October 2024 · 7 Reads
May 2024 · 3 Reads · 3 Citations
July 2023 · 13 Reads
System administrators, similar to end users, may delay or avoid software patches, also known as updates, despite the impact their timely application can have on system security. These admins are responsible for large, complex, amalgamated systems and must balance the security-related needs of their organizations, which would benefit from the patch, with the need to ensure that systems continue to run unimpeded. In this paper, we present a case study which follows the online life-cycle of a pair of Microsoft patches. We find that communities of sysadmins have evolved sophisticated mechanisms to perform risk assessments that are centred around collecting, synthesizing, and generating information on patches. These communities span different Virtual Communities of Practice, as well as influencers who monitor and report on the impact of new patches. Information is propagated and aggregated across blogs, forums, websites, and mailing lists, eventually resulting in a consensus around the risk of a patch. Our findings highlight the role that these communities play in informing risk management decisions: patch information is not static, and it transforms as communities collaborate to understand patch issues.
January 2023 · 60 Reads · 2 Citations
October 2021 · 1,415 Reads · 21 Citations
Proceedings of the ACM on Human-Computer Interaction
Malicious communications aimed at tricking employees are a serious threat to organizations, necessitating the creation of procedures and policies for quickly responding to ongoing attacks. While automated measures provide some protection, they cannot completely protect an organization. In this case study, we use interviews and observations to explore the processes staff at a large university use when handling reports of malicious communication, including how the help desk processes reports, whom they escalate them to, and how teams who manage protections such as the firewalls and mail relays use these reports to improve defenses. We found that the process and work patterns are a distributed cognitive process requiring multiple distinct teams with narrow system access and tacit knowledge. Sudden large campaigns were found to overwhelm the help desk with reports, greatly impacting staff's workflow and hindering the effective application of mitigations and the potential for reflection. We detail potential improvements to ticketing systems and reflect on ITIL, a common framework of best practice in IT management.
May 2021 · 36 Reads · 9 Citations
Lecture Notes in Computer Science
The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate level using semi-structured interviews. We find that the attitudes of students already match many of those that have been observed in professional-level developers. Students have a range of hacker and attack mindsets, a lack of experience with security APIs, a mixed view of who is in charge of S&P in the software life cycle, and a tendency to trust other people's code as a convenient approach to rapidly build software. We discuss the impact of our results on both curriculum development and support for professional developers.
March 2021 · 108 Reads
September 2020 · 185 Reads · 15 Citations
Applying regular patches is vital for the timely correction of security vulnerabilities, but installing patches also risks disrupting working systems by potentially introducing unknown errors. System administrators must manage the challenges of patching using a combination of reliance on best practice and available information to best match their organizations' needs. In this work, we study how patch-related activities are supported by the mailing list of the website PatchManagement.org, which is dedicated to the task. We qualitatively coded 356 list emails sent between March and July 2018 to understand how members interact with the list community. Based on our results, we argue that the mailing list is an example of an Online Community of Practice, where practitioners engage in communal learning and support. We find that the community supports members in multiple phases of the patching process by providing workarounds before a patch is available, guidance on prioritizing released patches, and help with post-patch trouble. Additionally, the community provides help with tool selection and facilitates discussions.
September 2019 · 54 Reads · 10 Citations
... update notes can hinder the decision and implementation process, exposing systems to often unnecessary risks. The main recommendation of the article, which stands as its lesson learned, is the separation of security updates from feature updates, so as to simplify management and improve the overall security of computer systems. [Jenkins et al. 2024] address patch management practices among system administrators and how the work context influences those practices. To that end, the authors collected data from 220 system administrators from various organizations, examining factors such as the availability of test environments and the use of Anais do SBSeg 2024: Art ...
May 2024
... Qualitative research is a method of inquiry that involves collecting and analyzing non-numerical data, such as text, audio, or video, to gain insights into concepts, opinions, or experiences [42]. It has been used in various fields, including medicine [43], social sciences [44], and usable security [45], and has led to valuable contributions to our understanding of many real-world problems. In this study, we employ the approach of qualitative coding to minimize the subjectivity in human judgment and create a structured representation of phishing emails that is likely to be reproducible by other researchers. ...
January 2023
... These simulators replicate the various types of phishing attacks, including email, phone, and SMS-based attacks, enabling organizations to experience the impact of a phishing attack without the risk of actual compromise (Naqvi et al. 2023). Phishing simulators offer numerous benefits: simulators enable organizations to test and refine their incident response plans, ensuring they are prepared to respond effectively in the event of a real-world phishing attack (Althobaiti et al. 2021). Simulators help to educate employees on the dangers of phishing, improving their ability to identify and report suspicious emails (Wen et al. 2019). ...
October 2021
Proceedings of the ACM on Human-Computer Interaction
... The results revealed that participants lack the necessary knowledge and awareness of security principles, and their importance is often underestimated. In the same context, Tahaei et al. (2021) analyzed the perceptions of a group of Computer Science students (n = 20) from a university in Edinburgh (UK), finding a lack of awareness of security and privacy issues. Alharbi and Tassaddiq (2021) analyzed knowledge of cybersecurity in undergraduate students (n = 576) from Majmaah University (Saudi Arabia), finding that participants were unaware of the concept of cybersecurity and lacked knowledge of good practices in terms of secure data management. ...
September 2019
... Another problem is that the information is often distributed across different sources and users have to tediously gather and filter it [7,10]. Trustworthiness of the sources also plays a role [6], which CSAF ingrained in its design, as CSAF trusted providers have to sign and hash their advisories [11]. ...
September 2020