2nd Workshop on Security Information Workers

All sessions will be held in Denver Ballroom 1–2 unless otherwise noted.
Papers are available for download below to registered attendees now and to everyone beginning June 22, 2016. Paper abstracts are available to everyone now. Copyright to the individual works is retained by the author[s].


Wednesday, June 22, 2016

7:30 am–8:30 am Wednesday

Continental Breakfast

Ballroom Foyer

8:30 am–8:50 am Wednesday
8:50 am–10:00 am Wednesday

Paper Session 1: Developer Security

How to Improve the Security Skills of Mobile App Developers? Comparing and Contrasting Expert Views

Charles Weir and Awais Rashid, Lancaster University; James Noble, Victoria University

Programmers’ lack of knowledge and ability in secure development threatens everyone who uses mobile apps. There’s no consensus on how to empower app programmers to get that knowledge. Based on interviews with twelve industry experts we argue that the discipline of secure app development is still at an early stage. Only once industry and academia have produced effective app developer motivation and training approaches shall we begin to see the kinds of secure apps we need to combat crime and privacy invasions.

What Questions Remain? An Examination of How Developers Understand an Interactive Static Analysis Tool

Tyler W Thomas, Heather Lipford, and Bill Chu, University of North Carolina at Charlotte; Justin Smith and Emerson Murphy-Hill, North Carolina State University

Security vulnerabilities are often accidentally introduced as developers implement code. While there are a variety of existing tools to help detect security vulnerabilities, they are seldom used by developers due to the time or security expertise required. We are investigating techniques integrated within the IDE to help developers detect and mitigate security vulnerabilities. In previous work, we examined the questions developers ask when investigating security vulnerabilities with static analysis tools. With those questions as a lens, we now investigate our proposed approach of interactive static analysis. We evaluated the interactions and perceptions of professional developers as they interacted with warnings produced by our tool. Our results provide evidence that our approach effectively communicates security vulnerability information to software developers and provides design guidance for such tools.

Penetration Tests a Turning Point in Security Practices? Organizational Challenges and Implications in a Software Development Team

Sven Türpe, Laura Kocksch, and Andreas Poller, Fraunhofer SIT

Many software vendors conduct or commission penetration testing of their products. In a penetration test security experts identify entry points for attacks in a software product. The audits can be an eye-opener for development teams: they realize that security requires much more attention. However, it is unclear what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test and its aftermath at a major software vendor, and ask how an agile development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but long-lasting change of development practices is hampered if security is not properly reflected in the communicative and collaborative structures of the organization, e.g. by a dedicated stakeholder. Based on our findings we suggest improvements to current penetration test consultancies by addressing communication and organizational factors in software development.

10:00 am–10:30 am Wednesday

Break with Refreshments

Ballroom Foyer

10:30 am–12:00 pm Wednesday

Plenary Session

Towards Understanding and Improving IT Security Management

Kosta Beznosov, University of British Columbia

Security of information technology (IT) has become a critical issue for organizations as they must protect their information assets from unauthorized access and quickly resume business activities after security breaches. In order for technological solutions to provide effective support to IT security practitioners, tool developers need to understand better not only the technical, but also the human and organizational dimensions of IT security. This talk gives an overview of a multi-year empirically-driven investigation towards understanding and improving IT security management.

Question and answer session to follow.

12:00 pm–1:40 pm Wednesday

Lunch (on your own)

1:40 pm–3:00 pm Wednesday

Paper Session 2: Security Worker Experience

Preliminary Findings from an Exploratory Qualitative Study of Security-Conscious Users of Mobile Authentication

Flynn Wolf and Ravi Kuber, University of Maryland, Baltimore County; Adam J. Aviv, United States Naval Academy

Authentication on mobile devices is a research priority for the development of usable and trustworthy platforms. However, users may struggle to understand how to balance security and usability for the broad range of important data-driven social and financial transactions on their devices. This concern is especially prevalent in security information workers sensitized to mobile technology vulnerabilities by information about security risk. The purpose of this study is to better understand the mental models and practices of those security conscious users from academia, industry, and government, from an explorative qualitative approach, noting that mobile authentication studies have largely overlooked the mindset of users who have considered their behavior in terms of detailed knowledge of risk. A preliminary analysis of findings is presented in this paper. Participants described usability and situational impairment issues, and concern for data security arising from highly contextual combinations of technology and situational risk. Implications for development of security methods derived from these views are discussed, such as the need for authentication rigor to be driven by more contextualized understanding of task and location-based risk.

The Cybersecurity Competition Experience: Perceptions from Cybersecurity Workers

Colin Wee and Masooda Bashir, University of Illinois Urbana–Champaign; Nasir Memon, New York University

How do workers within the field of cybersecurity perceive cybersecurity competitions? This study aims to address this question and investigate if competitions left a positive mark on the information security workers who participated in them. In this paper, we report on an online survey of current employees of the cybersecurity industry who had once participated in Cybersecurity Awareness Week, one of the most established cybersecurity competitions in the world. We examine their perceptions of the competition in general, the skills they learnt from the competition, and whether they felt the competition was beneficial to them. Data from 89 cybersecurity workers showed that competitions taught them useful skills related to their job, especially skills related to reverse engineering and analytic skills. Their competition experience was also a major influence in their career-decision making.

Collaborative Data Analysis and Discovery for Cyber Security

Diane Staheli, Vincent Mancuso, Raul Harnasch, Cody Fulcher, Madeline Chmielinski, Adam Kearns, Stephen Kelly, and Era Vuksani, MIT Lincoln Laboratory

In this paper, we present the Cyber Analyst Real-Time Integrated Notebook Application (CARINA). CARINA is a collaborative investigation system that aids in decision making by co-locating the analysis environment with centralized cyber data sources, and providing next generation analysts with increased visibility to the work of others. In current generation cyber work, tools limit analysts' ability to collaborate, often relying on individual record keeping, which hinders their ability to reflect on their own work and transition analytic insights to others. While online collaboration technologies have been shown to encourage and facilitate information sharing and group decision making in multiple contexts, no such technology exists today in cyber. Using visualization and annotation, CARINA leverages conversation and ad hoc thought to coordinate decisions across an organization. CARINA incorporates features designed to incentivize positive information-sharing behaviors, and provides a framework for incorporating recommendation engines and other analytics to guide analysts in the discovery of related data or analyses. In this paper, we present the user research that informed the development of CARINA, discuss the functionality of the system, and outline potential use cases. We also discuss future research trajectories and implications for cyber researchers and practitioners.

3:00 pm–3:30 pm Wednesday

Break with Refreshments

Ballroom Foyer

3:30 pm–5:00 pm Wednesday

Usable Security Lessons for Security Administrators

Brainstorming and discussion session.

5:15 pm–7:00 pm Wednesday

SOUPS 2016 Poster Session and Happy Hour

Colorado Ballroom A–E