Guidelines for designing IT security management tools

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Guidelines for designing IT security management tools

Full text

Pdf (274 KB)

Source

Computer Human Interaction for the Management of Information Technology archive
Proceedings of the 2nd ACM Symposium on Computer Human Interaction for Management of Information Technology table of contents

San Diego, California

SESSION: Security table of contents

Article No. 7

Year of Publication: 2008

ISBN:978-1-60558-355-6

Authors

Pooya Jaferian	University of British Columbia, Vancouver, Canada
David Botta	University of British Columbia, Vancouver, Canada
Fahimeh Raja	University of British Columbia, Vancouver, Canada
Kirstie Hawkey	University of British Columbia, Vancouver, Canada
Konstantin Beznosov	University of British Columbia, Vancouver, Canada

Sponsor

SIGCHI: ACM Special Interest Group on Computer-Human Interaction

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 53, Downloads (12 Months): 376, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1477973.1477983 What is a DOI?

ABSTRACT

An important factor that impacts the effectiveness of security systems within an organization is the usability of security management tools. In this paper, we present a survey of design guidelines for such tools. We gathered guidelines and recommendations related to IT security management tools from the literature as well as from our own prior studies of IT security management. We categorized and combined these into a set of high level guidelines and identified the relationships between the guidelines and challenges in IT security management. We also illustrated the need for the guidelines, where possible, with quotes from additional interviews with five security practitioners. Our framework of guidelines can be used by those developing IT security tools, as well as by practitioners and managers evaluating tools.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Kulsoom Abdullah , Chris Lee , Gregory Conti , John A. Copeland , John Stasko, IDS RainStorm: Visualizing IDS Alarms, Proceedings of the IEEE Workshops on Visualization for Computer Security, p.1, October 26-26, 2005 [doi>10.1109/VIZSEC.2005.8]
	2	P. A. A. Amanda Jane Coffey. Making Sense of Qualitative Data: Complementary Research Strategies. SAGE Publications, 1996.
	3	C. Andrew. The five ps of patch management: Is there a simple way for businesses to develop and deploy an advanced security patch management strategy? Computers & Security, 24(5):362--363, 8 2005.
	4	Michelle Q. Wang Baldonado , Allison Woodruff , Allan Kuchinsky, Guidelines for using multiple views in information visualization, Proceedings of the working conference on Advanced visual interfaces, p.110-119, May 2000, Palermo, Italy [doi>10.1145/345513.345271]
	5	Robert Ball , Glenn A. Fink , Chris North, Home-centric visualization of network traffic for security administration, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA [doi>10.1145/1029208.1029217]
	6	R. Barrett, P. P. Maglio, E. Kandogan, and J. Bailey. Usable autonomic computing systems: The system administrators perspective. Advanced Engineering Informatics, 19(3):213--221, 2005.
	7	Rob Barrett , Eser Kandogan , Paul P. Maglio , Eben M. Haber , Leila A. Takayama , Madhu Prabaker, Field studies of computer system administrators: analysis of system management tools and practices, Proceedings of the 2004 ACM conference on Computer supported cooperative work, November 06-10, 2004, Chicago, Illinois, USA [doi>10.1145/1031607.1031672]
	8	B. Beal. IT security: the product vendor landscape. Network Security, 2005(5):9--10, 5 2005.
	9	David Botta , Rodrigo Werlinger , André Gagné , Konstantin Beznosov , Lee Iverson , Sidney Fels , Brian Fisher, Towards understanding IT security professionals and their tools, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania [doi>10.1145/1280680.1280693]
	10	Catherine M. Burns , Johnson Kuo , Sylvia Ng, Ecological interface design: a new approach for visualizing network management, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.43 n.3, p.369-388, 22 October 2003 [doi>10.1016/S1389-1286(03)00287-1]
	11	K. Charmaz. Constructing Grounded Theory. SAGE publications, 2006.
