{"title":"对渗透测试人员的定性研究,以及他们能告诉我们的有关组织信息安全的信息","authors":"Stefano De Paoli, Jason Johnstone","doi":"10.1108/itp-11-2021-0864","DOIUrl":null,"url":null,"abstract":"Purpose This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts. Design/methodology/approach The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis. Findings The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation. Originality/value This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.","PeriodicalId":47740,"journal":{"name":"Information Technology & People","volume":"10 1","pages":"0"},"PeriodicalIF":4.9000,"publicationDate":"2023-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A qualitative study of penetration testers and what they can tell us about information security in organisations\",\"authors\":\"Stefano De Paoli, Jason Johnstone\",\"doi\":\"10.1108/itp-11-2021-0864\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Purpose This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts. Design/methodology/approach The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis. Findings The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation. Originality/value This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.\",\"PeriodicalId\":47740,\"journal\":{\"name\":\"Information Technology & People\",\"volume\":\"10 1\",\"pages\":\"0\"},\"PeriodicalIF\":4.9000,\"publicationDate\":\"2023-10-10\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Information Technology & People\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1108/itp-11-2021-0864\",\"RegionNum\":3,\"RegionCategory\":\"管理学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"INFORMATION SCIENCE & LIBRARY SCIENCE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Technology & People","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1108/itp-11-2021-0864","RegionNum":3,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"INFORMATION SCIENCE & LIBRARY SCIENCE","Score":null,"Total":0}
A qualitative study of penetration testers and what they can tell us about information security in organisations
Purpose This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts. Design/methodology/approach The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis. Findings The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation. Originality/value This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.
期刊介绍:
Information Technology & People publishes work that is dedicated to understanding the implications of information technology as a tool, resource and format for people in their daily work in organizations. Impact on performance is part of this, since it is essential to the well being of employees and organizations alike. Contributions to the journal include case studies, comparative theory, and quantitative research, as well as inquiries into systems development methods and practice.