Background

Our workshop in a nutshell

IT security is a major concern in the proliferation of IT systems in all areas of society. Present and future socio-technical arrangements such as global data networks, smart and mobile devices, the Internet of things, Big Data analytics, Industry 4.0, ubiquitous computing, critical infrastructures and so forth all hinge on functioning and secure IT systems. Security breaches in IT systems are nowadays broadly recognized by the public not only with regard to their technical causes and impacts, but also with respect to their potential effects on the economy and on society as a whole. The recent “WannaCry” ransomware attacks [1] and the hack of the Democratic National Committee during the 2016 US presidential elections [2] are just two telling examples of the broad recognition of IT security issues. Such events, and how they are discussed in public, draw the attention of policymakers and encourage them to develop new regulations and political doctrines, such as those related to “cyberwar”.

IT security, however, is often discussed with regard to isolated aspects, e.g., the encryption of data or users’ mental models of password setting. What is missing is an interdisciplinary approach that incorporates both material and social dimensions, both technologies and processes, and both individual agency and social structure. To develop such an approach, we suggest adopting practices as the focus of analysis. Practice-theoretical approaches have gained considerable recognition in science and technology studies (STS) for studying the interrelations between science, technology and society, but they have not yet been applied to IT security. By taking this “practice turn”—focusing on security practices as shaped by social and technological affordances and constraints—we open the black box of IT security and develop a broader understanding of how IT security is perceived and negotiated by different actors, and of how security is inscribed in or enacted with material artifacts. Such an understanding, we argue, can facilitate new ways of informed decision making in design, policy making and organizational management; and it will enable us to advance a meaningful discourse among the diverse stakeholders and actors in society on how to contribute to IT security efforts.

Working towards a comprehensive understanding of IT security practices, we propose a two-day international and interdisciplinary workshop on “The practice turn in IT security”, involving participants from the social sciences, science and technology studies, and computer science. The workshop mobilizes practice-theoretical approaches in its concept and method to tackle pressing technical and non-technical questions of IT security. In so doing, the workshop explores how IT security emerges from a mesh of diverse practices involving a range of actors such as software developers, security researchers, hackers, users, policy makers, non-profit organizations, etc. “Taking the practice turn” with IT security, we suggest studying IT security in terms of distributed collaboration, tense negotiation and heterogeneous cooperation across organizational boundaries and socio-material settings.

Why our workshop

This workshop proceeds from the observation that global communication networks and ubiquitous computing raise the complexity of communication systems. With ever more devices and people being linked through, e.g., the Internet of things or smart devices, information security becomes more critical, and the stakes are high, as recent security incidents have shown.

In the face of these new challenges to information systems and security, we assume that existing techno-centric approaches to IT security leave a gap, and that established notions of usable security limit questions of IT security to relatively narrow concerns for product quality and consumer competency (see [3]). Conventionally, techno-centric IT security research has focused on proposing technologies intended to protect the actors engaged with an IT system, as defined ex ante in a security model. The entities to protect against are likewise modeled: the adversaries considered a potential threat to the system under consideration. The aim is to design and develop these technologies in a way that makes their security promises, relative to the underlying threat and system model, well-defined, predictable, and even mathematically proven. While this research is concerned with delivering the reliable technological foundations that afford the creation and operation of secure IT systems, the question of how these technologies are enacted in everyday practice has so far not been the focus of conventional IT security research.

However, recent research on human factors in IT security acknowledges that human actions are part of the security equation. Usable security takes up this stance by exploring users’ interactions with technology in order to identify and describe human behavior considered to be related to successful applications of security technology. The idea is to find ways to ease and optimize human-computer interaction so that the claimed promises of security technologies can be kept in practical application scenarios.

While usable security can provide valuable feedback to security technologists, this approach alone cannot explain how and why IT security practices and IT security technologies develop and spread—or why and when IT security incidents occur. In contrast, we propose to analyze IT security in terms of the practices that build, maintain, ensure, and possibly undermine IT security. We propose the notion of IT security practices to highlight that:

  • IT security practices are distributed, i.e., IT security is made and maintained in a wide and complex mesh of practices that engages multiple contexts and actors (such as, e.g., corporate developers, vendors, users, independent security researchers, and hackers).
  • IT security practices concern intricate socio-material entanglements, i.e., IT security (or, its failure) is neither solely a technological nor a social (e.g., organizational) problem.
  • IT security is a dynamic process, i.e., IT security is neither a stable product, technical standard or value, nor solely a cryptographic problem. Rather, IT security is a matter of problematization, valuation, ongoing negotiation, and continuous relation work between various actors.

