{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T07:57:27Z","timestamp":1781078247954,"version":"3.54.1"},"reference-count":31,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2009,6,5]],"date-time":"2009-06-05T00:00:00Z","timestamp":1244160000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2009,6,5]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>The paper seeks to provide a foundational understanding of the socio\u2010technical system that is computer network intrusion detection, including the nature of the knowledge work, situated expertise, and processes of learning as supported by information technology.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>The authors conducted a field study to explore the work of computer network intrusion detection using multiple data collection methods, including semi\u2010structured interviews, examination of security tools and resources, analysis of information security mailing list posts, and attendance at several domain\u2010specific user group meetings.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>The work practice of intrusion detection analysts involves both domain expertise of networking and security and a high degree of situated expertise and problem\u2010solving activities that are not predefined and evolve with the dynamically changing context of the analyst's environment. This paper highlights the learning process needed to acquire these two types of knowledge, contrasting this work practice with that of computer systems administrators.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title><jats:p>The research establishes a baseline for future research into the domain and practice of intrusion detection, and, more broadly, information security.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>The results presented here provide a critical examination of current security practices that will be useful to developers of intrusion detection support tools, information security training programs, information security management, and for practitioners themselves.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>There has been no research examining the work or expertise development processes specific to the increasingly important information security practice of intrusion detection. The paper provides a foundation for future research into understanding this highly complex, dynamic work.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09593840910962186","type":"journal-article","created":{"date-parts":[[2009,5,23]],"date-time":"2009-05-23T07:13:49Z","timestamp":1243062829000},"page":"92-108","source":"Crossref","is-referenced-by-count":46,"title":["Developing expertise for network intrusion detection"],"prefix":"10.1108","volume":"22","author":[{"given":"John R.","family":"Goodall","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Wayne G.","family":"Lutters","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Anita","family":"Komlodi","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"140","reference":[{"key":"key2022012320392797300_b1","unstructured":"Anderson, E.A. (2002), Researching System Administration, University of California, Berkeley, CA."},{"key":"key2022012320392797300_b2","doi-asserted-by":"crossref","unstructured":"Barley, S.R. (1996), \u201cTechnicians in the workplace: ethnographic evidence for bringing work into organizational studies\u201d, Administrative Science Quarterly, Vol. 41 No. 3, pp. 404\u201041.","DOI":"10.2307\/2393937"},{"key":"key2022012320392797300_b3","doi-asserted-by":"crossref","unstructured":"Barrett, R., Kandogan, E., Maglio, P.P., Haber, E.M., Takayama, L.A. and Prabaker, M. (2004), \u201cField studies of computer system administrators: analysis of system management tools and practices\u201d, Proceedings of the ACM Conference on Computer\u2010Supported Cooperative Work (CSCW), Chicago, IL, November 6\u201010, pp. 388\u201095.","DOI":"10.1145\/1031607.1031672"},{"key":"key2022012320392797300_b4","doi-asserted-by":"crossref","unstructured":"Bechky, B.A. (2003), \u201cSharing meaning across occupational communities: the transformation of understanding on a production floor\u201d, Organization Science, Vol. 14 No. 3, pp. 312\u201030.","DOI":"10.1287\/orsc.14.3.312.15162"},{"key":"key2022012320392797300_b5","doi-asserted-by":"crossref","unstructured":"Bentley, R., Hughes, J.A., Randall, D., Rodden, T., Sawyer, P., Shapiro, D. and Sommerville, I. (1992), \u201cEthnographically\u2010informed systems design for air traffic control\u201d, Proceedings of the ACM Conference on Computer\u2010Supported Cooperative Work (CSCW), Toronto, November 1\u20104, pp. 123\u20109.","DOI":"10.1145\/143457.143470"},{"key":"key2022012320392797300_b6","unstructured":"Bruner, J. (1990), Acts of Meaning, Harvard University Press, Cambridge, MA."