Developing expertise for network intrusion detection

Bibliographic Details
Published in: Information Technology & People (West Linn, Or.), Vol. 22, No. 2, pp. 92-108
Main Authors: Goodall, John R.; Lutters, Wayne G.; Komlodi, Anita
Format: Journal Article
Language: English
Published: West Linn, Emerald Group Publishing Limited, 05.06.2009
Summary:

Purpose - The paper seeks to provide a foundational understanding of the socio-technical system that is computer network intrusion detection, including the nature of the knowledge work, situated expertise, and processes of learning as supported by information technology.

Design/methodology/approach - The authors conducted a field study to explore the work of computer network intrusion detection using multiple data collection methods, including semi-structured interviews, examination of security tools and resources, analysis of information security mailing list posts, and attendance at several domain-specific user group meetings.

Findings - The work practice of intrusion detection analysts involves both domain expertise of networking and security and a high degree of situated expertise and problem-solving activities that are not predefined and evolve with the dynamically changing context of the analyst's environment. This paper highlights the learning process needed to acquire these two types of knowledge, contrasting this work practice with that of computer systems administrators.

Research limitations/implications - The research establishes a baseline for future research into the domain and practice of intrusion detection, and, more broadly, information security.

Practical implications - The results presented here provide a critical examination of current security practices that will be useful to developers of intrusion detection support tools, information security training programs, information security management, and for practitioners themselves.

Originality/value - There has been no research examining the work or expertise development processes specific to the increasingly important information security practice of intrusion detection. The paper provides a foundation for future research into understanding this highly complex, dynamic work.
ISSN: 0959-3845; 1758-5813
DOI: 10.1108/09593840910962186