Focusing on IT security practices is, we argue, crucial to tackling important questions of IT security. Only in this manner are we able to formulate a notion of IT security that benefits academic research, (corporate) IT development, policy making, and users alike.

What do we expect as outcomes

Understanding IT security as achieved in distributed, socio-material and dynamic practices requires us to tackle a range of questions. First and foremost, our workshop aims at mapping the distribution of practices that constitute IT security: Which actors are involved in creating and maintaining IT security? Which organizational and community boundaries do these actors have to cross?

Second, the socio-material dimensions of IT security call for a deeper understanding of its material artifacts and the processes of their fabrication. Therefore, our workshop explores the models, probes, tests, trials, and diagrams of IT security practices—tracing their trajectories, unearthing their underlying assumptions, and parsing the narratives they support: Which role do artifacts play in negotiating in-/security? Why do some tools work in a certain environment while others do not?

Third, framing IT security as a dynamic process across technological, social and organizational boundaries raises questions such as: Through which concrete practices is IT security actually achieved and contested? How do distributed practices interlock? How are technological, social, and organizational boundaries bridged?

The pursuit of these questions requires different fields of expertise, ranging from the social sciences to computer science (e.g., cryptography) and practitioners, and thus calls for an interdisciplinary dialogue on IT security for which our workshop seeks to lay the foundations. We intend to connect and discuss different approaches to IT security, attending to the fields’ distinct research practices and materials. Assembling an interdisciplinary round of participants, we will work to define the practices that are central to each participant and each discipline when trying to achieve IT security. With the help of concrete empirical material on IT security in action, from either a social science or a computer science approach, we intend to understand the artifacts, the social and organizational embeddedness, and the discourses that are relevant when framing IT security from a practice perspective. Our workshop is an opportunity for participants to network and to build a community of interdisciplinary researchers who encounter IT security very differently in their respective scientific disciplines.

Bringing together interdisciplinary research under the lens of IT security practices prepares a more comprehensive picture of the challenges to overcome in secure software engineering, in designing security tools or cryptography, and in describing the socio-technical entanglements of IT security. By probing the analytic potential of practice-theoretical approaches for generating novel, cutting-edge research on IT security, the workshop helps to prepare further publications (e.g., an article for the Computer Supported Cooperative Work (CSCW) journal) and larger follow-up workshops and conferences on IT security practices. The workshop will also fit into the CAIS portfolio and “CAIS Studien”, since it focuses on IT security as a concrete issue for the design, development and appropriation of technology for the internet.

How we want to approach our workshop

This workshop probes a practice-theoretical perspective on IT security. Diverse practice-theoretical approaches abound both in social theory and in the empirical social sciences [4,5,6]. We propose to understand “practices” as clusters of doings and sayings, more or less stabilized as patterns of activity in manifold socio-material arrangements. Focusing on practices rather than on single instances of interaction or on monolithic structures allows us to grasp the dynamics of the social processes through which actors and materials are woven into collectives and conglomerates. These are processes of (dis-)alignment through cooperation, collaboration, and coordination, as well as negotiation, interaction, adaptation, contestation, and also conflict.

We use the notion of “practices” as an analytic lens to focus on questions concerning rules and tacit rule-following, entangled (socio-)materialities, as well as the situated, distributed, and processual character of clusters of activity that transcend organizational and community boundaries.

Methodologically, the workshop builds on qualitative empirical data that is presented and discussed, i.e., experiential data gathered through professional participation itself or through participant observation, ethnographic fieldwork, qualitative interviews, as well as fine-grained analyses of textual corpora. This primacy of qualitative data, we argue, facilitates the interdisciplinary dialogue between social scientists and practicing computer scientists, because first-hand professional accounts and qualitative empirical data fruitfully complement one another.

To further strengthen the interdisciplinary claim of our workshop, we stress the materials of IT security (tools, algorithms, code, guidelines, software, and so forth) as a key aspect for fostering meaningful discussions across disciplines, since these materials and their trajectories bind the areas of empirical research and technology design together [7]. By encouraging computer scientists to bring their own encounters with, and pressing issues of, technology appropriation, use, misuse and abandonment to the social sciences, we argue that a social science method can serve the mutual interests of all our diverse participants.

How do we connect to existing research strands

We discern three, partly overlapping strands of previous research on IT security:

The first strand—the technology strand—focuses on proposing countermeasures to defend against possible adversary attacks. Here, researchers pay specific attention to identifying possible vulnerabilities through modeling or testing, often simulating adversaries to do so. Based on their practical testing and theoretical modeling, incorporating anticipated adversary scenarios, they design technical countermeasures. Along this epistemic tradition, security solutions are understood as inscriptions into technology. However, while technology is at the heart of this discipline, also among security technologists there is an understanding that security is “fundamentally a people problem” [8]. Hence, researchers in this area have started to incorporate “human factors” into their work, thereby taking into account aspects of the second strand.

