Publication


Featured research published by Pooya Jaferian.


symposium on usable privacy and security | 2008

The challenges of using an intrusion detection system: is it worth the effort?

Rodrigo Werlinger; Kirstie Hawkey; Kasia Muldner; Pooya Jaferian; Konstantin Beznosov

An intrusion detection system (IDS) can be a key component of security incident response within organizations. Traditionally, intrusion detection research has focused on improving the accuracy of IDSs, but recent work has recognized the need to support the security practitioners who receive the IDS alarms and investigate suspected incidents. To examine the challenges associated with deploying and maintaining an IDS, we analyzed 9 interviews with IT security practitioners who have worked with IDSs and performed participatory observations in an organization deploying a network IDS. We had three main research questions: (1) What do security practitioners expect from an IDS?; (2) What difficulties do they encounter when installing and configuring an IDS?; and (3) How can the usability of an IDS be improved? Our analysis reveals both positive and negative perceptions that security practitioners have for IDSs, as well as several issues encountered during the initial stages of IDS deployment. In particular, practitioners found it difficult to decide where to place the IDS and how to best configure it for use within a distributed environment with multiple stakeholders. We provide recommendations for tool support to help mitigate these challenges and reduce the effort of introducing an IDS within an organization.


computer human interaction for management of information technology | 2008

Guidelines for designing IT security management tools

Pooya Jaferian; David Botta; Fahimeh Raja; Kirstie Hawkey; Konstantin Beznosov

An important factor that impacts the effectiveness of security systems within an organization is the usability of security management tools. In this paper, we present a survey of design guidelines for such tools. We gathered guidelines and recommendations related to IT security management tools from the literature as well as from our own prior studies of IT security management. We categorized and combined these into a set of high level guidelines and identified the relationships between the guidelines and challenges in IT security management. We also illustrated the need for the guidelines, where possible, with quotes from additional interviews with five security practitioners. Our framework of guidelines can be used by those developing IT security tools, as well as by practitioners and managers evaluating tools.


symposium on usable privacy and security | 2011

Heuristics for evaluating IT security management tools

Pooya Jaferian; Kirstie Hawkey; Andreas Sotirakopoulos; Maria C. Velez-Rojas; Konstantin Beznosov

The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. However, standard usability heuristics are hard to apply as IT security management occurs within a complex and collaborative context that involves diverse stakeholders. We propose a set of ITSM usability heuristics that are based on activity theory, are supported by prior research, and consider the complex and cooperative nature of security management. In a between-subjects study, we compared the employment of the ITSM and Nielsen's heuristics for evaluation of a commercial identity management system. Participants who used the ITSM set found more problems categorized as severe than those who used Nielsen's. As evaluators identified different types of problems with the two sets of heuristics, we recommend employing both the ITSM and Nielsen's heuristics during evaluation of ITSM tools.


computer human interaction for management of information technology | 2009

A case study of enterprise identity management system adoption in an insurance organization

Pooya Jaferian; David Botta; Kirstie Hawkey; Konstantin Beznosov

This case study describes the adoption of an enterprise identity management (IdM) system in an insurance organization. We describe the state of the organization before deploying the IdM system, and point out the challenges in its IdM practices. We describe the organization's requirements for an IdM system, why a particular solution was chosen, issues in the deployment and configuration of the solution, the expected benefits, and the new challenges that arose from using the solution. Throughout, we identify practical problems that can be the focus of future research and development efforts. Our results confirm and elaborate upon the findings of previous research, contributing to an as-yet immature body of cases about IdM. Furthermore, our findings serve as a validation of our previously identified guidelines for IT security tools in general.


human factors in computing systems | 2014

Helping users review and make sense of access policies in organizations

Pooya Jaferian; Hootan Rashtian; Konstantin Beznosov

This work addresses the problem of reviewing complex access policies in an organizational context using two studies. In the first study, we explored the access review activity and identified its challenges using semi-structured interviews. Interviews revealed that access review involves challenges such as scale, technical complexity, the frequency of reviews, human errors, and exceptional cases. We also modeled access review in the activity theory framework. The model shows that access review requires an understanding of the activity context including information about the users, their job, and their access rights, and the history of them. We then used activity theory guidelines to design a new user interface named AuthzMap. We conducted a user study with 340 participants to compare the use of AuthzMap with two of the existing commercial systems for access review. The results show that AuthzMap improved the efficiency of access review in 5 of the 7 tested scenarios compared to the existing systems.


symposium on usable privacy and security | 2009

A multi-method approach for user-centered design of identity management systems

Pooya Jaferian; David Botta; Kirstie Hawkey; Konstantin Beznosov

Identity management (IdM) comprises the processes and infrastructure for the creation, maintenance, and use of digital identities [1]. This includes designating who has access to resources, who grants that access, and how accountability and compliance is maintained [3, 8, 4]. IdM has become an important aspect of IT security infrastructure in organizations, and some consider it to be the most important solution for enabling compliance [9]. To facilitate identity management, usable technological solutions are important. In this ongoing research, we plan to study the practice of identity management from a socio-technical point of view, and study how technology can improve IdM. Our final goal is to develop recommendations for user-centered design of IdM systems. We’ve devised a multi-method approach to address this problem. To begin with, we performed a case study of IdM adoption and use in an insurance organization. The case study provides us with a high level understanding about the problem domain and directions for the rest of our research. We plan to continue our research in two phases: (1) evaluate the usability of an IdM system using heuristic evaluation, and (2) perform a field study to further our understanding about IdM practices and technologies, validate the results of our heuristic evaluation, and develop recommendations for user-centered design of IdM systems. In this poster we present an overview of each phase of our ongoing research. At the time of writing, we finished the case study and developed a list of heuristics for heuristic evaluation of IT security tools. We plan to conduct a heuristic evaluation on an IdM system, and then a field study.


Proceedings of the 3rd ACM workshop on Assurable and usable security configuration | 2010

It's too complicated, so I turned it off!: expectations, perceptions, and misconceptions of personal firewalls

Fahimeh Raja; Kirstie Hawkey; Pooya Jaferian; Konstantin Beznosov; Kellogg S. Booth


Human-Computer Interaction | 2014

Heuristics for Evaluating IT Security Management Tools

Pooya Jaferian; Kirstie Hawkey; Andreas Sotirakopoulos; Maria C. Velez-Rojas; Konstantin Beznosov


symposium on usable privacy and security | 2014

To Befriend Or Not? A Model of Friend Request Acceptance on Facebook

Hootan Rashtian; Yazan Boshmaf; Pooya Jaferian; Konstantin Beznosov


symposium on usable privacy and security | 2014

To authorize or not authorize: helping users review access policies in organizations

Pooya Jaferian; Hootan Rashtian; Konstantin Beznosov

Collaboration

Top Co-Authors

Konstantin Beznosov, University of British Columbia

David Botta, University of British Columbia

Hootan Rashtian, University of British Columbia

Andreas Sotirakopoulos, University of British Columbia

Fahimeh Raja, University of British Columbia

Kellogg S. Booth, University of British Columbia

Rodrigo Werlinger, University of British Columbia