July 23-25, 2008
Pittsburgh, PA


Call for participation





Workshop on Usable IT Security Management (USM '08)

July 23, 2008

part of 2008 Symposium on Usable Privacy and Security (SOUPS)

Pittsburgh, PA

Scope and Focus

Having recently received increasing attention, usable security is implicitly all about the end user who employs a computer system to accomplish security-unrelated business or personal goals. However, there is another aspect to usable security. IT professionals have to deal with the order of magnitude more difficult problem of managing security of large, complex enterprise systems, where an error could cost a fortune. IT security is distributed amongst various individuals and tools within the organization making the support for IT security management tasks hard. The diversity of the tasks also contributes to the complexity of the issues. The workshop organizers are soliciting research and position papers on the usability of tools and technology employed for all types of IT security management tasks, including but not limited to:

  • analysis of security and privacy regulations, requirements, and liabilities
  • management of security and privacy policies
  • design of security controls and procedures
  • deployment, integration, modification, and maintenance of security solutions
  • security configuration and monitoring of devices, systems, and applications
  • collection, visualization, and analysis of security information
  • detection, reporting, response to, investigation of, and recovery from security incidents
  • management of user accounts and rights
  • compliance with regulations
  • patch management

The workshop participants are also welcome to explore in their papers significant and interesting questions related to the usability of IT security management, such as:

  • Are the notions of usable security for end-users and IT professionals the same?
  • What is unique about IT security management, and why should HCISec community care?
  • What are the differences in the background, training, goals, tasks, constraints, and tools between end-users, IT security professionals, and other IT staff (e.g., network admins)?
  • How do these differences affect the (perception of) usability of the security mechanisms and tools?
  • Can the approaches to improving the security usability for end-users be directly applied to the domain of IT security management, and vice versa?
  • With some of the modern-day systems, where users are largely responsible for their own security self-administration, where is the boundary between the end-users, power users, and IT security professionals? Can it be defined precisely or is it blurred?


9:00 - 9:30 Introductions, logistics, and opening remarks
Konstantin Beznosov (University of British Columbia) and John Karat (IBM), workshop organizers

9:30 - 10:30 Invited Talk
Human and Organizational Aspects of Security Incident Management - Robin Ruefle, CERT

10:30 - 11:00 Break

11:00 am - 12:00

12:00 - 1:00 pm: Lunch

1:00 - 2:00

2:00 - 2:30 Break

2:30 - 3:45

Invited talk

Human and Organizational Aspects of Security Incident Management
Robin Ruefle

Robin Ruefle photo Although technology plays a critical role in the detection, analysis, and resolution of security incidents, it is usually the human and organizational elements that will determine how successful the response and recovery actually is. For computer security incident response to occur in an effective and successful way, all the tasks and processes being performed must be viewed from an enterprise perspective. This means identifying how tasks and processes relate, how information is exchanged, and how actions are coordinated, no matter who is performing the work. Looking only at the technology part of the process misses key human and organizational elements that can impact the overall response, possibly delaying actions due to confusion of roles and responsibilities, ownership of data and systems, and organizational authority. Response can also be delayed or ineffective because of communications problems such as not knowing whom to contact or even due to poor quality information being received about the event or incident. Any impact on the response timeliness and quality can cause further damage to critical assets and data during an incident.

To truly be effective security incidents must be managed in an enterprise-wide process that defines for the organization how incidents are received, processed, and communicated. Building such an incident management capability can be challenging and complex due to the numerous people, systems, and business processes that must be taken into consideration.

This talk will examine common human and organizational problems in not only handling computer security incidents but also in building a capability for performing this work.

Bio: Robin Ruefle is a member of the technical staff of the CERT Program at the Software Engineering Institute at Carnegie Mellon University. She works as a member of the CERT CSIRT Development team (CDT). Ruefle’s focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs) worldwide. As a member of the CDT, Ruefle develops and delivers sessions in the suite of courses offered to CSIRT managers and incident handling staff, including Creating a CSIRT, Managing CSIRTs, Fundamentals of Incident Handling, and Advanced Incident Handling for Technical Staff. She also participates in the Train-the-Trainer program that licenses these products to existing CSIRTs. The CSIRT Development Team also provides guidance in the development of implementation strategies, policies, standard operating procedures, response plans, and training programs for new and existing CSIRTs. As part of that work, Ruefle has authored or co-authored publications including: Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, The Role of Computer Security Incident Response Teams in the Software Development Life Cycle, as well as numerous other articles and best practice guides. These documents can be found on the CSIRT Development webpages at []. Ruefle has presented at numerous incident response and security conferences, including The Forum for Incident Response and Security Teams (FIRST), The US Government Forum for Incident Response and Security Teams (GFIRST), EDUCAUSE, SECURE IT, and other similar venues. Ruefle received a BS in political science and an MPIA (Master of Public and International Affairs) from the University of Pittsburgh. She has also taught courses in information technology, management information systems, and information retrieval and analysis as an adjunct faculty member in the Continuing Education and MBA programs at Chatham College and in the Graduate School of Public and International Affairs (GSPIA) at the University of Pittsburgh.

Workshop Organizers

Konstantin (Kosta) Beznosov, University of British Columbia

John Karat, IBM


SOUPS is sponsored by Carnegie Mellon CyLab.

USM workshop is sponsored in part by the Laboratory for Education and Research in Secure Systems Engineering (LERSSE).