The second strand—usable security research—focuses on users and developers of software systems as potential real-life applicants of security, or as inhibitors of it. Applicants are problematized by viewing their behavior as often counteracting the security goals underlying the development of security technology as outlined above. They do so, so the argument goes, because they are “lazy” [9], do not care [10], or lack the knowledge and proficiency. Researchers whose work corresponds to this school of thought ask how users and developers understand IT security and how they apply their mental models of it.

The usable security strand stands out in that it incorporates socio-psychological knowledge about individual users and works on making secure technology more usable. It also pays attention to software in the making: in experimental studies, developers are provided with tools and methods intended to help make their systems or software more secure [11]. Moreover, recent approaches in the second strand suggest educating users in situ, giving them the knowledge to make informed decisions, and improving the transparency of security functions [3, 12].

With its interdisciplinary approach, usable security has established viable collaborations between computer scientists and social scientists. It has also given rise to a fruitful discourse across disciplines, as, e.g., a recent interdisciplinary workshop at the George Washington University shows, where social psychologists and computer scientists came together to define joint understandings of and solutions for IT security problems [13].

We aim to extend these interdisciplinary traditions by thinking one step further and seeking to deal with the limitations of both the technology strand and the usable security approach that we have identified: the usable security strand promotes a strong dualism between technologies and humans, in that usually one determines the other. This dualistic view becomes even more apparent when we consider how the first two strands discuss security together: the conflated view of both strands is that security can be realized by technology design, by interventions into human behavior in terms of behavioral fixes, or by both.

By contrast, science and technology studies and CSCW research suggest that human and non-human actors come together in practice. This perspective allows for new explanations and descriptions of technological systems and their security or insecurity. Hence, this view re-shapes the first two strands by considering the dispersed, collective practices leading to insecure software and, in particular, their reciprocal entanglements with organizational structures, social embeddedness and socio-material environments. (The latter becomes even more significant with new application areas for technology such as the Internet of things, or with the growing economic importance of data for traditional industries.)

We argue that this perspective serves as a third, novel and integrative strand—a view on the security of IT systems that conceives of their users, their makers, their operators and other involved actors as part of a complex entanglement with each other and with various contexts of use, design and technology maintenance. From this perspective, achieving security becomes an involved social, organizational as well as technological challenge. Early work exists in this research area, e.g. [14]; however, this third strand of security research is only emerging.

What we have already studied

Korn and Wagenknecht studied how self-identifying “security researchers,” typically with ties to hacking communities, explore, examine, and evaluate communication infrastructure, seeking to re-negotiate the in-/security of technologies with corporate software developers [15]. Furthermore, Wagenknecht and Korn were able to show how hackers make use of security weaknesses to circumvent and reverse engineer proprietary communication technologies in order to build their own free alternatives [16].

In turn, Poller, Kocksch et al. studied the complex and multi-layered organizational embeddedness of IT security in software development [17]. In earlier studies, Poller et al. analyzed the impact of electronic identity cards on governmental institutions and companies using the case of the “Neuer Personalausweis” [18], and, together with colleagues at Fraunhofer, IBM and GESIS, investigated the practical issues of employing threat modeling [19] and risk assessment techniques [20]. All these studies have found that IT security emerges from a mesh of practices distributed across organizational and community boundaries — a finding that, we argue, fruitfully pushes the predominant research paradigms in IT security research further.

How do we want to make the workshop results accessible to the research community

To foster a sustainable community around practice-based IT security research, outcomes of the workshop will be disseminated through an array of measures — most centrally a workshop report, a companion website, and follow-up presentations and publications. An in-depth workshop report documenting cross-cutting themes and discussions will be published online and prepared for “CAIS Studien”.

The workshop website will be used as a platform to facilitate awareness, discussion, and documentation of the workshop before and after the event.

Presentations reporting on workshop outcomes will be delivered by the applicants at relevant partner institutions and events (among others, the SecHuman PhD program at Ruhr University Bochum, the Collaborative Research Center 1187: Media of Cooperation at University Siegen, and CAIS).

Further, the organizers want to prepare a synthesis publication on the state of research in practice-based IT security research, based in part on the outcomes of the workshop discussions. The publication is aimed at international conferences in Science and Technology Studies (EASST, 4S) and in the field of Computer-Supported Cooperative Work (ACM CSCW, ACM CHI). Follow-up events in other European countries are planned to expand and sustain the emerging research community around practice-based IT security research.

