Behavioral Studies with IT-Administrators - Updating in Complex Environments and Securing Web Servers

Abstract

Up until the turn of the millennium, research in the field of IT security mainly focused on the technical aspects of security mechanisms. Since then, the human factor has become more and more important and sparked research in the very broad field of usable security and privacy. In this field, researchers study the human-aspects of security systems, such as understanding security mechanisms and user-behavior when it comes to picking passwords or updating their systems. <br /> While these works mainly focused on end users, recently, expert users have become the subject of research as well. In understanding developers and administrators, we can identify problems they face in performing security-relevant tasks and developing systems that support them, resulting in enhanced system security. <br /> This thesis extends the field of usable security research and presents the results of four studies involving IT-administrators and expert users, which focus on the update processes in corporate contexts and the TLS setup step in the web server configuration. <br /> The first study analyzes the update process of administrators in companies. This study also reveals obstacles that occur at various points in this process, which can be a reason for delaying or not deploying updates. <br /> Based on the emerged process model, I further present a case study in which I apply the model to update processes of a web development company. The results show that the process is far more flexible than originally thought, leading to an adapted version of this model. <br /> Subsequently, I present the findings of a study related to the importance of specific components in update release notes. <br /> The findings of these three studies serve as a foundation to spark future work, e.g., in researching better communication strategies of the changes an update brings or finding ways to reduce the delay of updates by preventing downtimes. <br /> Following the update topic, I present a study on the analysis of the automation effect in the TLS configuration process. The automated approach was found to have a positive impact on the security of the configuration. Through this study, I present lessons learned and discuss areas where the automated approach's principles can further enable better usability and security in the context of IT-administration.