This is an archived version of the Quarterly WSIW Workshop from November 2020.

The human element is often considered the weakest element in security. Although many kinds of humans interact with systems that are designed to be secure, one particular type of human is especially important: the security information workers who develop, use, and manipulate security-related information and data as a significant part of their jobs. Security information workers include:

Program: November 9, 2020, 12:00 – 13:00 Eastern Standard Time
12:00 – 12:20 | Exploring the Security Narrative in the Work Context – Karoline Busse, NSI/HSVN

Abstract: It is a well-known fact that the language of IT security experts differs from that of non-security-related people, leading to a multitude of problems. However, very little work has examined the differences in perception between security experts within a single security department or company. The sociological theory of power relations and organizational uncertainties by Crozier and Friedberg suggests that uncertainties about the narratives used in a department can lead to potentially harmful power relations and dissatisfied employees. We conducted a qualitative interview study within two distinct IT security companies in order to research the impact of diverging security narratives within security departments. Our results show that there is indeed an uncertainty about the term IT security. However, one company we interviewed regarded this uncertainty as highly beneficial for team creativity, communication, and mutual education, while the other, more technically focused company showed few diversions within the security staff, but a possibly uniting conflict with the company’s IT department. Our results suggest that conscious shaping of a zone of uncertainty around the security narrative in the work context can be an important management skill for IT security practitioners. Furthermore, we show that the analysis of language uncertainties provides a powerful approach to studying the motivation of professional security groups.

12:20 – 12:40 | Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges – Mohammad Tahaei, University of Edinburgh

Abstract: Software development teams are responsible for making and implementing software design decisions that directly impact end-user privacy. Yet, promoting privacy values and principles in organisations is not a trivial task. Privacy Champions, people who strongly care about advocating privacy, play a useful role in shifting organisational culture towards respect and protection of end-user privacy. We conducted twelve interviews with Privacy Champions in software development teams to understand their motivations, challenges, and strategies for promoting end-user privacy. We find that participants are motivated by personal values and organisational culture, they use discussions and one-to-one interactions to promote end-user privacy, and they find it challenging to do their job when privacy features are delayed because of time and other priorities. Our study is a first step towards understanding Privacy Champions and how organisations might better leverage them to improve privacy approaches and values both within their teams and their products.

12:40 – 13:00 | A New Attitude-Behavior Model for Cybersecurity – Cori Faklaris, Carnegie Mellon University

Abstract: We analyze data collected in a U.S. Census-weighted survey sample to create the SA-13 security attitude inventory. This is a composite of four scales, tentatively labeled Engagement with Security Measures, Attentiveness to Security Measures, Resistance to Security Measures, and Concernedness with Improving Compliance; the first two scales comprise the SA-6 measure published at SOUPS 2019. The new SA-13 measure was found to explain at least 30% of the variance (p<.001) in another collected measure of security behavior, the Recalled Security Actions inventory (RSec). We discuss when and why to use SA-13 and its component scales and welcome a discussion of how useful it might be for security information workers.