References

[1] The Guardian, Massive ransomware cyber-attack hits nearly 100 countries around the world, https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs, [Online; accessed 28-May-2017], 2017.
[2] E. Lipton, D. Sanger, and S. Shane, The Perfect Weapon: How Russian Cyberpower Invaded the U.S. https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html, [Online; accessed 28-May-2017], 2016.
[3] P. Dourish, R. E. Grinter, J. D. De La Flor, and M. Joseph, “Security in the wild: User strategies for managing security as an everyday, practical problem,” Personal and Ubiquitous Computing, vol. 8, no. 6, pp. 391–401, 2004.
[4] A. Reckwitz, “Grundelemente einer Theorie sozialer Praktiken: Eine sozialtheoretische Perspektive / Basic elements of a theory of social practices: A perspective in social theory,” Zeitschrift für Soziologie, pp. 282–301, 2003.
[5] J. Rouse, “Practice theory,” Handbook of the Philosophy of Science, no. 15, 2007.
[6] K. K. Cetina, T. R. Schatzki, and E. von Savigny, The practice turn in contemporary theory. Routledge, 2005.
[7] P. Bjørn and C. Østerlund, Sociomaterial-design: Bounding technologies in practice. Springer Publishing Company, Incorporated, 2014.
[8] B. Schneier, Secrets and lies: Digital security in a networked society. New York, Wiley, 2004.
[9] A. E. Howe, I. Ray, M. Roberts, M. Urbanska, and Z. Byrne, “The psychology of security for the home computer user,” in 2012 IEEE Symposium on Security and Privacy, May 2012, pp. 209–223. doi: 10.1109/SP.2012.23.
[10] B. Schneier, The psychology of security. 2008, [Online; accessed 28-May-2017].
[11] J. Xie, H. Lipford, and B.-T. Chu, “Evaluating interactive support for secure programming,” in Proc. CHI ’12, Austin, Texas, USA: ACM, 2012, pp. 2707–2716.
[12] P. Dourish and D. Redmiles, “An approach to usable security based on event monitoring and visualization,” in Proceedings of the 2002 Workshop on New Security Paradigms, ser. NSPW ’02, Virginia Beach, Virginia: ACM, 2002, pp. 75–81, isbn: 1-58113-598-X. doi: 10.1145/844102.844116. [Online]. Available: http://doi.acm.org/10.1145/844102.844116.
[13] L. J. Hoffman, Social science, computer science, and cybersecurity workshop summary report, https://cspri.seas.gwu.edu/sites/cspri.seas.gwu.edu/files/downloads/Final+08+22+13+1301+Report+Social+Science.pdf, [Online; accessed 29-May-2017], 2013.
[14] L. Palen and P. Dourish, “Unpacking privacy for a networked world,” in Proceedings of the SIGCHI conference on Human factors in computing systems, ACM, 2003, pp. 129–136.
[15] M. Korn and S. Wagenknecht, “Friction in arenas of repair: Hacking, security research, and mobile phone infrastructure,” in Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing, ser. CSCW ’17, Portland, Oregon, USA: ACM, 2017, pp. 2475–2488.
[16] S. Wagenknecht and M. Korn, “Hacking as transgressive infrastructuring: Mobile phone networks and the German Chaos Computer Club,” in Proceedings of the 19th ACM Conference on Computer-Supported Cooperative Work & Social Computing, ser. CSCW ’16, San Francisco, California, USA: ACM, 2016, pp. 1104–1117.
[17] A. Poller, L. Kocksch, S. Türpe, F. A. Epp, and K. Kinder-Kurlanda, “Can security become a routine?: A study of organizational change in an agile software development group,” in Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing, ser. CSCW ’17, Portland, Oregon, USA: ACM, 2017, pp. 2489–2503.
[18] A. Poller, U. Waldmann, S. Vowe, and S. Türpe, “Electronic identity cards for user authentication: Promise and practice,” IEEE Security & Privacy, vol. 10, no. 1, pp. 46–54, Jan. 2012, issn: 1540-7993.
[19] J. Whitmore, S. Türpe, S. Triller, A. Poller, and C. Carlson, “Threat analysis in the software development lifecycle,” IBM Journal of Research and Development, vol. 58, no. 1, 6:1–6:13, 2014, issn: 0018-8646. doi: 10.1147/JRD.2013.2288060.
[20] A. Poller, S. Türpe, and K. Kinder-Kurlanda, “An asset to security modeling? Analyzing stakeholder collaborations instead of threats to assets,” in Proceedings of the 2014 New Security Paradigms Workshop, ser. NSPW ’14, Victoria, British Columbia, Canada: ACM, 2014, pp. 69–82, isbn: 978-1-4503-3062-6.