{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,1]],"date-time":"2025-11-01T16:45:59Z","timestamp":1762015559329,"version":"3.41.2"},"reference-count":16,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2013,3,15]],"date-time":"2013-03-15T00:00:00Z","timestamp":1363305600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,3,15]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>The expertise of a system administrator is believed to be important for effective use of intrusion detection systems (IDS). This paper examines two hypotheses concerning the system administrator's ability to filter alarms produced by an IDS, by comparing the performance of an IDS on its own to the performance of a system administrator using the IDS.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>An experiment was constructed in which five computer networks were attacked over four days. The experiment assessed the difference between the output of a system administrator using an IDS and the output of the IDS alone. The administrator's analysis process was also investigated through interviews.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>The experiment shows that a system administrator analysing the output from the IDS significantly improves the proportion of alarms that correspond to attacks, without significantly decreasing the probability that an attack is detected. 
In addition, the types of expertise the administrator draws on when processing the IDS output are analysed.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>Previous work, based on interviews with system administrators, has suggested that competent system administrators are important in order to achieve effective IDS solutions. This paper presents a quantitative test of the value system administrators add to the intrusion detection solution.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685221311314400","type":"journal-article","created":{"date-parts":[[2013,3,25]],"date-time":"2013-03-25T11:56:36Z","timestamp":1364212596000},"page":"30-40","source":"Crossref","is-referenced-by-count":15,"title":["Intrusion detection and the role of the system administrator"],"prefix":"10.1108","volume":"21","author":[{"given":"Teodor","family":"Sommestad","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Amund","family":"Hunstad","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022020719584483000_b1","doi-asserted-by":"crossref","unstructured":"Axelsson, S. (2000), \u201cThe base\u2010rate fallacy and the difficulty of intrusion detection\u201d, ACM Transactions on Information and System Security, Vol. 3 No. 3, pp. 186\u2010205.","DOI":"10.1145\/357830.357849"},{"key":"key2022020719584483000_b2","doi-asserted-by":"crossref","unstructured":"Biermann, E. (2001), \u201cA comparison of intrusion detection systems\u201d, Computers & Security, Vol. 20 No. 8, pp. 676\u201083.","DOI":"10.1016\/S0167-4048(01)00806-9"},{"key":"key2022020719584483000_b3","unstructured":"Branlat, M. 
(2011), Challenges to Adversarial Interplay Under High Uncertainty: Staged\u2010World Study of a Cyber Security Event, The Ohio State University, Columbus, OH."},{"key":"key2022020719584483000_b4","doi-asserted-by":"crossref","unstructured":"Fisher, R.A. (1922), \u201cOn the interpretation of chi\u2010square from contingency tables, and the calculation of P\u201d, Journal of the Royal Statistical Society, Vol. 85 No. 1, pp. 87\u201094.","DOI":"10.2307\/2340521"},{"key":"key2022020719584483000_b6","doi-asserted-by":"crossref","unstructured":"Goodall, J.R., Lutters, W.G. and Komlodi, A. (2004), \u201cI know my network: collaboration and expertise in intrusion detection\u201d, Proceedings of the 2004 ACM Conference on Computer Supported Cooperative Work, ACM, pp. 342\u20105.","DOI":"10.1145\/1031607.1031663"},{"key":"key2022020719584483000_b5","doi-asserted-by":"crossref","unstructured":"Goodall, J.R., Lutters, W.G. and Komlodi, A. (2009), \u201cDeveloping expertise for network intrusion detection\u201d, Information Technology & People, Vol. 22 No. 2, pp. 92\u2010108.","DOI":"10.1108\/09593840910962186"},{"key":"key2022020719584483000_b7","doi-asserted-by":"crossref","unstructured":"McHugh, J. (2000), \u201cTesting intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory\u201d, ACM Transactions on Information and System Security, Vol. 3 No. 4, pp. 262\u201094.","DOI":"10.1145\/382912.382923"},{"key":"key2022020719584483000_b8","unstructured":"Mell, P., Hu, V. and Lippmann, R. (2003), \u201cAn overview of issues in testing intrusion detection systems\u201d, NIST IR 7007, Citeseer, available at: http:\/\/citeseerx.ist.psu.edu\/viewdoc\/summary?doi=10.1.1.8.5163 (accessed 5 January 2011)."},{"key":"key2022020719584483000_b9","doi-asserted-by":"crossref","unstructured":"Ranum, M.J. (2001), \u201cExperiences benchmarking intrusion detection systems\u201d, NFR Security, pp. 
1\u201010.","DOI":"10.1201\/1079\/43257.27.11.20000501\/30334.1"},{"key":"key2022020719584483000_b10","doi-asserted-by":"crossref","unstructured":"Sommestad, T. and Hallberg, J. (2012), \u201cCyber security exercises and competitions as a platform for cyber security experiments\u201d, paper presented at Nordsec, Karlskrona, Sweden.","DOI":"10.1007\/978-3-642-34210-3_4"},{"key":"key2022020719584483000_b11","doi-asserted-by":"crossref","unstructured":"Sourour, M., Adel, B. and Tarek, A. (2009), \u201cEnvironmental awareness intrusion detection and prevention system toward reducing false positives and false negatives\u201d, 2009 IEEE Symposium on Computational Intelligence in Cyber Security, IEEE, pp. 107\u201014.","DOI":"10.1109\/CICYBS.2009.4925097"},{"key":"key2022020719584483000_b12","doi-asserted-by":"crossref","unstructured":"Spathoulas, G.P. and Katsikas, S.K. (2010), \u201cReducing false positives in intrusion detection systems\u201d, Computers & Security, Vol. 29 No. 1, pp. 35\u201044.","DOI":"10.1016\/j.cose.2009.07.008"},{"key":"key2022020719584483000_b13","doi-asserted-by":"crossref","unstructured":"Thompson, R.S., Rantanen, E.M., Yurcik, W. and Bailey, B.P. (2007), \u201cCommand line or pretty lines? Comparing textual and visual interfaces for intrusion detection\u201d, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM, p. 1205.","DOI":"10.1145\/1240624.1240807"},{"key":"key2022020719584483000_b16","doi-asserted-by":"crossref","unstructured":"Werlinger, R., Hawkey, K. and Muldner, K. (2008), \u201cThe challenges of using an intrusion detection system: is it worth the effort?\u201d, SOUPS '08 Proceedings of the 4th Symposium on Usable Privacy and Security, p. 1.","DOI":"10.1145\/1408664.1408679"},{"key":"key2022020719584483000_b15","unstructured":"Werlinger, R., Muldner, K., Hawkey, K. and Beznosov, K. 
(2009), \u201cTowards understanding diagnostic work during the detection and investigation of security incidents\u201d, Proceedings of the Third International Symposium on Human Aspects of Information Security & Assurance (HAISA 2009), Lulu.com, p. 119."},{"key":"key2022020719584483000_b14","doi-asserted-by":"crossref","unstructured":"Werlinger, R., Muldner, K., Hawkey, K. and Beznosov, K. (2010), \u201cPreparation, detection, and analysis: the diagnostic work of IT security incident response\u201d, Information Management & Computer Security, Vol. 18 No. 1, pp. 26\u201042.","DOI":"10.1108\/09685221011035241"}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685221311314400","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221311314400\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221311314400\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:26Z","timestamp":1753402166000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/21\/1\/30-40\/176383"}},"subtitle":[],"editor":[{"given":"Steven 
M.","family":"Furnell","sequence":"first","affiliation":[],"role":[{"role":"editor","vocabulary":"crossref"}]}],"short-title":[],"issued":{"date-parts":[[2013,3,15]]},"references-count":16,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2013,3,15]]}},"alternative-id":["10.1108\/09685221311314400"],"URL":"https:\/\/doi.org\/10.1108\/09685221311314400","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2013,3,15]]}}}
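The abstract above compares an IDS on its own with an administrator filtering that IDS's output on two measures: the proportion of alarms that correspond to attacks (precision) and the probability that an attack is detected (detection rate), and reports that the first rises significantly while the second does not fall significantly. The following is an added example, not code or data from the paper, showing how such a comparison is scored and tested. The counts in IDS_ALONE and ADMIN_FILTERED are constructed for illustration; the choice of Fisher's exact test is an assumption suggested by the Fisher (1922) entry in the reference list, and the record does not state which test the authors actually used.

```python
"""
Added example (not from the paper): score an IDS alone against an
administrator who filters the IDS output on alarm precision and attack
detection rate, and test each hypothesis with Fisher's exact test on a
2x2 table. All counts below are constructed, not the paper's data.
"""
from fractions import Fraction
from math import comb

# Constructed counts over one staged exercise (not the paper's figures).
# "true_alarms": alarms that map to a staged attack; "detected": attacks
# with at least one surviving alarm.
IDS_ALONE = {"alarms": 400, "true_alarms": 40, "attacks": 50, "detected": 40}
ADMIN_FILTERED = {"alarms": 60, "true_alarms": 36, "attacks": 50, "detected": 36}


def precision(true_alarms, total_alarms):
    """Fraction of raised alarms that correspond to an attack."""
    return true_alarms / total_alarms if total_alarms else 0.0


def detection_rate(detected_attacks, total_attacks):
    """Fraction of staged attacks that produced at least one surviving alarm."""
    return detected_attacks / total_attacks if total_attacks else 0.0


def _hypergeom_pmf(x, r1, r2, c1):
    """P(top-left cell == x) for a 2x2 table with fixed margins r1, r2, c1."""
    if x < 0 or x > r1 or c1 - x < 0 or c1 - x > r2:
        return Fraction(0)
    return Fraction(comb(r1, x) * comb(r2, c1 - x), comb(r1 + r2, c1))


def fisher_exact(table, alternative="two-sided"):
    """
    Fisher's exact test for [[a, b], [c, d]] in exact rational arithmetic.
    alternative: "greater" (a larger than chance), "less", or "two-sided"
    (all tables with the same margins whose probability <= the observed one).
    """
    (a, b), (c, d) = table
    r1, r2, c1 = a + b, c + d, a + c
    lo, hi = max(0, c1 - r2), min(r1, c1)
    p_obs = _hypergeom_pmf(a, r1, r2, c1)
    if alternative == "greater":
        xs = range(a, hi + 1)
    elif alternative == "less":
        xs = range(lo, a + 1)
    elif alternative == "two-sided":
        xs = [x for x in range(lo, hi + 1) if _hypergeom_pmf(x, r1, r2, c1) <= p_obs]
    else:
        raise ValueError(alternative)
    p = sum((_hypergeom_pmf(x, r1, r2, c1) for x in xs), Fraction(0))
    return float(min(p, Fraction(1)))


def evaluate(ids, admin, alpha=0.05):
    """
    H1: the administrator raises alarm precision (one-sided test on
        true vs false alarms, administrator row first).
    H2: the administrator changes the detection rate (two-sided test on
        detected vs missed attacks); the claim under test is that this
        change is NOT significant.
    """
    h1 = [[admin["true_alarms"], admin["alarms"] - admin["true_alarms"]],
          [ids["true_alarms"], ids["alarms"] - ids["true_alarms"]]]
    h2 = [[admin["detected"], admin["attacks"] - admin["detected"]],
          [ids["detected"], ids["attacks"] - ids["detected"]]]
    p1 = fisher_exact(h1, "greater")
    p2 = fisher_exact(h2, "two-sided")
    return {
        "ids_precision": precision(ids["true_alarms"], ids["alarms"]),
        "admin_precision": precision(admin["true_alarms"], admin["alarms"]),
        "ids_detection": detection_rate(ids["detected"], ids["attacks"]),
        "admin_detection": detection_rate(admin["detected"], admin["attacks"]),
        "p_precision_improved": p1,
        "p_detection_changed": p2,
        "precision_significantly_improved": p1 < alpha,
        "detection_significantly_changed": p2 < alpha,
    }


if __name__ == "__main__":
    for key, value in evaluate(IDS_ALONE, ADMIN_FILTERED).items():
        print(f"{key:34s} {value}")
```

Two caveats a practitioner should carry over from the abstract's design. Scoring "alarms corresponding to attacks" needs ground truth that maps every alarm to a staged attack, which is why the comparison is run on networks attacked on a known schedule rather than on production traffic. Fisher's test also treats alarms as independent trials; correlated alarm bursts from a single scan or exploit inflate the counts and make the precision result look stronger than it is, so counting one alarm per attack per sensor, or testing on the attack-level table only, is the conservative choice.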