Kartik Markandan

25 June 2007

Abstract: Security administrators prevent security breaches against their infrastructure by using their tools to implement the security policy. This paper deals with security administration errors that were collected from the RISKS-forum and were analyzed using grounded theory. The application of open coding, one of the components of grounded theory, led to a classification of errors based on security tasks. Security errors were also divided according to whether the error was due to Human limitations, Organizational limitations, Technological limitations (HOT) or a combination of these limitations. Moreover, security administration errors were categorized according to different functionality. Our findings have pointed out that security administrators commit a variety of “configuration” errors as well as errors that fall under the category of “patching and upgrading.” We also encountered one error under the category of “password maintenance.” Our results showed that human limitations played a crucial role in the errors that we logged in this study. Thus, we have recommended that more study needs to be conducted into the human factors of security administration.

Keyword(s): hot admin ; security management ; security administration errors ; security tasks ; Usable Security

Published in: Kartik Markandan, "A Study of Security Administration Errors", Laboratory for Education and Research in Secure Systems Engineering, Vancouver, Canada, University of British Columbia, technical report LERSSE-TR-2006-03, 17 December, 2006, pp.12.: