Abstract
Understanding the human in computer security through Qualitative Research aims at a conceptual repositioning. The aim is to leverage individual human experience to understand and improve the impact of humans in computer security. Embracing what is particular, complex and subtle in the human social experience means understanding precisely what is happening when people transgress protocols. Repositioning transgression as normal, by researching what people working in Computer Network Defense do, how they construct an understanding of what they do, and why they do it, facilitates addressing the human aspects of this work on its own terms. Leveraging the insights developed through Qualitative Research means that it is possible to envisage and develop appropriate remedies using Applied Psychology, and thereby improve computer security.
Acknowledgement
This work was initiated at IMT Atlantique and completed at NTNU. It was supported, in part, by the Norwegian National Security Authority and by the Cyber CNI Chair of Institute Mines-Télécom, which is held by IMT Atlantique in Rennes, France.
A Some Categories and Codes From the Use Case
The following are examples of some of the categories and codes, relevant to the phenomenon of cyber-threat information sharing, that emerged during Grounded Theory analysis as part of a study of cyber network defenders.
A.1 Category: Procedures
Line by Line code (number of occurrences):
- procedures/Absence/Creativity (2)
- procedures/ImportanceOf (5)
- proceduresSlowYouDown (1)
A.2 Category: Crisis Resolution and Team Work
Line by Line code (number of occurrences):
- crisis/WholeTeamWork (3)
- work/CrisisBeingAlone (3)
- workaround/NotInProcedures (2)
A.3 Category: Inherent Goods/Those Gaining Approval
Line by Line code (number of occurrences):
- crisis/Solved (5)
- crisis/Solved/Speed (2)
- intuition/roleInTheWork (2)
- procedures/Absence/Creativity (2)
A.4 Category: Crises Described in Detail
Line by Line code (number of occurrences):
- crisis/Solved/Relief (3)
- crisis/Solving/TakesTime (1)
- crisis/Solved/Speed (2)
- crisis/TimeLine (3)
- identifyingTheCrisis (2)
- identifyingTheCrisisEnd (8)
- work/CrisisBeingAlone (3)
A.5 Category: Tension Between Differing Agendas
Line by Line code (number of occurrences):
- communicatingWithNonTeam (4)
- regulatorsLegalAgenda (8)
- tension/QualityServiceCommercialGoal (5)
A.6 Category: The Company Commercial Matters
Line by Line code (number of occurrences):
- askingForHelpOutsideTeam (2)
- crisis/AssigningResponsibility (3)
A.7 Category: Being Part of Community
Line by Line code (number of occurrences in the data):
- cyberDefendersCommunity (3)
- cyberDefendersTension (2)
- cyberDefendersUnited (6)
- cyberThreatsGlobal (16)
- externalContextImportant (5)
- externalLinksImportant (8)
- firefighterMercenariesRole (13)
- informationSharingImportant (13)
- informationToConfirmIncident (4)
- linksWithOther[deleted]sImportant (6)
A.8 Category: Information on Cyber Security and Defense
Line by Line code (number of occurrences in the data):
- informationRequired [deleted] (11)
- informationRequired[deleted]Burden (1)
- informationSecurityImportant (8)
- informationSharingManaged (11)
- informationSortingImportant (13)
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Foley, S.N., Rooney, V.M. (2020). Social Constructionism in Security Protocols. In: Anderson, J., Stajano, F., Christianson, B., Matyáš, V. (eds) Security Protocols XXVII. Security Protocols 2019. Lecture Notes in Computer Science(), vol 12287. Springer, Cham. https://doi.org/10.1007/978-3-030-57043-9_7
DOI: https://doi.org/10.1007/978-3-030-57043-9_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57042-2
Online ISBN: 978-3-030-57043-9
eBook Packages: Computer Science (R0)