Understanding IT Security Administration through a Field Study

The security administration of large organizations is exceptionally challenging due to the increasingly large numbers of application instances, resources, and users; the growing complexity and dynamics of business processes; and the spiralling volume of change that results from the interaction of the first two factors. Yet little is known about security administrators, their roles and responsibilities within organizations, and how effective existing tools and practices are at protecting organizations and employees while still allowing productive collaborative work. We report a descriptive qualitative study of IT security administrators, their tasks and tools, the organizations in which they reside, and their information technology. This field study comprises the first phase of the project Human, Organization, and Technology Centred Improvement of IT Security Administration. It used ethnographic methods to investigate security administrators in their work settings in order to understand and model their tasks as well as the effectiveness and usability of the tools they currently use to perform these tasks. It obtained inventories of tasks and tools sufficient for the development of models, theories, and guidelines of security administration.