The Quarterly Workshop on Security Information Workers

The human element is often considered the weakest element in security. Although many kinds of humans interact with systems that are designed to be secure, one particular type of human is especially important, the security information workers who develop, use, and manipulate security-related information and data as a significant part of their jobs. Security information workers include:
  • Software developers, who design and build software that manages and protects sensitive information;
  • Security and system administrators, who deploy and manage security-sensitive software and hardware systems;
  • IT professionals whose decisions have impact on end users' security and privacy;
  • Intelligence analysts, who collect and analyze data about security matters to understand information and make predictions; and
  • Security consultants and educators, who provide guidance to individuals and organizations on practicing good security behaviors and implementing security technologies
This workshop aims to develop and stimulate discussion about security information workers. We will consider topics including but not limited to:
  • Empirical studies of security information workers, including case studies, experiments, field studies, and surveys;
  • New tools designed to assist security information workers;
  • Infrastructure for better understanding security information workers;
  • Information visualization and other techniques designed to help security information workers do their jobs;
  • Evaluations of tools and techniques for security information workers.


Our second quarterly WSIW event will be February 9 at 11:00 EST! If you’d like to do a short talk on a WIP, have a suggestion for a speaker, or want to talk about another topic of interest to the community, send a quick email with a short description of the talk to Looking forward to “seeing” you all and having some great discussions!
We do have a slack channel - email us if you want to be invited.

Agenda - WSIW Quarterly Event

February 9, 2021 11:00 – 12:00 Eastern Standard Time
Zoom link: TBD

11:00 – 11:20A Large-Scale Interview Study on Information Security in and Attacks against Small and Medium-sized Enterprises
Nicolas Huaman, Leibniz University Hannover
AbstractCybercrime is on the rise. Attacks by hackers, organized crime and nation-state adversaries are an economic threat for companies world-wide. Small and medium-sized enterprises (SMEs) have increasingly become victims of cyberattacks in recent years. SMEs often lack the awareness and resources to deploy extensive information security measures. However, the health of SMEs is critical for society: For example, in Germany, 38.8% of all employees work in SMEs and they contribute 31.9% of the German annual gross domestic product. Many guidelines and recommendations encourage companies to invest more into their information security measures. However, there is a lack of understanding of the adoption of security measures in SMEs in Germany, their risk perception with regards to cybercrime and their experiences with cyberattacks. To address this gap in research, we perform 5,000 computer-assisted telephone-interviews (CATIs) with representatives of SMEs in Germany. We report on their experiences with cybercrime, management of information security and risk perception. We present and discuss empirical results of the adoption of both technical and organizational security measures and risk awareness in SMEs. We find that many technical security measures and basic awareness have been deployed in the majority of companies. We uncover differences in reporting cybercrime incidences for SMEs based on their industry sector, company size and security awareness. We conclude our work with a discussion of recommendations for future research, industry and governments and legislators.
11:20 – 11:40Focus groups in security information workers research: Lessons learned during a work-in-progress study
Julie Haney, National Institute of Standards and Technology
AbstractFocus groups are a less-frequently used method for studying security information workers. However, this method can be valuable when trying to understand differences in perspectives among categories of workers, exploring how ideas emerge from a group, and collecting information needed for the design of quantitative surveys. In this talk I will describe my research team’s recent experiences with focus groups as part of a work-in-progress, mixed-methods study targeting security awareness professionals. I will discuss why we selected focus groups as well as lessons learned and perceived benefits and limitations.
11:40 – 12:00Observations From an Online Security Competition and Its Implications on Crowdsourced Security
Alejandro Cuevas Villalba, Carnegie Mellon University
AbstractThe crowd sourced security industry has grown dramatically over the past years and has become the main source of software security reviews for many companies. However, the academic literature has largely omitted security teams, particularly in crowd work contexts. As such, we know very little about how security teams organize, collaborate, and what technology needs they have. We fill this gap by conducting focus groups with the top five teams (out of 18,201 participating teams) of a computer security Capture-the-Flag(CTF) competition. We find that these teams adopted a set of strategies centered on specialties, which allowed them to reduce issues relating to dispersion, double work, and lack of previous collaboration. Observing the current issues of individuals in security crowd work platforms, our study cases that scaling security crowd work to teams is feasible and beneficial. Finally, we identify various areas which warrant future work, such as issues of social identity in high-skilled crowd work environments.

Organizing Committee / Program Committee Chairs

Web Chair