Publication


Featured research published by Kirstie Hawkey.


Information Management & Computer Security | 2009

An integrated view of human, organizational, and technological challenges of IT security management

Rodrigo Werlinger; Kirstie Hawkey; Konstantin Beznosov

Purpose – The purpose of this study is to determine the main challenges that IT security practitioners face in their organizations, including the interplay among human, organizational, and technological factors. Design/methodology/approach – The data set consisted of 36 semi‐structured interviews with IT security practitioners from 17 organizations (academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to identify the challenges that security practitioners face. Findings – A total of 18 challenges that can affect IT security management within organizations are identified and described. This analysis is grounded in related work to build an integrated framework of security challenges. The framework illustrates the interplay among human, organizational, and technological factors. Practical implications – The framework can help organizations identify potential challenges when implementing security standards, and...


symposium on usable privacy and security | 2010

Do Windows users follow the principle of least privilege?: investigating user account control practices

Sara Motiee; Kirstie Hawkey; Konstantin Beznosov

The principle of least privilege requires that users and their programs be granted the most restrictive set of privileges possible to perform required tasks in order to limit the damages caused by security incidents. Low-privileged user accounts (LUA) and user account control (UAC) in Windows Vista and Windows 7 are two practical implementations of this principle. To be successful, however, users must apply due diligence, use appropriate accounts, and respond correctly to UAC prompts. With a user study and contextual interviews, we investigated the motives, understanding, behaviour, and challenges users face when working with user accounts and the UAC. Our results show that 69% of participants did not apply the UAC approach correctly. All 45 participants used an administrator user account, and 91% were not aware of the benefits of low-privilege user accounts or the risks of high-privilege ones. Their knowledge and experience were limited to the restricted rights of low-privilege accounts. Based on our findings, we offer recommendations to improve the UAC and LUA approaches.


conference on computers and accessibility | 2005

Requirements gathering with Alzheimer's patients and caregivers

Kirstie Hawkey; Kori Inkpen; Kenneth Rockwood; Michael McAllister; Jacob Slonim

Technology may be able to play a role in improving the quality of life for Alzheimer's patients and their caregivers. We are evaluating the feasibility of an information appliance with the goal of alleviating repetitive questioning behaviour, a contributing factor to caregiver stress. Interviews were conducted with persons with Alzheimer's disease and their caregivers to determine the nature of the repetitive questioning behaviour, the information needs of patients, and the interaction abilities of both the patients and the caregivers. We report results of these interviews and discuss the challenges of requirements gathering with persons with Alzheimer's disease and the feasibility of introducing an information appliance to this population.


international conference on supporting group work | 2005

The proximity factor: impact of distance on co-located collaboration

Kirstie Hawkey; Melanie Kellar; Derek F. Reilly; Tara Whalen; Kori Inkpen

Groups collaborating around a large wall display can do so in a variety of arrangements, positioning themselves at different distances from the display and from each other. We examined the impact of proximity on the effectiveness and enjoyment of co-located collaboration. Our results revealed collaborative benefits when participants were positioned close together, and interaction with the display was felt to be more effective when participants were close to the display. However, clear tradeoffs were evident for these configurations. When at a distance to the display, the choice of direct versus indirect interaction revealed that interactions were easier when using direct input but the effectiveness of the collaboration was compromised.


symposium on usable privacy and security | 2008

The challenges of using an intrusion detection system: is it worth the effort?

Rodrigo Werlinger; Kirstie Hawkey; Kasia Muldner; Pooya Jaferian; Konstantin Beznosov

An intrusion detection system (IDS) can be a key component of security incident response within organizations. Traditionally, intrusion detection research has focused on improving the accuracy of IDSs, but recent work has recognized the need to support the security practitioners who receive the IDS alarms and investigate suspected incidents. To examine the challenges associated with deploying and maintaining an IDS, we analyzed 9 interviews with IT security practitioners who have worked with IDSs and performed participatory observations in an organization deploying a network IDS. We had three main research questions: (1) What do security practitioners expect from an IDS?; (2) What difficulties do they encounter when installing and configuring an IDS?; and (3) How can the usability of an IDS be improved? Our analysis reveals both positive and negative perceptions that security practitioners have for IDSs, as well as several issues encountered during the initial stages of IDS deployment. In particular, practitioners found it difficult to decide where to place the IDS and how to best configure it for use within a distributed environment with multiple stakeholders. We provide recommendations for tool support to help mitigate these challenges and reduce the effort of introducing an IDS within an organization.