	12	S. Chiasson, P. C. van Oorschot, and R. Biddle. Even experts deserve usable security: Design guidelines for security management systems. In SOUPS Workshop on Usable IT Security Management (USM), Pittsburgh, PA, July 2007.
	13	J. W. Creswell. Qualitative Inquiry and Research Design: Choosing among Five Traditions. SAGE Publications, July 1997.
	14	Paul DiGioia , Paul Dourish, Social navigation as a model for usable security, Proceedings of the 2005 symposium on Usable privacy and security, p.101-108, July 06-08, 2005, Pittsburgh, Pennsylvania [doi>10.1145/1073001.1073011]
	15	B. Dijker. A day in the life of system administrators. http://sageweb.sage.org, June 2006.
	16	Margaret Elliot , Rob Kling, Organizational usability of digital libraries: case study of legal research in civil and criminal courts, Journal of the American Society for Information Science, v.48 n.11, p.1023-1035, Nov. 1997 [doi>10.1002/(SICI)1097-4571(199711)48:11<1023::AID-ASI5>3.0.CO;2-Y]
	17	A. Gagné, K. Muldner, and K. Beznosov. Identifying differences between security and other IT professionals: a qualitative analysis. In HAISA '08: Human Aspects of Information Security and Assurance, pages 69--80, Plymouth, England, July 8--9 2008.
	18	R. Garigue and M. Stefaniu. Information security governance reporting. EDPACS, 31(6):11--17, 2003.
	19	T. Grunwald and C. Corsbie-Massay. Guidelines for cognitively efficient multimedia learning tools: educational strategies, cognitive load, and interface design. Academic medicine, 83(3):213--223, 2006.
	20	Eben M. Haber , John Bailey, Design guidelines for system administration tools developed through ethnographic field studies, Proceedings of the 2007 symposium on Computer human interaction for the management of information technology, March 30-31, 2007, Cambridge, Massachusetts [doi>10.1145/1234772.1234774]
	21	Christine A. Halverson, The Value of Persistence: A Study of the Creation, Ordering and Use of Conversation Archives by a Knowledge Worker, Proceedings of the Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04) - Track 4, p.40108.1, January 05-08, 2004
	22	Kirstie Hawkey , David Botta , Rodrigo Werlinger , Kasia Muldner , Andre Gagne , Konstantin Beznosov, Human, organizational, and technological factors of IT security, CHI '08 extended abstracts on Human factors in computing systems, April 05-10, 2008, Florence, Italy [doi>10.1145/1358628.1358905]
	23	Kirstie Hawkey , Kasia Muldner , Konstantin Beznosov, Searching for the Right Fit: Balancing IT Security Management Model Trade-Offs, IEEE Internet Computing, v.12 n.3, p.22-30, May 2008 [doi>10.1109/MIC.2008.61]
	24	Almut Herzog , Nahid Shahmehri, User help techniques for usable security, Proceedings of the 2007 symposium on Computer human interaction for the management of information technology, March 30-31, 2007, Cambridge, Massachusetts [doi>10.1145/1234772.1234787]
	25	Kasper Hornbæk , Erik Frøkjær, Reading of electronic documents: the usability of linear, fisheye, and overview+detail interfaces, Proceedings of the SIGCHI conference on Human factors in computing systems, p.293-300, March 2001, Seattle, Washington, United States [doi>10.1145/365024.365118]
	26	E. Kandogan and E. M. Haber. Security administration tools and practices. In L. F. Cranor and S. Garfinkel, editors, Security and Usability: Designing Secure Systems that People Can Use, chapter 18, pages 357--378. O'Reilly Media, Inc., 2005.
	27	Someswar Kesh , Pauline Ratnasingam, A knowledge architecture for IT security, Communications of the ACM, v.50 n.7, p.103-108, July 2007 [doi>10.1145/1272516.1272521]
	28	G. Killcrece, K.-P. Kossakowski, R. Ruefle, and M. Zajicek. Organizational models for computer security incident response teams (CSIRTS). Technical Report CMU/SEI-2003-HB-001, 2003.
	29	Anita Komlodi , Penny Rheingans , Utkarsha Ayachit , John R. Goodall , Amit Joshi, A User-centered Look at Glyph-based Security Visualization, Proceedings of the IEEE Workshops on Visualization for Computer Security, p.3, October 26-26, 2005 [doi>10.1109/VIZSEC.2005.1]
	30	Research-Based Web Design & Usability Guidelines, U.S. Dept. of Health and Human Services, 2006
	31	S. Kraemer and P. Carayon. Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied Ergonomics, 38:143--154, 2007.
