Human, Organizational and Technological Factors of IT...
Transcript of Human, Organizational and Technological Factors of IT...
Human, Organizational andTechnological Factors of IT
SecurityKasia Muldner
The HOTAdmin Project
LERRSE Lab, Department of Electrical and Computer Engineering
University of British Columbia
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)2
When is a System “Secure”?
“A computer is secure if you can dependon it and its software to behave as youexpect.”
Garfinkel and Spafford, “Practical Internet Security”
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)3
Who is the Weakest Link?
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)4
Security
Usable Security (HCISec)
HumanComputerInteraction
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)5
Usable Security Challenges
Security is a secondary task how to motivateusers?
Wide range of users how do to supportdifferent types of users?
Negative impact of errors how to minimizethe damage?
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)6
HCISec is a growing field
To date, focus has been on ways to support the singleend-user• Password managers (e.g. Chiasson, Biddle et. al )• Prevention of phishing attacks (e.g. Wu, Miller et. al)
What about IT professionals that are responsible forupholding security in their organizations?
Usable Security for All Users
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)7
Hypothetical Example
Jenny SmithABC’s senior security administrator
ABC Inc.large companywith 5 divisions
Business policy: All e-mail messages between seniormanagement must be end-to-end secure
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)8
Blackberry Enterprise ServerManagement
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)9
Configuring BES to Enforce the Policy
1. Turn MIME (S/MIME) encryption on2. Enable S/MIME encryption for the user
Set alpha-numeric rules:3. Cert. Status Cache Timeout4. Cert. Status Maximum Expiry Time5. FIPS Level6. S/MIME Allowed Content Ciphers7. Trusted Certificate Thumbprints
Set to False8. Allow Other Email Services
Set to True:9. Disable Email Normal Send
10. Attachment Viewing
11. S/MIME Force Digital Signature
12. S/MIME Force Encrypted Email
13. Disable Invalid Certificate Use
14. Disable Revoked Certificate Use
15. Disable Stale Status Use
16. Disable Untrusted Certificate Use
17. Disable Unverified Certificate Use
18. Disable Unverified CRLs
19. Disable Weak Certificate Use
Total 19 steps!
First:
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)10
That’s Not All!
Now do (most of) the same for othersenior managers
Now do the same on the other fourservers
Is this security technology “usable”?
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)11
Limitations of the GUI
Which of the 140 rules need to be set?
How to remember which values to setthe rules to?
Difficult to determine the results ofchanges?
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)12
Motivation
Protecting organizations is becomingincreasingly challenging for securityprofessionals:• The perimeter is dissolving
• IT attacks are becoming more pervasive andadvanced
Usable security solutions are lagging behindthe bad guys
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)13
Outline
HOTAdmin project: introduction
Field study
Results
Conclusions & future work
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)14
HOTAdmin
HOT: Human, Organizational andTechnological
Goal: advance the state of usable securitysolutions for security professionals
Challenge: little real-word data exists onsecurity professionals: how they work & whattools they need
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)15
HotAdmin Team
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)16
HOTAdmin Overview
Field Study
Analysis & ModelDevelopment
Guidelines forTool Design
Validation of theResults
“Towards Understanding IT Security Professionals and Their Tools”,SOUPS’07.
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)17
Field Study Participants
IT Manager (6)
SecuritySpecialist (12)
General IT (13)
Security Manager (3)
34 Professionals
Across 16 different organizations• Academic, manufacturing, financial services, consulting, technology,
insurance, scientific services, government, non-profit, retail,telecommunications
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)18
Field Study Methodology
1 - 1.5 hours in duration
Variety of questions:• What kinds of challenges do you face?• What differentiates security from
general IT?
• What tools do you use? What do youlike / dislike about your tools?
in situ semi-structured interviews
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)19
HOTAdmin Overview
Analysis & ModelDevelopment
Field Study
Guidelines forTool Design
Validation of theResults
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)20
Data Analysis
Transcription + sanitization Qualitative description [Sandolowski]
Open Coding Axial Coding
selection of categoriesthat arise from the dataanalysis
synthesis and refinement of thedata, to make explicit theconnections between thecategories
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)21
Coding ExampleDo you think that there's a difference between security-related tasks and other IT tasks? Can you talk about whatmakes security different?
