The Quarterly Workshop on Security Information Workers

This is an archived version of the Quarterly WSIW Workshop from November 2020. You can find the current WSIW website here.

The human element is often considered the weakest element in security. Although many kinds of humans interact with systems that are designed to be secure, one particular type of human is especially important, the security information workers who develop, use, and manipulate security-related information and data as a significant part of their jobs. Security information workers include:
  • Software developers, who design and build software that manages and protects sensitive information;
  • Security and system administrators, who deploy and manage security-sensitive software and hardware systems;
  • IT professionals whose decisions have impact on end users' security and privacy;
  • Intelligence analysts, who collect and analyze data about security matters to understand information and make predictions; and
  • Security consultants and educators, who provide guidance to individuals and organizations on practicing good security behaviors and implementing security technologies
This workshop aims to develop and stimulate discussion about security information workers. We will consider topics including but not limited to:
  • Empirical studies of security information workers, including case studies, experiments, field studies, and surveys;
  • New tools designed to assist security information workers;
  • Infrastructure for better understanding security information workers;
  • Information visualization and other techniques designed to help security information workers do their jobs;
  • Evaluations of tools and techniques for security information workers.


Our first quarterly WSIW event will be November 9 at 11:00 EST! If you’d like to do a short talk on a WIP, have a suggestion for a speaker, or want to talk about another topic of interest to the community, send a quick email with a short description of the talk to Looking forward to “seeing” you all and having some great discussions!
We do have a slack channel - email us if you want to be invited.

Agenda - WSIW Quarterly Event

November 9, 2020 12:00 – 13:00 Eastern Standard Time

12:00 – 12:20Exploring the Security Narrative in the Work ContextKaroline Busse, NSI/HSVN
AbstractIt is a well-known fact that the language of IT security experts differs from that of non-security-related people, leading to a multitude of problems. However, very little work has examined the differences in perception between security experts within a single security department or company. The sociological theory of power relations and organizational uncertainties by Croizer and Friedberg suggests that uncertainties about the narratives used in a department can lead to potentially harmful power relations and dissatisfied employees. We conducted a qualitative interview study within two distinct IT security companies in order to research the impact of diverging security narratives within security departments. Our results show that there is indeed an uncertainty about the term IT security. However, one company we interviewed regarded this uncertainty as highly beneficial for team creativity, communication, and mutual education, while the other, more technical-focused company showed few diversions within the security staff, but a possibly uniting conflict with the company’s IT department. Our results suggest that conscious shaping of a zone of uncertainty around the security narrative in the work context can be an important management skill for IT security practitioners. Furthermore, we show that the analysis of language uncertainties provides a powerful approach to studying the motivation of professional security groups.
12:20 – 12:40Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and ChallengesMohammad Tahaei, University of Edinburgh
AbstractSoftware development teams are responsible for making and implementing software design decisions that directly impact end-user privacy. Yet, promoting privacy values and principles in organisations is not a trivial task. Privacy Champions—people who strongly care about advocating privacy—play a useful role in shifting organisational culture towards respect and protection of end-user privacy. We conducted twelve interviews with Privacy Champions in software development teams to understand their motivations, challenges, and strategies for promoting end-user privacy. We find that participants are motivated by personal values and organisational culture, they use discussions and one-to-one interactions to promote end-user privacy, and they find it challenging to do their job when privacy features are delayed because of time and other priorities. Our study is a first step towards understanding Privacy Champions and how organisations might better leverage them to improve privacy approaches and values both within their teams and their products.
12:40 – 13:00A New Attitude-Behavior Model for CybersecurityCori Faklaris, Carnegie Mellon University
AbstractWe analyze data collected in a U.S. Census-weighted survey sample to create the SA-13 security attitude inventory. This is a composite of four scales, tentatively labeled Engagement with Security Measures, Attentiveness to Security Measures, Resistance to Security Measures, and Concernedness with Improving Compliance; the first two scales comprise the SA-6 measure published at SOUPS 2019. The new SA-13 measure was found to explain at least 30% of the variance (p<.001) in another collected measure of security behavior, the Recalled Security Actions inventory (RSec). We discuss when and why to use SA-13 and its component scales and welcome a discussion of how useful it might be for security information workers.

Organizing Committee / Program Committee Chairs

Web Chair