A qualitative study of penetration testers and what they can tell us about information security in organisations

Impact Factor 4.9 | JCR Zone 3, Management | Q1 INFORMATION SCIENCE & LIBRARY SCIENCE | Information Technology & People | Pub Date: 2023-10-10 | DOI: 10.1108/itp-11-2021-0864
Stefano De Paoli, Jason Johnstone
Citations: 0

Abstract

Purpose

This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts.

Design/methodology/approach

The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis.

Findings

The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, they often resort to serendipitous practices such as improvisation.

Originality/value

This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.
Source journal

Information Technology & People (INFORMATION SCIENCE & LIBRARY SCIENCE)
CiteScore: 8.20
Self-citation rate: 13.60%
Articles published: 121
Journal description: Information Technology & People publishes work that is dedicated to understanding the implications of information technology as a tool, resource and format for people in their daily work in organizations. Impact on performance is part of this, since it is essential to the well-being of employees and organizations alike. Contributions to the journal include case studies, comparative theory, and quantitative research, as well as inquiries into systems development methods and practice.