Well a very glib answer would be that they are different because security involves making things more difficultfor people rather than not. Like I said, that's a glib answer and not necessary completely true but the element oftruth in that is that typically if there is a security problem, the solution is to get people to stop doing that -whatever it might be. If someone wants to run a file-sharing program on the computer - well, no, don't do this
because it opens us up to X Y and Z. That leaves them bored and frustrated. Or, don't go to that website, well butthey want it, and like I said those are very glib answers and only cover certain cases where you are telling peopledon't do the thing that involves exposing us to problems.
A lot of the time the other IT stuff, the non-security related IT stuff tends to be helping people gettheir work done in a more or less immediately visible way. I can't get my e-mail or, here's how. I can't print,here's how. Checking mail this way sucks. Well let me take three months and get a good web mail program. Theserver went down for the third time today, okay; let me spend three months getting a better server and redundantservers and things like this.
More generally I would say they are different because - partly because security problems caninvolve potential privacy issues, so you are scanning mail for spam or for viruses - yes it's done by a computerbut at some point you will probably have to go check it about a porn (?) case. And that will involve saying can Ilook at your e-mail, can I look at your files. I am always conscious of asking permission to do that sort of thing,and giving people the option to say no. …
Security hindersusers
IT helps users
Security vs.Usability
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)22
Field Study
Analysis & ModelDevelopment
Guidelines forthe Design ofTechniques
Validation of theResults
Challenges
Errors
Interactions
Tasks & Tools
Management Model
Results
Security vs. IT
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)23
Theme: Security vs. IT
Research question:• What differentiates security and general IT
professionals?
Motivation:• To date, related work has focused on studying
system administrators without isolating securityaspects
• This makes it difficult to design support tailored tosecurity professionals’ (SP) needs
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)24
Results
Differences between security and IT along the followingdimensions:
Usability vs. Security
Stakeholder Perception
Environment
Scope
Troubleshooting Complexity
“Identifying security professionals' needs: a qualitative analysis”, submittedto HAISA’08.
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)25
Results (con’t)
Security professionals are constantly balancingusability and security
“I think it [security and general IT] is differentbecause you have to balance the usability of thesystem [with its] security. You can have a foolproofsecurity system but it's not going to be veryusable… the most secure system is when it's turnedoff, and behind locked doors”
Usability vs. Security
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)26
Results (con’t)
Security professionals (SPs) are perceived in a lesspositive light by organizational stakeholders
Changing technological landscape
Threats: only SPs have to contend with active andcontinuous threats
“IT is a fast changing field and security is even faster”
Stakeholder Perception
Environment
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)27
Results (con’t)
SPs need broader internal scope than general IT
“you really need to be able to look quite wide and deep. Youneed to be able to look within the packet in a lot of detail tounderstand how an intrusion detection system works… And at thesame time you need to take a wide look to an organization to beable to determine … the risks…. And that differs from IT whereother groups can really be focused in one particular area”
SPs need broader external scope than general IT
Legislation (Patriot Act, Sarbanes Oxley)
Scope
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)28
Model of Differences
UsabilityTradeoff
Scope
Nature ofSecurity Fast-paced
Environment
TroubleshootingComplexity
Response Time
Need to be up toDate
NegativePerception of SP
PersuasionTactics
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)29
Summary
Differences between security and general ITprofessionals increase the overall complexitySPs have to contend with
Implications?• Reduce the burden, e.g.:
• Via innovative usable solutions to mitigate need tobalance security
• Via tools that integrate organizational information tofacilitate wide overview (scope)
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)30
Results
Field Study
Analysis & ModelDevelopment
Guidelines forthe Design ofTechniques
Validation of theResults
SP vs.. IT
Challenges
Errors
Interactions
Tasks & Tools
Management Model
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)31
Theme: Challenges
Research question:• What are the key challenges SPs face and how do they
interplay?
Motivation:
• Related work has studied challenges in isolation
• This fails to provide a holistic account of thehuman, organizational and technological forces
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)32
Results
Challenges classified among the followingdimensions:
Human
Organizational
Technological
“Human, Organizational and Technological Challenges of Implementing IT Security inOrganizations”, submitted to HAISA’08.
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)33
Challenges: Human
Culture
Communication
Training
Poor security practices difficult to implementsecurity controls
Security practitioners lack the necessary training
Lack of common view among stakeholders difficultfor SP’s to communicate risks and security issues
.
