A qualitative study of penetration testers and what they can tell us about information security in organisations

IF 4.9 | Zone 3, Management | Q1 INFORMATION SCIENCE & LIBRARY SCIENCE
Stefano De Paoli, Jason Johnstone
DOI: 10.1108/itp-11-2021-0864
Journal: Information Technology & People
Published: 2023-10-10 (Journal Article)
Citations: 0

Abstract

Purpose: This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts.

Design/methodology/approach: The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis.

Findings: The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation.

Originality/value: This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.
Source journal: Information Technology & People (INFORMATION SCIENCE & LIBRARY SCIENCE)
CiteScore: 8.20
Self-citation rate: 13.60%
Articles published: 121
Journal description: Information Technology & People publishes work that is dedicated to understanding the implications of information technology as a tool, resource and format for people in their daily work in organizations. Impact on performance is part of this, since it is essential to the well-being of employees and organizations alike. Contributions to the journal include case studies, comparative theory, and quantitative research, as well as inquiries into systems development methods and practice.