International Journal of Human-computer Studies / International Journal of Man-machine Studies | 2009

Security practitioners in context: Their activities and interactions with other stakeholders within organizations

Rodrigo Werlinger; Kirstie Hawkey; David Botta; Konstantin Beznosov

This study investigates the context of interactions of information technology (IT) security practitioners, based on a qualitative analysis of 30 interviews and participatory observation. We identify nine different activities that require interactions between security practitioners and other stakeholders, and describe in detail two of these activities that may serve as useful references for security-tool usability scenarios. We propose a model of the factors contributing to the complexity of interactions between security practitioners and other stakeholders, and discuss how this complexity is a potential source of security issues that increase the risk level within organizations. Our analysis also reveals that the tools used by our participants to perform their security tasks provide insufficient support for the complex, collaborative interactions that their duties involve. We offer several recommendations for addressing this complexity and improving IT security tools.


Computers & Security | 2012

Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures

San-Tsai Sun; Kirstie Hawkey; Konstantin Beznosov

OpenID 2.0 is a user-centric Web single sign-on protocol with over one billion OpenID-enabled user accounts, and tens of thousands of supporting websites. While the security of the protocol is clearly critical, so far its security analysis has only been done in a partial and ad-hoc manner. This paper presents the results of a systematic analysis of the protocol using both formal model checking and an empirical evaluation of 132 popular websites that support OpenID. Our formal analysis reveals that the protocol does not guarantee the authenticity and integrity of the authentication request, and it lacks contextual bindings among the protocol messages and the browser. The results of our empirical evaluation suggest that many OpenID-enabled websites are vulnerable to a series of cross-site request forgery attacks (CSRF) that either allow an attacker to stealthily force a victim user to sign into the OpenID supporting website and launch subsequent CSRF attacks (81%), or force a victim to sign in as the attacker in order to spoof the victim's personal information (77%). With additional capabilities (e.g., controlling a wireless access point), the adversary can impersonate the victim on 80% of the evaluated websites, and manipulate the victim's profile attributes by forging the extension parameters on 45% of those sites. Based on the insights from this analysis, we propose and evaluate a simple and scalable mitigation technique for OpenID-enabled websites, and an alternative man-in-the-middle defense mechanism for deployments of OpenID without SSL.


symposium on usable privacy and security | 2011

A brick wall, a locked door, and a bandit: a physical security metaphor for firewall warnings

Fahimeh Raja; Kirstie Hawkey; Steven Hsu; Kai-Le Clement Wang; Konstantin Beznosov

We used an iterative process to design firewall warnings in which the functionality of a personal firewall is visualized based on a physical security metaphor. We performed a study to determine the degree to which our proposed warnings are understandable for users, and the degree to which they convey the risks and encourage safe behavior as compared to text warnings based on those from a popular personal firewall. The evaluation results show that our warnings facilitate the comprehension of warning information, better communicate the risk, and increase the likelihood of safe behavior. Moreover, they provide participants with a better understanding of both the functionality of a personal firewall and the consequences of their actions.


computer human interaction for management of information technology | 2008

Guidelines for designing IT security management tools

Pooya Jaferian; David Botta; Fahimeh Raja; Kirstie Hawkey; Konstantin Beznosov

An important factor that impacts the effectiveness of security systems within an organization is the usability of security management tools. In this paper, we present a survey of design guidelines for such tools. We gathered guidelines and recommendations related to IT security management tools from the literature as well as from our own prior studies of IT security management. We categorized and combined these into a set of high level guidelines and identified the relationships between the guidelines and challenges in IT security management. We also illustrated the need for the guidelines, where possible, with quotes from additional interviews with five security practitioners. Our framework of guidelines can be used by those developing IT security tools, as well as by practitioners and managers evaluating tools.


human factors in computing systems | 2005

Web browsing today: the impact of changing contexts on user activity

Kirstie Hawkey; Kori Inkpen

Although web browsing behaviour was studied in detail in the mid-to-late 1990s, few recent results have been reported. The nature of web browsing has changed significantly since these early studies, both in the profile of the typical web user and in the context of their browsing (e.g. location, connection speed, web browser features). This paper reports on per-session and per-browser window usage, such as the number of pages visited and the speed of browsing. Some of our findings differ from previously published results that continue to motivate research in this area. Our research indicates that changes in user behaviour, such as the magnitude of web browsing activity, may place restrictions on web-browser related applications.

Collaboration


Dive into Kirstie Hawkey's collaborations.

Top Co-Authors

Konstantin Beznosov

University of British Columbia

Pooya Jaferian

University of British Columbia

San-Tsai Sun

University of British Columbia

Rodrigo Werlinger

University of British Columbia

David Botta

University of British Columbia

Fahimeh Raja

University of British Columbia