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)34
Challenges: OrganizationalDifficult to estimate IT security risksRisk Assessment
Security Low Priority
Business Relationships
Task Distribution
Security is not a priority for many stakeholders
Misaligned security policies make it challenging toenforce standards within an organization
Data Access
Open Environment
Tight Schedules
Budget
Distribution of responsibilities was an issue: “thedecentralized nature does not help”…
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)35
Challenges: Technological
System Complexity
Mobile Access
A typical network could have firewalls, DMZs, proxies,switches behind the firewall, routers in front of thefirewalls, mail servers and not enough people to lookafter the overall security of these interconnecteddevices
.
.
Mobile user access makes it challenging to secureresources
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)36
Model of Challenges
Mobile Access
SystemComplexity
Task Distribution
OpenEnvironment
Risk
Assessment Business
Relationships
Data
Access
TightSchedules
TrainingCulture
Communicationof Security Issues
Priority
Lack of Budget
RiskPerception
TechnologicalFactors
OrganizationalFactors
Human Factors
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)37
Summary
We provide an integrated framework of thedifferent human, organizational, andtechnological challenges• High interplay of human, organizational and
technological challenges
Framework intended as a guide to supportidentification of limitations to implementingsecurity
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)38
Project Overview
Field Study
Analysis & ModelDevelopment
Guidelines forthe Design ofTechniques
Validation of theResults
SP vs.. IT
Challenges
Errors
Interactions
Tasks & Tools
Management Model
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)39
Interactions
Research Questions:
• When and how do security practitioners interact withother stakeholders?
• What tools do they need to interact effectively?
• What factors are responsible for miscommunications?
Motivation:
• Little related work on how security practitioners interactin real contexts within their organizations
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)40
Results
Perform / respond tosecurity audits
Design / revise securityservices
Solve IT security issues ofend users
Implement securitycontrols
Educate and train otheremployees
Mitigate new vulnerabilities
Respond to securityincidents
Develop security policies
IT specialists Auditors Organization'scommittees
IT vendors
Other Organizationalunits
Managers /executives
End users
External organizationalspecialists
Coordinate / Cooperate / Collaborate
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)41
Tools used during interactions
Communication:
• Text
• Incident tracking system
• Phone, video chat
Nessus (vulnerability visualization)
McAffee ePolicy Orchestrator
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)42
Recommendations to Improve Tools
Decrease complexity of interactions
Support SPs in knowledge dissemination
Flexible reporting
Integration of security & communication tools
Reduce communication overhead
e.g., support to interpretinformation fromdifferent channels
e.g., knowledge managementtools for policy
e.g., automatic tailored reportgeneration
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)43
Summary
Analysis shows that SPs work in a complexenvironment:• they not only perform security-specific tasks, but
also interact with stakeholders with differentbackgrounds and needs
We provide guidelines to improve tools
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)44
Results
Field Study
Analysis & ModelDevelopment
Guidelines forthe Design ofTechniques
Validation of theResults
SP vs.. IT
Challenges
Errors
Interactions
Tasks & Tools
Management Model
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)45
Theme: Errors
Research Question:
• What leads to errors in security processes?
Motivation:
• Breakdowns during ITSM can putorganizations at risk
• To reduce breakdowns, we need tounderstand the causes
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)46
Terminology
Error:
“a failure of a structure or process is an indication oferror only to the extent that it prevents maximizing theoutcomes of interest to the patient” [hofer]
IT security:• the patient = organization• Error = security practices that do not maximize outcomes
of interest, i.e., sub-optimal situations
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)47
Suboptimal Situations
Distributed and complex nature of IT security management
Busby’s framework for errors in a distributed system thatincludes:• Cues: an occurrence which ``participants use to determine when to act
and how to act”• Norms: rules of some sort that help make the participants' subtasks
consistent with each other• Transactive memory: is a type of mutual understanding, in which
people in a group mutually know who is responsible for what
Errors arise as a result of breakdowns in mutualunderstanding, cues, norms and transactive memory
Suboptimal situations, i.e., errors
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)48
Field Study
Analysis & ModelDevelopment
Guidelines forthe Design ofTechniques
Validation of theResults
SP vs.. IT
Challenges
Errors
Interactions
Tasks & Tools
Management Model
Tasks & Tools
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)49
Putting It All Together
Complexity of IT security management hasbeen a common thread
Each of our research themes hascontributed to community’s understandingof security professionals
Our research has provided a set ofguidelines for tool refinements anddirections for future research
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)50
Future Challenges
How to create testable models tovalidate and extend findings?
How to transform guidelines intoconcrete tool refinements?
How to evaluate the success of toolrefinements given the complex anddistributed nature of ITSM?
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)51
Thank-you for your attention!
Web: www.hotadmin.org
Email: [email protected]