	32	Christopher P. Lee , John A. Copeland, Flowtag: a collaborative attack-analysis, reporting, and sharing tool for security researchers, Proceedings of the 3rd international workshop on Visualization for computer security, November 03-03, 2006, Alexandria, Virginia, USA [doi>10.1145/1179576.1179597]
	33	S. McGann and D. C. Sicker. An analysis of security threats and tools in SIP-based VoIP systems. In 2nd VoIP Security Workshop, pages 1--8, Washington DC, USA, June 2005.
	34	Bill Curtis , Jakob Nielsen, Applying Discount Usability Engineering, IEEE Software, v.12 n.1, p.98-100, January 1995 [doi>10.1109/52.363161]
	35	M. Nohlberg and J. Backstrom. User-centred security applied to the development of a management information system. Information Management & Computer Security, 15(5):372--381, 2007.
	36	Rayford B. Vaughn, Jr. , Ronda Henning , Kevin Fox, An empirical study of industrial security-engineering practices, Journal of Systems and Software, v.61 n.3, p.225-232, April 2002 [doi>10.1016/S0164-1212(01)00150-9]
	37	Yvonne Rogers, Ghosts in the network: distributed troubleshooting in a shared working environment, Proceedings of the 1992 ACM conference on Computer-supported cooperative work, p.346-355, November 01-04, 1992, Toronto, Ontario, Canada [doi>10.1145/143457.143546]
	38	Stacey D. Scott , Karen D. Grant , Regan L. Mandryk, System guidelines for co-located, collaborative work on a tabletop display, Proceedings of the eighth conference on European Conference on Computer Supported Cooperative Work, p.159-178, September 14-18, 2003, Helsinki, Finland
	39	S. L. Smith and J. N. Mosier. Guidelines for designing user interface software. Technical Report ESD-TR-86-278, The MITRE Corporation Bedford MA, August 1986.
	40	Yin Leng Theng , Elke Duncker , Norliza Mohd-Nasir , George Buchanan , Harold W. Thimbleby, Design Guidelines and User-Centred Digital Libraries, Proceedings of the Third European Conference on Research and Advanced Technology for Digital Libraries, p.167-183, September 22-24, 1999
	41	Ramona Su Thompson , Esa M. Rantanen , William Yurcik , Brian P. Bailey, Command line or pretty lines?: comparing textual and visual interfaces for intrusion detection, Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA [doi>10.1145/1240624.1240807]
	42	K. Vicente and J. Rasmussen. Ecological interface design: theoretical foundations. Systems, Man and Cybernetics, IEEE Transactions on, 22(4):589--606, Jul/Aug 1992.
	43	B. von Solms and R. von Solms. The 10 deadly sins of information security management. Computers security, 23(5):371, 2004.
	44	R. Werlinger, K. Hawkey, and K. Beznosov. Human, Organizational and Technological Challenges of Implementing IT Security in Organizations. In HAISA'08: Human Aspects of Information Security and Assurance, pages 35--48, Plymouth, England, July 8--9 2008.
	45	Rodrigo Werlinger , Kirstie Hawkey , Konstantin Beznosov, Security practitioners in context: their activities and interactions, CHI '08 extended abstracts on Human factors in computing systems, April 05-10, 2008, Florence, Italy [doi>10.1145/1358628.1358931]
	46	Rodrigo Werlinger , Kirstie Hawkey , Kasia Muldner , Pooya Jaferian , Konstantin Beznosov, The challenges of using an intrusion detection system: is it worth the effort?, Proceedings of the 4th symposium on Usable privacy and security, July 23-25, 2008, Pittsburgh, Pennsylvania [doi>10.1145/1408664.1408679]
	47	Kevin F. White , Wayne G. Lutters, Midweight collaborative remembering: wikis in the workplace, Proceedings of the 2007 symposium on Computer human interaction for the management of information technology, March 30-31, 2007, Cambridge, Massachusetts [doi>10.1145/1234772.1234793]
	48	W. Yurcik, J. Barlow, and J. Rosendale. Maintaining perspective on who is the enemy in the security systems administration of computer networks. In ACM CHI Workshop on System Administrators Are Users, Too. Proceedings of the Tenth Americas Conference on Information Systems, 2003.
	49	William Yurcik , Ramona Su Thompson , Michael B. Twidale , Esa M. Rantanen, If you can't beat 'em, join 'em: combining text and visual interfaces for security-system administration, interactions, v.14 n.1, January + February 2007 [doi>10.1145/1189976.1189988]