scope than general IT: legislation (e.g., Sarbanes-Oxley)
More details in: A. Gagné, K. Muldner, K. Beznosov, Identifying Security Professionals' Needs: a Qualitative Analysis, in Proceedings of the Symposium on Human Aspects in Information Security and Assurance (HAISA), Plymouth, UK, 8-10 July 2008.

challenges throughout IDS deployment
Stages (columns on the slide): Considerations Before Deploying; Configuration & Validation; Ongoing Use.
Challenges listed across the stages:
- Show economic benefit to get buy-in
- Minimize overhead costs (stakeholders)
- Broad knowledge of organization & systems
- Distributed environment
- Initial configuration hurdle
- Determine appropriate test bed
- Collaboration features
- A bit of smarts
- Reports for different stakeholders
More details in: R. Werlinger, K. Hawkey, K. Muldner, P. Jaferian, K. Beznosov, The Challenges of Using an Intrusion Detection System: Is It Worth the Effort?, in the Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, PA, USA, 23-25 July 2008.

interactions during incident response (diagram)
- Managers: coordinate next steps during the investigation; ask SPs to take action on alarms
- External IT organizations: ISP/ICP administration; monitor the Internet; provide security consultancy; share security knowledge (community of practice)
- Security practitioners (SP): respond to the security incident; analysis of the incident
- IT specialists: administer network or systems; administer databases; forward alarms
- Other stakeholders: redefine product; contact clients or end-users; revise contracts with customers
- End-users: experience a security incident; suspect a security incident
Flows between the parties shown on the diagram: notifications, requirements, discussion of next steps, discussion of the action plan, analysis of the incident.
More details in: R. Werlinger, K. Hawkey, D. Botta, K. Beznosov, Security Practitioners in Context: Their Activities and Interactions with Other Stakeholders within Organizations, International Journal of Human Computer Studies, Elsevier, v. 6, n. 7, March 2009, pp. 584-606.

challenges in ITSM (diagram grouping factors into human, organizational and technological factors; the grouping of individual items is not recoverable from the extraction):
- Mobile Access
- Training
- Culture
- Vulnerabilities
- Risk Perception
- System Complexity
- Communication of Security Issues
- Risk Assessment
- Task Distribution
- Open Environment
- Data Access
- Business Relationships
- Priority
- Lack of Budget
- Tight Schedules
More details in: R. Werlinger, K. Hawkey, K. Beznosov, An Integrated View of Human, Organizational, and Technology Challenges in IT Security Management, Journal of Information Management & Computer Security, Emerald, v. 17, n. 1, January 2009, pp. 4-19.

distributed cognition & transactive memory
Distributed cognition "is concerned with solving problems by collaboration, where none of the collaborators individually can have a full appreciation of the problem" (Busby 2001). Distributed cognition involves (Busby 2001):
- cues: signals or clues, which participants use to determine when to act and how to act
- norms: standards or patterns regarded as typical, which help make participants' subtasks consistent with each other
Transactive memory is a type of mutual understanding where people in a group know who is responsible for what, and is based on the idea that individual members can serve as external memory aids to each other (Wegner, 1986).
More details in: D. Botta, K. Muldner, K. Hawkey, and K. Beznosov, Toward Understanding Distributed Cognition in IT Security Management: The Role of Cues and Norms, in the International Journal of Cognition, Technology & Work, Springer, September 2010, pp. 1-14.

distributed cognition in ITSM: the role of cues and norms
- cues
  - not explicitly directed (e.g., quick views, proofs of reliability, and reminders & hints)
  - explicitly directed (e.g., scripted notifications, notes to self, and escalated notifications)
- norms
  - notification procedures
  - methods to maintain consistency (e.g., templates, audits, policies, and standards)
  - establishment of mutual understanding by means of risk assessment, promotion of security awareness, and professional collaboration
  - employment of transactive memory to activate the specialized knowledge and skills of others in a group
More details in: D. Botta, K. Muldner, K. Hawkey, and K. Beznosov, Toward Understanding Distributed Cognition in IT Security Management: The Role of Cues and Norms, in the International Journal of Cognition, Technology & Work, Springer, September 2010, pp. 1-14.

distributed cognition in ITSM: challenges culminate in adverse effects
- challenges
  - reliance on tacit knowledge
  - distributed security management
  - complexity of technology and organization
  - goal-oriented human behaviour
- adverse effects
  - under-use of cues and norms
More details in: D. Botta, K. Muldner, K. Hawkey, and K. Beznosov, Toward Understanding Distributed Cognition in IT Security Management: The Role of Cues and Norms, in the International Journal of Cognition, Technology & Work, Springer, September 2010, pp. 1-14.

guidelines for designing ITSM tools (bracketed numbers are references in the cited paper)
- Task Specific Guidelines
  - Configuration and Deployment Guidelines
    - Make configuration manageable [3,20]
    - Support rehearsal and planning [3,6,7,20,44]
    - Make configuration easy to change [20,46]
    - Provide meaningful errors [20,34,46]
  - Intensive Analysis Guidelines
    - Provide customizable alerting [20]
    - Provide automatic detection [26,41]
    - Provide data correlation and filtering [1,26]
- Organizational Complexity Guidelines
  - Diverse Stakeholders Guidelines
    - Provide flexible reporting [9,18,33,35]
    - Provide an appropriate UI for stakeholders [9,35]
  - Communication Guidelines
    - Provide communication integration [6,7,28,45]
    - Facilitate archiving [17,21]
  - Distributed ITSM Guidelines
    - Support collaboration [6,7,20]
    - Work in a large workflow [8,9,20]
- Technological Complexity Guidelines
  - Make tools combinable [8,9,20,26]
  - Use multiple levels of information abstraction [1,4,5,10,12,25,41,42,45]
  - Help task prioritization [15,44]
  - Use different presentation / interaction methods [1,4,5,29,41,48,49]
  - Provide customizability [9,33]
  - Support knowledge sharing [9,12,14,27,32,37,47]
- General Usability Guidelines
(The slide arranges these along a specificity axis, from task-specific to general.)
More details in: P. Jaferian, D. Botta, F. Raja, K. Hawkey, K. Beznosov, Guidelines for Design of IT Security Management Tools, in ACM Computer Human Interaction for Management of Information Technology (CHIMIT) Symposium, November 2008, 10 p.

heuristics for evaluating ITSM tools
Design guidelines (from the previous work): Make Tools Combinable; Support Knowledge Sharing; Use Different Presentation/Interaction Methods; Use Multiple Levels of Information Abstraction; Provide Customizability; Help Task Prioritization; Provide Communication Integration; Facilitate Archiving; Provide an Appropriate UI for Stakeholders; Provide Flexible Reporting; Work in a Large Workflow; Support Collaboration; Make Configuration Manageable; Support Rehearsal and Planning; Make Configuration Easy to Change; Provide Meaningful Errors; Provide Customizable Alerting; Provide Automatic Detection; Provide Data Correlation and Filtering.
Resulting ITSM heuristics:
- Visibility of activity status
- History of actions and changes on artifacts
- Flexible representation of information
- Rules and constraints
- Planning and dividing work between users
- Capturing, sharing, and discovery of knowledge
- Verification of knowledge
More details in: P. Jaferian, K. Hawkey, A. Sotirakopoulos, M. Velez-Rojas, K. Beznosov, Heuristics for Evaluating IT Security Management Tools, in Human Computer Interaction, July 2013.

evaluating the heuristics (chart: problems found with the ITSM heuristics vs. Nielsen's heuristics, plotted by severity band (3 <= Severity < 4, 2 <= Severity < 3, 1 <= Severity < 2, 0 < Severity < 1), with Hard/Easy and Strong/Weak axes; the data points are not recoverable from the extraction)
More details in: P. Jaferian, K. Hawkey, A. Sotirakopoulos, M. Velez-Rojas, K. Beznosov, Heuristics for Evaluating IT Security Management Tools, in Human Computer Interaction, July 2013.

access certification: review of users' access rights (diagram of the parties involved: users, access rights, auditor, application owners, security administrator, manager)
More details in: P. Jaferian, H. Rashtian, K. Beznosov, To Authorize or Not Authorize: Helping Users Review Access Policies in Organizations, in Proceedings of the Symposium on Usable Privacy and Security (SOUPS), USA, July 9-11, 2014, pp. 301-320.

aiding in access review and certification (annotated screenshot of the review interface)
- Sorting users or files based on different parameters
- Zoom control
- User's first and last name; user's job; user's job history
- Clicking the magnifier icon shows the details of a user's access (see Level 2)
- List of files/roles/permissions; file name; name of the application that uses the file; user information
- Certify or revoke access to multiple files at once
- Example cells: Darla has access to R01; manager certified Billie's access to R03; manager revoked Zachary's access to R03; Zachary does not have access to R00
- Separation-of-duties violation: a user should not have access to R04 and R11 at the same time
- History of a user's access to a file (e.g., Allen had access to R19 while he was a Business Analyst, but does not currently have access to R19; Allen has had access to R11 while he has been a Consultant)
- The small circles show that a manager previously reviewed the user's access
More details in: P. Jaferian, H. Rashtian, K. Beznosov, To Authorize or Not Authorize: Helping Users Review Access Policies in Organizations, in Proceedings of the Symposium on Usable Privacy and Security (SOUPS), USA, July 9-11, 2014, pp. 301-320.
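The review interface described above rests on a few simple computations over access records: which access a user holds right now, the job the user held when each grant was made, whether two mutually exclusive resources are held at the same time, and whether a reviewer has already acted on a given cell. The following Python example is added here to make those computations concrete; it is not code from the SOUPS 2014 paper or its prototype. The data (Darla, Billie, Zachary, Allen, resources R01 to R19, the SoD pair R04/R11) is constructed to echo the slide's annotations, and the dataclasses, function names and the choice to close a grant on "revoke" are the example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data, modelled loosely on the examples the slide names
# (Darla/R01, Billie/R03, Zachary/R03, Allen/R19 and R11, SoD pair R04+R11).
# None of it is the authors' study data; names and dates are invented.


@dataclass
class AccessGrant:
    user: str
    resource: str                # file / role / permission id, e.g. "R01"
    job: str                     # job the user held while holding this access
    start: date
    end: Optional[date] = None   # None means the grant is still active


@dataclass
class ReviewDecision:
    user: str
    resource: str
    reviewer: str                # e.g. "manager"
    action: str                  # "certify" or "revoke"
    when: date


# Pairs of resources no single user may hold at the same time (assumed policy).
SOD_PAIRS = [("R04", "R11")]


def sample_grants() -> list:
    """Fresh copy of the constructed sample so callers can mutate it freely."""
    return [
        AccessGrant("Darla", "R01", "Analyst", date(2013, 1, 1)),
        AccessGrant("Billie", "R03", "Analyst", date(2013, 3, 1)),
        AccessGrant("Zachary", "R03", "Developer", date(2013, 5, 1)),
        # Allen held R19 as a Business Analyst; that access has ended.
        AccessGrant("Allen", "R19", "Business Analyst", date(2010, 1, 1), date(2012, 6, 30)),
        # As a Consultant he currently holds both R04 and R11 (the SoD pair).
        AccessGrant("Allen", "R11", "Consultant", date(2012, 7, 1)),
        AccessGrant("Allen", "R04", "Consultant", date(2013, 2, 1)),
    ]


def current_access(grants, user):
    """Resources the user holds right now (the grant has no end date)."""
    return {g.resource for g in grants if g.user == user and g.end is None}


def access_history(grants, user, resource):
    """Every period in which the user held the resource, with the job held at the time."""
    return [(g.job, g.start, g.end)
            for g in grants if g.user == user and g.resource == resource]


def sod_violations(grants, sod_pairs=SOD_PAIRS):
    """Users who currently hold both resources of a separation-of-duties pair."""
    found = []
    for user in sorted({g.user for g in grants}):
        held = current_access(grants, user)
        for a, b in sod_pairs:
            if a in held and b in held:
                found.append((user, a, b))
    return found


def review(grants, decisions, user, resource, reviewer, action, when):
    """Record a certify/revoke decision; a revoke also closes the active grant."""
    if action not in ("certify", "revoke"):
        raise ValueError("action must be 'certify' or 'revoke'")
    decisions.append(ReviewDecision(user, resource, reviewer, action, when))
    if action == "revoke":
        for g in grants:
            if g.user == user and g.resource == resource and g.end is None:
                g.end = when


def previously_reviewed(decisions, user, resource):
    """True when a reviewer already acted on this cell (the slide's small circles)."""
    return any(d.user == user and d.resource == resource for d in decisions)


def review_sheet(grants, decisions):
    """One row per user: current access, SoD-flagged resources, cells reviewed before."""
    violators = sod_violations(grants)
    rows = []
    for user in sorted({g.user for g in grants}):
        held = sorted(current_access(grants, user))
        flagged = sorted({r for u, a, b in violators if u == user for r in (a, b)})
        reviewed = [r for r in held if previously_reviewed(decisions, user, r)]
        rows.append({"user": user, "access": held, "sod": flagged, "reviewed": reviewed})
    return rows


if __name__ == "__main__":
    grants, decisions = sample_grants(), []
    review(grants, decisions, "Darla", "R01", "manager", "certify", date(2014, 6, 1))
    review(grants, decisions, "Billie", "R03", "manager", "revoke", date(2014, 6, 1))
    for row in review_sheet(grants, decisions):
        print(row)
    print("Allen's R19 history:", access_history(grants, "Allen", "R19"))
```

Keeping an end date on every grant rather than deleting revoked rows is what makes the job-history annotation possible: the reviewer can see that Allen's R19 access belonged to an earlier job, which is the kind of context the paper's participants needed to decide whether a current grant is still appropriate.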

research team: Kosta Beznosov, Sid Fels, Brian Fisher, Kirstie Hawkey, Kasia Muldner, David Botta, Rodrigo Werlinger, Pooya Jaferian, André Gagné, Fahimeh Raja


Konstantin (Kosta) Beznosov is looking for new graduate students! konstantin.beznosov.net/professional