Caring for IT Security: Accountabilities, Moralities, and Oscillations in IT Security Practices

Published: 01 November 2018

Abstract

Despite being considered a fundamental issue in the design, use, and appropriation of digital technologies, IT security has so far received little attention in CSCW. Approaches in Human-Computer Interaction and Software Engineering do not account appropriately for the weave of dispersed practices that it takes to 'do' IT security: practices that involve a heterogeneous set of actors and unfold at diverse sites and across organizational, legal, and professional boundaries. In this paper we propose to conceive of IT security through the lens of care, a notion that we draw from Science and Technology Studies. Caring for IT security requires continuous, often invisible work that relies upon tinkering and experimentation and addresses perennial oscillations between in-/securities. Caring for IT security, then, engages with established accountabilities and cultivates a moral stance that refrains from blaming insecurities on single actors. We conclude by outlining a caring approach to IT security for CSCW.


Published In

Proceedings of the ACM on Human-Computer Interaction, Volume 2, Issue CSCW
November 2018
4104 pages
EISSN: 2573-0142
DOI: 10.1145/3290265

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. care
2. hacking
3. it security
4. maintenance and repair
5. software development
6. software engineering
7. tinkering
8. usable security