},{"key":"key2022012320392797300_b7","unstructured":"CSO Magazine\/US Secret Service\/CERT Coordination Center (2005), \u201c2005 e\u2010crime watch survey\u201d, available at: www.csoonline.com\/info\/ecrimesurvey05.html."},{"key":"key2022012320392797300_b8","doi-asserted-by":"crossref","unstructured":"D'Amico, A., Whitley, K., Tesone, D., O'Brien, B. and Roth, E. (2005), \u201cAchieving cyber defense situational awareness: a cognitive task analysis of information assurance analysts\u201d, Proceedings of the Human Factors and Ergonomics Society 49th Annual Meeting, Orlando, FL, September 26\u201030, pp. 229\u201033.","DOI":"10.1177\/154193120504900304"},{"key":"key2022012320392797300_b9","doi-asserted-by":"crossref","unstructured":"Dreyfus, H.L. and Dreyfus, S.E. (2005), \u201cPeripheral vision: expertise in real world contexts\u201d, Organization Studies, Vol. 26 No. 5, pp. 779\u201092.","DOI":"10.1177\/0170840605053102"},{"key":"key2022012320392797300_b10","doi-asserted-by":"crossref","unstructured":"Goodall, J.R., Lutters, W.G. and Komlodi, A. (2004), \u201cI know my network: collaboration and expertise in intrusion detection\u201d, Proceedings of the ACM Conference on Computer\u2010Supported Cooperative Work (CSCW), Chicago, IL, November 6\u201010, pp. 342\u20105.","DOI":"10.1145\/1031607.1031663"},{"key":"key2022012320392797300_b11","doi-asserted-by":"crossref","unstructured":"Goodall, J.R., Lutters, W.G., Rheingans, P. and Komlodi, A. (2006), \u201cFocusing on context in network traffic analysis\u201d, IEEE Computer Graphics and Applications, Vol. 26 No. 2, pp. 72\u201080.","DOI":"10.1109\/MCG.2006.31"},{"key":"key2022012320392797300_b12","unstructured":"Hall, M. (2007), \u201cPrice of security breaches \u2026\u201d, available at: www.computerworld.com\/securitytopics\/security\/story\/0,10801,106180,00.html."},{"key":"key2022012320392797300_b13","unstructured":"Halprin, G. (1998), \u201cThe workflow of system administration\u201d, Proceedings of the Conference of the System Administrators Guild of Australia (SAGE\u2010AU), Canberra, July 6\u201010, pp. 6\u201010."},{"key":"key2022012320392797300_b14","unstructured":"Harper, R.H.R. (1998), Inside the IMF: An Ethnography of Documents, Technology and Organisational Action, Academic Press, San Diego, CA."},{"key":"key2022012320392797300_b15","doi-asserted-by":"crossref","unstructured":"Heath, C. and Luff, P. (1992), \u201cCollaboration and control: crisis management and multimedia technology in london underground control rooms\u201d, Journal of Computer Supported Cooperative Work, Vol. 1 No. 1, pp. 24\u201048.","DOI":"10.1007\/BF00752451"},{"key":"key2022012320392797300_b16","doi-asserted-by":"crossref","unstructured":"Hughes, J., Randall, D. and Shapiro, D. (1992), \u201cFaltering from ethnography to design\u201d, Proceedings of the ACM Conference on Computer\u2010Supported Cooperative Work (CSCW), Toronto, November 1\u20104, pp. 115\u201022.","DOI":"10.1145\/143457.143469"},{"key":"key2022012320392797300_b17","doi-asserted-by":"crossref","unstructured":"Julisch, K. (2003), \u201cClustering intrusion detection alarms to support root cause analysis\u201d, ACM Transactions on Information and System Security, Vol. 6 No. 4, pp. 443\u201071.","DOI":"10.1145\/950191.950192"},{"key":"key2022012320392797300_b18","unstructured":"Kirk, J. (2007), \u201cEstonia recovers from massive denial\u2010of\u2010service attack\u201d, available at: www.networkworld.com\/news\/2007\/051707\u2010estonia\u2010recovers\u2010from\u2010massive\u2010denial\u2010of\u2010service.html."