A qualitative study of penetration testers and what they can tell us about information security in organisations

IF 4.9 3区管理学 Q1 INFORMATION SCIENCE & LIBRARY SCIENCE

Information Technology & People Pub Date : 2023-10-10 DOI:10.1108/itp-11-2021-0864

Stefano De Paoli, Jason Johnstone

{"title":"A qualitative study of penetration testers and what they can tell us about information security in organisations","authors":"Stefano De Paoli, Jason Johnstone","doi":"10.1108/itp-11-2021-0864","DOIUrl":null,"url":null,"abstract":"Purpose This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts. Design/methodology/approach The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis. Findings The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation. Originality/value This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.","PeriodicalId":47740,"journal":{"name":"Information Technology & People","volume":"10 1","pages":"0"},"PeriodicalIF":4.9000,"publicationDate":"2023-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Technology & People","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1108/itp-11-2021-0864","RegionNum":3,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"INFORMATION SCIENCE & LIBRARY SCIENCE","Score":null,"Total":0}

引用次数: 0

Abstract

Purpose This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts. Design/methodology/approach The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis. Findings The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation. Originality/value This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.

查看原文本刊更多论文

对渗透测试人员的定性研究，以及他们能告诉我们的有关组织信息安全的信息

本文对渗透测试进行了定性研究，即攻击信息系统以发现安全漏洞并修复它们的实践。本文的目的是了解渗透测试是否以及在多大程度上可以揭示组织中信息安全的各种社会组织因素。在此过程中，本文运用常规活动理论与信息系统概念现象学进行理论创新。日常活动理论和现象学的结合是从数据分析中归纳出来的。数据包括与渗透测试人员进行的24次定性访谈，并进行专题分析。最初的假设是，渗透测试人员类似于犯罪情况下的罪犯，处理目标和缺乏有能力的监护人。一个关键的发现是，渗透测试人员将他们的目标描述为一个已安装的基础，突出了使目标合适的漏洞如何经常从现有构建的数字环境的属性中出现。这包括被遗忘或缺乏持续维护的系统。此外，渗透测试人员强调，尽管测试经常以计划好的方法为基础，但他们经常求助于偶然的实践，比如即兴创作。原创性/价值本文对理论做出了贡献，展示了日常活动理论和现象学概念如何在信息安全的社会组织因素研究中协同工作。这一贡献源于考虑到许多关于信息安全的研究侧重于组织的内部行为。将渗透测试作为真实攻击的代理进行研究，可以对组织中信息安全的社会组织因素产生新的见解。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Information Technology & People INFORMATION SCIENCE & LIBRARY SCIENCE-

CiteScore

8.20

自引率

13.60%

发文量

121

期刊介绍： Information Technology & People publishes work that is dedicated to understanding the implications of information technology as a tool, resource and format for people in their daily work in organizations. Impact on performance is part of this, since it is essential to the well being of employees and organizations alike. Contributions to the journal include case studies, comparative theory, and quantitative research, as well as inquiries into systems development methods and practice.