Proceedings of the Tenth International Symposium on
Human Aspects of Information Security & Assurance (HAISA 2016)
78
Elicitation of Requirements for an inter-organizational
Platform to Support Security Management Decisions
J. Dax2, B. Ley2, S. Pape1, C. Schmitz1, V. Pipek2 and K. Rannenberg1
1 Goethe University Frankfurt, Chair of Mobile Business & Multilateral Security,
Germany
2 University of Siegen, Institute of Information Systems, Germany
e-mail: {julian.dax; benedikt.ley; volkmar.pipek}@uni-siegen.de
{sebastian.pape; christopher.schmitz; kai.rannenberg}@m-chair.de
Abstract
Due to new regulations in Germany energy providers are required to obtain IT security
certificates. Especially small and medium-sized energy providers struggle to fulfill these new
requirements. Since most of them are in the same situation, we are dealing with the question
on how to support their collaboration using a web-based platform. We elicited criteria from
energy providers on how such a platform should be designed to support them. The main
contribution is a set of requirements for the collaboration platform along with the implications
for its implementation. The focus of this work is not on technical innovation but on how
existing technologies and best practices can be adopted for the needs of small and medium-
sized energy providers.
Keywords
Usable Security, Security Management, Security Assessment, Security Perception
1. Introduction
The European Program for Critical Infrastructure Protection (EPCIP) was recently
implemented in national laws in Germany. The IT security law requires providers of
critical infrastructures to get certifications for their security. This especially concerns
energy providers as they also have to comply with industry-sector-specific
regulations laid out in the Energy Industry Act (EnWG). There is no de minimis rule
if the definition for critical infrastructure is fulfilled. As a consequence, in particular
small and medium-sized energy providers struggle to fulfill the requirements.
Compared to larger providers, they are handicapped by a low budget for IT security
and by having no IT security experts on staff. One of their first
challenges in order to meet the criteria is to introduce an information security
management system (ISMS). Most of the providers mainly do this to comply with
the new regulation. When the ISMS is put to work, the energy providers should
make use of it to monitor and improve the IT security of their systems.
Most of the energy providers are uncertain how to start and may need to hire external
consultants to support them. The aim of the project SIDATE is to support them to
continuously improve their security. Since many of the small and medium-sized
energy providers face very similar challenges, a natural solution to support them is to
stimulate inter-organizational collaboration. This should be done by building an
inter-organizational collaboration platform for energy providers. The platform should
enable the energy providers to share their knowledge about IT security in a
structured way.
In this paper, we describe the requirements elicitation process with the energy
providers. We aimed to engage them very early in the design process. It turned out that
many of the criteria are not domain-specific for energy providers. Therefore, we
believe that other domains can profit from those criteria as well. Our contribution is a
set of requirements for the collaboration platform along with the implications for its
construction.
The remainder of this paper is organized as follows: Section 2 discusses related
work. Section 3 describes the used methodology. Section 4 sketches the results of the
first workshop with the energy providers. The planned modules for our collaboration
platform are shown in Sect. 5. In Sect. 6, we describe the design criteria for the
collaboration platform collected from energy providers.
2. Related Work
2.1. Collaboration platforms and expertise sharing
The “endeavor to understand the nature and characteristics of cooperative work with
the objective of designing adequate computer-based technologies.” (Bannon &
Schmidt 1989) has always been the aim of Computer Supported Cooperative Work
(CSCW). Therefore, collaboration platforms have been a major field of research in
CSCW. Inside this field, the aspect of inter-organizational needs for such platforms
can be studied. While ‘inter-organizational information systems’ (IOIS) are
automated information systems shared by two or more organizations (Cash &
Konsynski 1985), CSCW applications provide “capabilities beyond simple
information access to facilitate communication and collaboration among partners”
(Drury & Scholtz 2005). The term ‘knowledge sharing’ is used for artifact-centered
studies, while the communication-centered ‘expertise sharing’ focuses on the actor
(Ackerman et al. 2013). Further, expertise sharing focuses on the “self-organized
activities of the organization’s members and emphasizes the human aspects”
(Ackerman et al. 2013). There have been a number of studies of expertise sharing in
CSCW in different fields of application: For example, Doherty et al. (Doherty et al.
2012) studied inter-organizational coordination mechanisms in software
development and Hobson et al. (Hobson et al. 2011) studied the information sharing
needs and practices in municipal governments. Bharosa et al. (Bharosa et al. 2010)
conducted a study on multi-agency disaster response and identified the problem that
“actual level of information sharing across different organizations is often limited,
although it is being promoted”. For energy providers the German association of
municipal corporations "Verband kommunaler Unternehmen" (VKU) offers an
efficiency comparison/benchmark, but unfortunately no online platform is offered.
2.2. Shared Risk Analysis, ISMS and Stakeholders' Engagement
Karlsson et al. (Karlsson et al. 2015) consider ISMSs for managing information systems in
inter-organizational collaborations. The difference to our use case is that the energy
providers do not collaborate in the sense of sharing business processes. The reason
for them to use our collaboration platform would be that they face the same
challenges and are able to exchange experiences. Faily (Faily 2014) reports on
engaging stakeholders in the design of a secure system. Our platform also aims to
engage the stakeholders; not on the system itself but rather on sharing experience and
expertise on how to design secure systems.
When it comes to implementing information security policies in organizations, Arif
(Arif 2011) studied five factors which determine the willingness to comply with
these policies: culture, awareness, training, risk perception and reinforcement. In his
study, the cultural factor was the most impactful. Reichard et al. (Reichard et al.
2011) studied barriers to the successful implementation of such policies and how to
overcome them. Like Arif, they stress the importance of a “security culture” in the
organization. Moreover, they stress the need for collaborative implementation of
such policies. Another related factor in the successful introduction of IT-security
policies identified by Reichard et al. is that the principles and benefits of IT-security
have to be communicated and “sold” to the organization.
Apart from that, in the US the concept of Information Sharing Analysis Centers
(ISACs) can be found. Those non-profit organizations gather and analyze IT
security-related information within critical infrastructure sectors (e.g. electricity) and
provide analysis results, security strategies and general information to their members.
In contrast to that, our approach focuses more on the individual assessing and
benchmarking of the energy provider's security level (ISAC Council 2004).
3. Methodology
In order to elicit the target group-specific requirements, three two-hour workshops
with different stakeholder groups were conducted. In total, eleven experts from eight
energy providers attended the workshops. Most participants were IT security officers
or IT managers from energy providers, but also representatives from national interest
groups were present.
Seven experts from six different energy providers attended the first workshop. After
an introductory talk by the organizer, each of the attendees introduced themselves
based on a short questionnaire which addressed, for instance, general characteristics
of their company and their experience in IT security. Afterwards, the experts were
invited to discuss the platform’s requirements and their expectations in a moderated
discussion.
The workshop’s results were subsequently discussed in an additional internal
design workshop, in which eight members from the project partners were involved. As
a result, several mockups visualizing the platform’s functionalities were sketched.
In another workshop, five experts from six energy providers attended as well as three
employees from two interest groups. After the mockups had been presented, the
discussion, which was moderated using the card technique, was opened. The
participants were asked to formulate the platform’s must-have and nice-to-have
requirements on different colored cards. After 10 minutes, the cards were collected
and sorted into content-related clusters on a pin board. Then, all cards were discussed
in an open discussion.
4. Energy Providers' Needs
Before we started to design our platform, we collected the energy providers'
requirements for a collaboration platform. Our assumption was that for the
communication between the energy providers, a web-based solution which allows
asynchronous communication is most helpful, mainly because there is no need to
install additional software, which lowers the threshold to participate. This was
confirmed by the energy providers during the workshop. The following modules
were considered helpful by the energy providers: a wiki, a forum, a questions and
answers module, a glossary, training modules for further education for security
officers and other employees, checklists, a place to exchange documents,
benchmarks, security assessment modules and a general module to support the
launch of an ISMS.
5. A Platform Supporting Security Management
From the results of the first workshop with the energy providers, we inferred that the
most relevant modules for the energy providers which should be implemented in the
1st iteration are:
- A security assessment module, which allows the energy providers to get
  feedback about their security level.
- A security measures module, which provides information and
  recommendation to energy providers about measures which they can
  implement in order to strengthen their IT-security.
- A question and answer module.
All modules should allow the energy providers to give feedback and exchange their
experiences. We describe them below:
5.1. Security Assessment Module
The security assessment module follows a questionnaire-based quantitative
methodology (Frangopoulos et al. 2014). The module allows energy providers to
perform a self-assessment in order to assess and to improve their current IT security
level. This is done by answering an online questionnaire which is provided on the
proposed platform (see Figure 1). The answers of other energy providers to these
questions are also shown in aggregated form in order to allow the user to compare
his/her organization to others. Additionally, the best rated questions asked by other
community members related to the current topic are also shown.
Figure 1: Mockup of the Security Assessment Module
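The aggregated peer comparison described above, as an added example that is not code from the paper or the SIDATE platform; it goes beyond the text by withholding the aggregate when too few peers have answered, since a mean over one or two providers would expose their individual answers. The questionnaire, its ISO/IEC 27002 mapping, the 0..4 scores and the threshold of three peers are assumptions constructed for this example.

```python
from statistics import mean, median
from typing import Dict, List, Optional

# Minimum number of *other* providers that must have answered a question
# before their aggregate is shown (assumed value; the paper names none).
MIN_PEERS = 3

# Constructed questionnaire: question id -> ISO/IEC 27002 control it covers.
QUESTIONS: Dict[str, str] = {
    "q1": "A.9.2.3 Management of privileged access rights",
    "q2": "A.12.6.1 Management of technical vulnerabilities",
    "q3": "A.12.3.1 Information backup",
}

# Constructed answers: provider id -> question id -> maturity score 0..4.
ANSWERS: Dict[str, Dict[str, int]] = {
    "provider-A": {"q1": 3, "q2": 1, "q3": 2},
    "provider-B": {"q1": 4, "q2": 2, "q3": 3},
    "provider-C": {"q1": 2, "q2": 2, "q3": 1},
    "provider-D": {"q1": 3, "q2": 0, "q3": 4},
}

Aggregate = Dict[str, float]


def peer_aggregate(answers: Dict[str, Dict[str, int]], me: str, question: str,
                   min_peers: int = MIN_PEERS) -> Optional[Aggregate]:
    """Aggregate the other providers' scores for one question.

    Returns None when fewer than min_peers other providers answered, so the
    UI shows "not enough data" rather than a value that identifies a peer.
    """
    peers: List[int] = [a[question] for pid, a in answers.items()
                        if pid != me and question in a]
    if len(peers) < min_peers:
        return None
    return {"n": len(peers), "mean": round(mean(peers), 2),
            "median": median(peers)}


def benchmark(answers: Dict[str, Dict[str, int]], me: str) -> Dict[str, dict]:
    """Compare provider `me` with the aggregated peers for every question."""
    report: Dict[str, dict] = {}
    for q, control in QUESTIONS.items():
        own = answers.get(me, {}).get(q)
        agg = peer_aggregate(answers, me, q)
        # Negative gap: this provider scores below the peer mean.
        gap = None if own is None or agg is None else round(own - agg["mean"], 2)
        report[q] = {"control": control, "own": own, "peers": agg, "gap": gap}
    return report


def weakest_controls(report: Dict[str, dict]) -> List[str]:
    """Question ids where the provider scores below the peer mean, worst first;
    this is the feedback the module turns into improvement hints."""
    below = [(q, r["gap"]) for q, r in report.items()
             if r["gap"] is not None and r["gap"] < 0]
    return [q for q, _ in sorted(below, key=lambda item: item[1])]


if __name__ == "__main__":
    result = benchmark(ANSWERS, "provider-A")
    for qid, row in result.items():
        print(qid, row["control"], "own:", row["own"], "peers:", row["peers"])
    print("below peer mean:", weakest_controls(result))
```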
5.2. Question and Answer Module
In the questions and answers module registered users can ask questions related to IT-
security. These questions can be categorized by tags and be assigned to ISO/IEC
27002 controls.
Figure 2: Mockup of the Questions and Answers Module
A side bar on the right (see Figure 2) allows users to select these tags and controls to
filter the questions. Questions can be answered by other users, and answers can be
marked as correct by the user who posted the question. Additionally, questions and
answers can be rated and either sorted by rating or creation date.
5.3. Security Measures Module
The security measures module is a catalogue of security measures, which is
maintained by security experts. Each security measure is categorized by one or more
tags and assigned to one or more specific ISO/IEC 27002 controls. Users can
comment on the measures and rate them according to their costs, efficacy and
usability.
Figure 3: Mockup of the Security Measures Module
6. Elicitation of Criteria for the Fundamental Platform Design
In the second workshop with the energy providers, we presented the created
mockups to the participants to show the possible functionality of the proposed
platform. Then we asked them to write down mandatory and nice-to-have
requirements the platform has to fulfil to be usable for them. We got 28 individual
answers that we could cluster into four major categories: (1) platform members, (2)
confidentiality/data privacy, (3) integration into existing workflows, (4) general
usability of the platform. After we had clustered the participants’ answers, we
discussed each category to expose the motivations behind the requirements and
initial approaches to a solution.
6.1. Platform Participants and Data Privacy
The categories platform members and confidentiality/data privacy were discussed
together because of several overlaps between them. As expected, we found
that participants had serious concerns about the privacy of the sensitive
IT-security-related data they would share across the platform. However,
these concerns basically did not refer to the platform itself or its operator but to other
platform members.
While it seems to be acceptable to share information with other energy providers,
or rather their employees, participants were worried about the participation of
external experts like information security consultants or lawyers. Even if they see an
advantage in the qualified and skilled feedback from such persons, we discovered
two significant concerns we have to deal with. (1) External experts could misuse the
platform for advertising purposes and could flood energy providers with personalized
offers based on the platform content. (2) Non-reliable platform members could use
the visible content and questions by individual energy providers to identify and make
use of possible security flaws.
Based on these initial insights, we developed and discussed several approaches with
the workshop participants in order to find possible solutions that protect the energy
providers’ data and identity on the one hand and make use of the expertise from third
parties on the other hand. While some of the approaches that are listed below are
mutually exclusive, others complement each other.
- It is necessary that the platform supports restricted and moderated access
  for new members. Individuals or organizations that intend to participate in
  the platform need to be validated by the platform operator and have to agree
  to suitable terms of use in order to get access.
- Different UI views based on the user’s organization and role could be used
  to anonymize individuals and organizations to external experts. While
  energy providers are able to see each other's questions, answers and other
  activities, other participants can only see the content but not the
  corresponding author. Energy providers should be able to rate the experts’
  contributions in order to improve their reputation. Instead of getting
  unwanted advertising, the energy providers can now proactively inquire about
  consultancy services based on the experts’ reputation.
- Instead of giving experts access to the platform, energy providers should be
  able to mark their contribution as expert approved. This means that the
  contribution rests on the result of a consultancy service or legal advice the
  respective user made use of before. This approach completely excludes
  third parties from the platform and only allows the indirect passing of
  experts’ assessments and opinions via the energy providers.
- As reliable organizations, the interest groups for energy providers could
  undertake the role of experts on the platform and contribute to energy
  providers’ questions. However, the participating representatives of the
  interest groups in the workshop made clear that they do not have the profound
  expertise needed to give sufficient answers to all questions. The only practicable
  approach is for them to inform about legal changes and regulations on
  information security for energy providers.
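One way to realize the restricted access, the role-based views and the expert rating from the approaches above, as an added example that is not code from the paper or the SIDATE platform. The role names, the Member and Question records, the 1..5 rating scale, the own-organization check on free text and the sample members are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional

PROVIDER, EXPERT, INTEREST_GROUP = "provider", "expert", "interest_group"


@dataclass
class Member:
    user_id: str
    org: str
    role: str
    validated: bool = False       # set by the platform operator after vetting
    accepted_terms: bool = False  # has agreed to the terms of use


@dataclass
class Question:
    qid: int
    author: str                   # user_id of the asking provider
    org: str                      # organization of the asking provider
    text: str
    tags: List[str] = field(default_factory=list)


def may_access(member: Member) -> bool:
    """Restricted, moderated access: the operator has validated the member
    and the member has accepted the terms of use."""
    return member.validated and member.accepted_terms


def render_question(q: Question, viewer: Member) -> Dict[str, object]:
    """Project a question onto the view the viewer's role permits.

    Energy providers see each other's authorship; every other role (external
    experts, interest groups) sees the content only, so a question cannot be
    mapped to the organization that asked it.
    """
    if not may_access(viewer):
        raise PermissionError(f"{viewer.user_id} has no platform access")
    view: Dict[str, object] = {"qid": q.qid, "text": q.text, "tags": list(q.tags)}
    if viewer.role == PROVIDER:
        view["author"], view["org"] = q.author, q.org
    else:
        view["author"], view["org"] = None, None
    return view


def mentions_own_org(q: Question) -> bool:
    """Hiding the author field is useless if the free text names the
    organization; flag such questions to the author before publishing."""
    return q.org.lower() in q.text.lower()


class Reputation:
    """Energy providers rate experts' contributions (scale 1..5, an
    assumption); experts cannot rate themselves or each other."""

    def __init__(self) -> None:
        self._scores: Dict[str, List[int]] = {}

    def rate(self, rater: Member, expert: Member, score: int) -> None:
        if rater.role != PROVIDER or expert.role != EXPERT:
            raise PermissionError("only providers may rate experts")
        if not 1 <= score <= 5:
            raise ValueError("score must be between 1 and 5")
        self._scores.setdefault(expert.user_id, []).append(score)

    def score(self, expert_id: str) -> Optional[float]:
        scores = self._scores.get(expert_id)
        return round(mean(scores), 2) if scores else None


# Constructed sample members and questions (placeholder names).
ALICE = Member("alice", "Stadtwerke Musterstadt", PROVIDER, True, True)
BOB = Member("bob", "Stadtwerke Beispielhausen", PROVIDER, True, True)
CAROL = Member("carol", "Beratung GmbH", EXPERT, True, True)
DAVE = Member("dave", "Beratung GmbH", EXPERT, validated=False, accepted_terms=True)

Q1 = Question(1, "alice", "Stadtwerke Musterstadt",
              "How do others document the yearly review of access rights?",
              ["ISMS", "access control"])
Q2 = Question(2, "alice", "Stadtwerke Musterstadt",
              "At Stadtwerke Musterstadt no incident manager is appointed yet; "
              "how did you handle this?")


if __name__ == "__main__":
    print(render_question(Q1, BOB))    # provider view: author and org visible
    print(render_question(Q1, CAROL))  # expert view: author and org are None
    print(mentions_own_org(Q2))        # True: the text would de-anonymize the org
```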
6.2. Integration into Existing Workflows
The aim of the platform is to support participating energy providers to improve their
information security and fulfill legal regulations. Thus, another important topic we
have discussed with the workshop participants was that the effort they have to put
into using the platform must not exceed the potential benefit. Several requirements
given by the participants dealt with the question of how the platform and its
functionality can be integrated into users’ existing workflows.
- As a result of the self-assessment module, the platform should provide
  individual checklists and tools that help the users implement the required
  information security measures. In a first step this should predominantly aim
  at the fulfillment of statutory provisions (in the case of energy providers in
  Germany, the implementation of an ISMS according to ISO/IEC 27001).
- The self-assessment should also contribute to internal information
  security audits, e.g. the regular validation of measures and processes.
- It should be possible to export results from the self-assessment to reuse them
  for internal reports (e.g. to be presented to the management) or other
  processes and workflows like the information-security-related controlling.
6.3. General Usability of the Platform
The remaining requirements that came up during the workshop focused on the
general usability and will only be described briefly here because of their generality.
Essentially the participants expect that the content on the platform is well-structured
and maintained. There should be a moderator who leads discussions to an outcome,
ensures that new topics/questions are created in the right section and prevents
duplicates. Also the platform has to be up to date and deprecated content needs to be
marked as such.
7. Conclusion and Future Work
Due to new regulatory requirements for critical infrastructures, especially small and
medium-sized energy providers struggle to get their IT security certified. Because
they face very similar challenges, we proposed a new concept for a collaboration
platform in order to support them in collaboratively improving their IT security.
To elicit the specific requirements of how such a platform should be designed, we
conducted workshops with different stakeholder groups. As a result, we identified a
set of functions and requirements which the platform has to fulfill.
There are three elementary modules. The security assessment module, for assessing
and benchmarking the energy provider's security level, plays a central role. The
second module is the security measures module which describes the most relevant IT
security measures including the practical experiences by other energy providers.
Finally, there is the questions and answers module which allows them to share their
experiences with both other energy providers as well as with external experts.
Because the platform processes highly sensitive data, aspects in regard to data
privacy have a very high priority for the stakeholders. This includes, for instance,
having different UI views to anonymize individuals and organizations to external
experts, and having a restricted and moderated access for new members. Also the
integration into existing workflows plays a central role. For example the self-
assessment should provide individual checklists and tools according to the ISO/IEC
27001 and should contribute to the internal information security audit. Besides that,
the general usability of the platform was mentioned as an essential requirement.
The next step is to implement the proposed concept and to iteratively refine the
platform's functions based on user feedback. As future work, it would be interesting
to analyse to what extent the platform can be transferred to other domains.
8. Acknowledgement
This research was developed in the context of the project SIDATE which is funded
by the German Federal Ministry of Education and Research (BMBF) within its
funding priority “IT Security for Critical Infrastructures”. Grant numbers:
16KIS0239K, 16KIS0240.
9. References
Ackerman, M.S. et al., 2013. Sharing Knowledge and Expertise: The CSCW View of
Knowledge Management. Computer Supported Cooperative Work (CSCW), 22(4-6), pp.531–
573.
Arif, M., 2011. What Matters Most Among Human Factors to Comply With Organisation's
Information Security Policy? In 5th International Symposium on Human Aspects of
Information Security and Assurance, HAISA 2011, London, UK, July 7-8, 2011. Proceedings.
pp. 35–46.
Bannon, L.J. & Schmidt, K., 1989. CSCW - Four Characters in Search of a Context. DAIMI
Report Series, 18(289).
Bharosa, N., Lee, J. & Janssen, M., 2010. Challenges and obstacles in sharing and
coordinating information during multi-agency disaster response: Propositions from field
exercises. Information Systems Frontiers, 12(1), pp.49–65.
Cash, J.I. & Konsynski, B.R., 1985. IS Redraws Competitive Boundaries. Harvard Business
Review, 63, pp.134–142.
Doherty, G., Karamanis, N. & Luz, S., 2012. Collaboration in Translation: The Impact of
Increased Reach on Cross-organisational Work. Computer Supported Cooperative Work
(CSCW), 21(6), pp.525–554.
Drury, J. & Scholtz, J., Evaluating Inter-Organizational Information Systems. In Inter-
Organizational Information Systems in the Internet Age, pp. 266–296.
Faily, S., 2014. Engaging Stakeholders in Security Design: An Assumption-Driven Approach.
In Eighth International Symposium on Human Aspects of Information Security & Assurance,
HAISA 2014, Plymouth, UK, July 8-9, 2014. Proceedings. pp. 21–29.
Frangopoulos, E.D., Eloff, M.M. & Venter, L.M., 2014. Human Aspects of Information
Assurance: A Questionnaire-based Quantitative Approach to Assessment. In Eighth
International Symposium on Human Aspects of Information Security & Assurance, HAISA
2014, Plymouth, UK, July 8-9, 2014. Proceedings. pp. 217–229.
Hobson, S.F. et al., 2011. Towards Interoperability in Municipal Government: A Study of
Information Sharing Practices. In Human-Computer Interaction – INTERACT 2011. Lecture
Notes in Computer Science. Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 233–247.
ISAC Council, 2004. A Functional Model for Critical Infrastructure Information Sharing and
Analysis, White Paper (31 January).
Karlsson, F. et al., 2015. Inter-Organisational Information Sharing - Between a Rock and a
Hard Place. HAISA, pp.71–81.
Reichard, A., Quirchmayr, G. & Wills, C.C., 2011. Challenges in Implementing Information
Security Policies. In 5th International Symposium on Human Aspects of Information Security
and Assurance, HAISA 2011, London, UK, July 7-8, 2011. Proceedings. pp. 22–34.
... Since most of the small and medium sized German energy providers were in a similar situation and they were not directly competing against each other, the idea was to support their collaboration using a web-based platform. For that purpose, we conducted a survey among all German energy providers and elicited criteria from energy providers on how such a platform should be designed [46]. ...
... Besides the surveys, we also got some insights by workshops within the SIDATE project [49] with personnel from energy providers responsible for IT security [46,189]. Since most of the German energy providers were in the same situation and they were not directly competing against each other, the idea was to support their collaboration using a web-based platform. ...
... Since most of the German energy providers were in the same situation and they were not directly competing against each other, the idea was to support their collaboration using a web-based platform. For that purpose, we elicited criteria from energy providers on how such a platform should be designed [46] in the workshops. ...
Thesis
Full-text available
In order to address security and privacy problems in practice, it is very important to have a solid elicitation of requirements, before trying to address the problem. In this thesis, specific challenges of the areas of social engineering, security management and privacy enhancing technologies are analyzed: Social Engineering: An overview of existing tools usable for social engineering is provided and defenses against social engineering are analyzed. Serious games are proposed as a more pleasant way to raise employees’ awareness and to train them. Security Management: Specific requirements for small and medium sized energy providers are analyzed and a set of tools to support them in assessing security risks and improving their security is proposed. Larger enterprises are supported by a method to collect security key performance indicators for different subsidiaries and with a risk assessment method for apps on mobile devices. Furthermore, a method to select a secure cloud provider – the currently most popular form of outsourcing – is provided. Privacy Enhancing Technologies: Relevant factors for the users’ adoption of privacy enhancing technologies are identified and economic incentives and hindrances for companies are discussed. Privacy by design is applied to integrate privacy into the use cases e-commerce and internet of things.
... Additionally, the LiSRA framework has been integrated into the SIDATE security management web platform which has been developed in Liferay 7.0 [33]. The user enters the organisation's maturity levels in the data input section (see Fig. 9), whereupon all the risks are graphically represented in the risk representation section (see Fig. 10). ...
... For another study, the concerns of sharing sensitive data in the security management platform have been analysed, including the implemented LiSRA framework [33]. Two workshops have been conducted with experts from small and medium-sized energy providers (seven experts from six energy providers in the first workshop; six experts from five energy providers in the second workshop). ...
Article
Full-text available
Information security risk assessment frameworks support decision-makers in assessing and understanding the risks their organisation is exposed to. However, there is a lack of lightweight approaches. Most existing frameworks require security-related information that are not available and that are very challenging to gather. So they are not suitable in practice, especially for small and medium-sized enterprises (SMEs) who often lack in data and in security knowledge. On the other hand, other explicit SME approaches have far less informative value than the proposed framework. Moreover, many approaches only provide extensive process descriptions that are challenging for SMEs. In order to overcome this challenge, we propose LiSRA, a lightweight, domain-specific framework to support information security decision-making. It is designed with a two-sided input where domain experts initially provide domain-specific information (e.g. attack scenarios for a specific domain), whereupon users can focus on specifying their security practices and organisational characteristics by entering information that many organisations have already collected. This information is then linked to attack paths and to the corresponding adverse impacts in order to finally assess the total risk. Moreover, LiSRA can be used to get transparent recommendations for future security activities and presents detailed insights on the mitigating effects of each recommendation. The security activities are being evaluated taking into account the security activities already in place, and also considering the dependencies between multiple overlapping activities that can be of complementary, substitutive or dependent nature. Both aspects are ignored by most existing evaluation approaches which can lead to an over-investment in security. A prototype has been implemented, and the applicability of the framework has been evaluated with performance and robustness analyses and with initial qualitative evaluations.
... It enables energy providers to assess their security level and to improve their security also by interorganisational discussions. We systematically elicited the requirements in several workshops (Dax et al. 2016). The platform consists of four main components aiming to support knowledge sharing between the organisations:  Security measures catalogue: The security measures component is a catalogue of security measures which is maintained by security experts. ...
Conference Paper
Full-text available
A web-based platform was developed to support the inter-organisational collaboration between small and medium-sized energy providers. Since critical infrastructures are subject to new security regulations in Germany, the platform particularly serves for the exchange of experience and for mutual support in information security. The focus of this work is the security self-assessment component. In order to ease the burden of going through a long questionnaire we have implemented small, motivating modules that are spread across the platform. The data entered is used for an individual risk assessment but also for a fine granular inter-organisational security benchmarking which builds a common added value for the entire community on the platform and strengthens the community building process. We implemented a prototype of the platform and evaluated the it in a focus group.
Article
The recent developments in web technologies, pervasive and ubiquitous systems and networks, cloud and highly distributed computing systems, and the availability of massive amounts of data have changed the field of computer supported collaboration, particularly with the emergence of new capabilities and forms of collaboration both locally and remotely. These developments and capabilities present new challenges and issues as well. The purpose of this special issue on Advanced Technologies and Systems for Collaboration and Computer Supported Cooperative Work is to discuss cutting-edge research in the field of collaboration technologies and systems. The core contributions in this special issue are based on substantially extended versions of the most relevant manuscripts of the 2016 International Conference on Collaboration Technologies and Systems (CTS 2016). In this editorial, we also provide some observations from the last 10 years of CTS conferences in order to identify the major research areas covered by the papers that have been presented. The highlights and comments are presented in chronological order and from a comparative perspective, along with a discussion of several research trends which may shape the next decade in this important subject matter.
Conference Paper
System stakeholders fail to engage with security until comparatively late in the design and development process. User Experience artefacts like personas and scenarios create this engagement, but creating and contextualising them is difficult without real-world, empirical data; such data cannot be easily elicited from disengaged stakeholders. This paper presents an approach for engaging stakeholders in the elicitation and specification of security requirements at a late-stage of a system's design; this approach relies on assumption-based personas and scenarios, which are aligned with security and requirements analysis activities. We demonstrate this approach by describing how it was used to elicit security requirements for a medical research portal.
Article
This chapter describes different means of evaluating the usability and suitability of computer-based inter-organizational information systems (IOISs). It begins with describing why doing so is important yet difficult, and provides an assessment of the advantages and disadvantages of the major types of evaluation. It continues with a case study focusing on determining whether an application provides the necessary insight into other collaborators' identities, presence, and activities while keeping sensitive information private from a subset of the collaborators. The goal of this chapter is to provide practical guidance to organizations seeking IOISs to help them choose (or develop) an IOIS that best meets their needs.
Conference Paper
Municipal governments rely heavily on the sharing of data between departments as a means to provide high-quality and timely service to their citizens. Common tasks such as parcel renovations require the involvement of multiple departments such as Building, Planning, Zoning, Assessment and Tax to achieve the ultimate goals. However, the software applications used to support the work of these departments are provided by independent software vendors and are not integrated with one another. Therefore, municipal employees rely heavily on manual methods for data sharing. We conducted a study of 12 municipal governments to understand their information sharing needs and practices. We focused on the interaction and information sharing within and between municipal departments. Our findings can be used to shape future research on e-government initiatives and interoperability of municipal applications.
Article
Although various scholars have researched issues regarding disaster management, few have studied the sharing and coordinating of information during disasters. Not much empirical data is available in this field and there is sparse insight into the factors that may impede or facilitate information sharing and coordination among stakeholders. In this paper, we provide an overview of the relevant obstacles and challenges by examining existing literature and then investigating a series of multi-agency disaster management exercises, using observations and a survey. Although all the people who took part in our study agree that sharing information is important, for the success of their own organization as well as the exercise as a whole, the extent to which information is actually being shared among organizations is often limited by a number of factors that can be attributed to the community, agency and individual level. We found that relief workers are often more concerned with receiving information from others than with providing information to others who may benefit. Incentives for sharing information, understanding each other’s work-processes and the usability of information systems have shown positive effects on information sharing and coordination. The findings of our study have been formulated using six grounded propositions, which can be used by system designers and policy-makers upon validation in further research. We also provide directions for future research.
Article
The title of this paper was chosen to highlight the fact that the label CSCW, although widely adopted as the acronym for the field of Computer Supported Cooperative Work, has been applied to computer applications of very different ilk. It is not at all clear what the unique identifying elements of this research area are. This paper provides a framework for approaching the issue of cooperative work and its possible computer support. The core issues are identified and prospects for the field are outlined.
Article
Coping with the increased levels of geographic and temporal distribution of work and the near-ubiquitous accessibility of information fostered by today’s networking technologies has been recognised as one of the greatest challenges facing CSCW research. This trend is reflected in the development of workflow-based tools which cross organisational boundaries, putting pressure on established coordination mechanisms aimed at articulating the work of teams that include co-located and remote members. In this paper, we explore these issues by analysing a localisation activity carried out across organisational boundaries where the pressures for increased distribution and accessibility of information manifest themselves quite clearly both in the way work is specified and in the way it is locally articulated. We look at how the work is realised in practice, and present an analysis based on the coordination mechanisms, awareness mechanisms and communication flows which occur both inside and outside of the formal workflow-support tools. The analysis reveals a wide variety of informal communication, ad-hoc coordination mechanisms and bricolage activities that are used for local articulation and metawork. As well as providing a concrete illustration of the issues caused by increased distribution, beyond those inherent in the complexity of the work, the analysis reveals a number of opportunities for better supporting the work and for the successful integration of new technologies.
Article
Knowledge Management (KM) is a diffuse and controversial term, which has been used by a large number of research disciplines. CSCW, over the last 20 years, has taken a critical stance towards most of these approaches, and instead, CSCW shifted the focus towards a practice-based perspective. This paper surveys CSCW researchers' viewpoints on what has become called 'knowledge sharing' and 'expertise sharing'. These are based in an understanding of the social contexts of knowledge work and practices, as well as in an emphasis on communication among knowledgeable humans. The paper provides a summary and overview of the two strands of knowledge and expertise sharing in CSCW, which, from an analytical standpoint, roughly represent 'generations' of research: an 'object-centric' and a 'people-centric' view. We also survey the challenges and opportunities ahead.