},{"key":"key2022012320392797300_b19","doi-asserted-by":"crossref","unstructured":"Lave, J. and Wenger, E. (1990), Situated Learning: Legitimate Peripheral Participation, Cambridge University Press, Cambridge.","DOI":"10.1017\/CBO9780511815355"},{"key":"key2022012320392797300_b20","doi-asserted-by":"crossref","unstructured":"Lings, B. and Lundell, B. (2005), \u201cOn the adaptation of grounded theory procedures: insights from the evolution of the 2G method\u201d, Information Technology & People, Vol. 18 No. 3, pp. 196\u2010211.","DOI":"10.1108\/09593840510615842"},{"key":"key2022012320392797300_b21","doi-asserted-by":"crossref","unstructured":"Lutters, W.G. and Ackerman, M.S. (2007), \u201cBeyond boundary objects: collaborative reuse in aircraft technical support\u201d, Journal of Computer Supported Cooperative Work, Vol. 16 No. 3, pp. 341\u201072.","DOI":"10.1007\/s10606-006-9036-x"},{"key":"key2022012320392797300_b22","doi-asserted-by":"crossref","unstructured":"Martin, D. and Sommerville, I. (2004), \u201cPatterns of cooperative interaction: linking ethnomethodology and design\u201d, ACM Transactions on Computer\u2010Human Interaction, Vol. 11 No. 1, pp. 59\u201089.","DOI":"10.1145\/972648.972651"},{"key":"key2022012320392797300_b23","doi-asserted-by":"crossref","unstructured":"Muller, M.J. (1999), \u201cInvisible work of telephone operators: an ethnocritical analysis\u201d, Journal of Computer Supported Cooperative Work, Vol. 8 Nos 1\/2, pp. 31\u201061.","DOI":"10.1023\/A:1008603223106"},{"key":"key2022012320392797300_b24","unstructured":"Polanyi, M. (1967), The Tacit Dimension, Anchor Books, New York, NY."},{"key":"key2022012320392797300_b25","unstructured":"Roesch, M. (1999), \u201cSnort \u2013 lightweight intrusion detection for networks\u201d, Proceedings of Thirteenth Systems Administration Conference (LISA), Seattle, WA, November 7\u201012, pp. 229\u201038."},{"key":"key2022012320392797300_b26","doi-asserted-by":"crossref","unstructured":"Sandusky, R.J. (1997), \u201cInfrastructure management as cooperative work: implications for systems design\u201d, Proceedings of the ACM Conference on Supporting Group Work (GROUP), Phoenix, AZ, November 11\u201019, pp. 91\u2010100.","DOI":"10.1145\/266838.266871"},{"key":"key2022012320392797300_b27","doi-asserted-by":"crossref","unstructured":"Star, S.L. and Strauss, A. (1999), \u201cLayers of silence, arenas of voice: the ecology of visible and invisible work\u201d, Journal of Computer Supported Cooperative Work, Vol. 8 Nos 1\/2, pp. 9\u201030.","DOI":"10.1023\/A:1008651105359"},{"key":"key2022012320392797300_b28","unstructured":"Stolze, M., Pawlitzek, R. and Hild, S. (2003a), \u201cTask support for network security monitoring\u201d, paper presented at the ACM CHI Workshop on System Administrators Are Users, Too: Designing Workspaces for Managing Internet\u2010scale Systems, Fort Lauderdale, FL."},{"key":"key2022012320392797300_b29","unstructured":"Stolze, M., Pawlitzek, R. and Wespi, A. (2003b), \u201cVisual problem\u2010solving support for new event triage in centralized network security monitoring: challenges, tools and benefits\u201d, paper presented at the GI\u2010SIDAR Conference IT\u2010Incident Management & IT\u2010Forensics (IMF), Stuttgart, October 18\u201019."},{"key":"key2022012320392797300_b30","unstructured":"Strauss, A. and Corbin, J. (1998), Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory, Sage Publications, Thousand Oaks, CA."},{"key":"key2022012320392797300_b31","unstructured":"Yurcik, W., Barlow, J. and Rosendale, J. (2003), \u201cMaintaining perspective on who is the enemy in the security systems administration of computer networks\u201d, paper presented at the ACM CHI Workshop on System Administrators Are Users, Too: Designing Workspaces for Managing Internet\u2010scale Systems, Fort Lauderdale, FL."}],"container-title":["Information Technology &amp; People"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09593840910962186","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09593840910962186\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09593840910962186\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:36:58Z","timestamp":1753403818000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/itp\/article\/22\/2\/92-108\/186384"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009,6,5]]},"references-count":31,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2009,6,5]]}},"alternative-id":["10.1108\/09593840910962186"],"URL":"https:\/\/doi.org\/10.1108\/09593840910962186","relation":{},"ISSN":["0959-3845"],"issn-type":[{"value":"0959-3845","type":"print"}],"subject":[],"published":{"date-parts":[[2009,6,5]]}}}