Paper long abstract:

Most IT security modeling techniques suggest that defining security requirements of a future system means to collect assets and associated threats, to assign risks to the potential threats and finally to model a system in which these risks are mitigated. This approach reflects the traditional objective of information security to protect bounded military or business organizations from the adverse outside world. However, current understandings of organizations as complex networks of human and nonhuman actors (Latour) make defining the boundary of an organization difficult. In addition, rather than with risks, i.e. well-identified dangers associated with describable events, we are often dealing with situations of uncertainty in which we are incapable of establishing the necessary 'list of possible worlds' (Callon). In this paper we show that security requirement definition is a discursive process of negotiation and decision-taking involving multiple, often contradictory perspectives and unforeseeable complications. We show results from an interdisciplinary project (cultural anthropology and computer science) employing ethnographic interviews and observation. With a heterogeneous team of scientists, archivists and IT-professionals we collaboratively defined security requirements of a future remote access to sensitive social science research data. We attempted adapting traditional security modeling techniques in order to turn resulting models into usable boundary objects required to bridge the differences in viewpoints and understanding (Star/Griesemer). We suggest that security modeling approaches only succeed if they assist actors in expressing their viewpoints and support processes of negotiation, thus ensuring that actors can address complex and uncertain issues, and if they allow for the idea of organizations as co-produced by humans and artefacts.