Parallel Data Lab Research on Network Security



    Part 1 - Your Information

    Job Title:
    Education:
    High School
    Some college
    College degree
    Master's/Professional degree
    PhD/MD
    Age:
    System/network admin. certifications:
    Years of system/network admin. experience:

    Part 2 - Your Favourite Security Product

    Tell us about the best computer security product you have used (e.g., firewalls, intrusion detection systems, virus scanners).

    Product:
    Vendor:
    Dates used:
    For how many computers was this product used?
    On which OS(s) did you use this product?
    Windows
    Unix/Linux
    Mac OS
    Other

     

    The intrusion detection method is primarily based on
    1. rule or signature matching  
    anomaly detection
    1
    2
    3
    4
    5
    6
    7
    8
    9

    Rate your overall experience with this product on each of these word pairs:

    2. terrible  
    wonderful
    1
    2
    3
    4
    5
    6
    7
    8
    9

    3. frustrating  
    satisfying
    1
    2
    3
    4
    5
    6
    7
    8
    9

    4. dull  
    stimulating
    1
    2
    3
    4
    5
    6
    7
    8
    9

    5. difficult  
    easy
    1
    2
    3
    4
    5
    6
    7
    8
    9

    6. inadequate power  
    adequate power
    1
    2
    3
    4
    5
    6
    7
    8
    9

    7. rigid  
    flexible
    1
    2
    3
    4
    5
    6
    7
    8
    9

    Rate the product's capabilities:


    8. Speed
    too slow  
    fast enough
    1
    2
    3
    4
    5
    6
    7
    8
    9

    9. The product is reliable
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    10. Correcting your mistakes
    difficult  
    easy
    1
    2
    3
    4
    5
    6
    7
    8
    9

    11. Ease of operation depends on your level of experience
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    12. Sensors are mainly
    at every host  
    at one centralized location
    1
    2
    3
    4
    5
    6
    7
    8
    9


    Rate configuration, specifically

    13. Configuring the product is
    easy  
    difficult
    1
    2
    3
    4
    5
    6
    7
    8
    9

    14. The configuration interface is
    text-based  
    graphical
    1
    2
    3
    4
    5
    6
    7
    8
    9

    Rate the product's efficacy


    15. How well does the product prevent intrusions?
    not at all  
    perfectly
    1
    2
    3
    4
    5
    6
    7
    8
    9

    Rate the monitoring infrastructure

    16. Detecting intrusions occurred
    unreliable  
    reliable
    1
    2
    3
    4
    5
    6
    7
    8
    9

    17. Diagnosing an intrusion (once it is detected)
    difficult  
    easy
    1
    2
    3
    4
    5
    6
    7
    8
    9

    18. False alarm rate
    too high  
    acceptable
    1
    2
    3
    4
    5
    6
    7
    8
    9

    19. Alerts interrupt me while I'm doing other things
    always  
    never
    1
    2
    3
    4
    5
    6
    7
    8
    9

    20. It is easy to determine which host is compromised
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    21. It is easy to determine which program/service is compromised
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    22. It is easy to determine the source of the attack
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    23. It is easy to determine when the attack occurred
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    24. The alert interface is
    text-based  
    graphical
    1
    2
    3
    4
    5
    6
    7
    8
    9

    25. Finding details about alerts is
    difficult  
    easy
    1
    2
    3
    4
    5
    6
    7
    8
    9

    26. Being aware of the network overall is
    difficult  
    easy
    1
    2
    3
    4
    5
    6
    7
    8
    9

    27. I filter alerts based on their attributes (e.g., time of detection,
    source address):
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    If you filter alerts (if not, skip to question 35):

    28. I primarily use this type of interface to filter
    graphical  
    textual
    1
    2
    3
    4
    5
    6
    7
    8
    9

    29. I typically filter on this many attributes at a time:

    30. How many different filters do you commonly use:

    31. I sort alerts on one or more attributes
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    32. I use scripting or macros to help filter or sort alerts
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    33. I would like to use filtering or macros (more) to help filter or sort alerts
    strongly disagree  
    strongly agree
    1
    2
    3
    4
    5
    6
    7
    8
    9

    34. I would like to view alert summaries (more) graphically
    strongly disagree  
    strongly agree
    1
    2
    3
    4
    5
    6
    7
    8
    9

    Rate the usefulness of the tool in responding to intrusions

    35. It is easy to respond appropriately to the intrusion
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9


    36. It is easy to change which services are active when necessary
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    37. It is easy to change user access
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    38. It is easy to reconfigure the network
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    39. It is easy to change the security configuration
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    Rate the experience of learning how to use the product:

    40. Learning to use it
    difficult  
    easy
    1
    2
    3
    4
    5
    6
    7
    8
    9

    41. Exploration of features by trial and error
    discouraging  
    encouraging
    1
    2
    3
    4
    5
    6
    7
    8
    9

    42. Remembering names and use of commands
    difficult  
    easy
    1
    2
    3
    4
    5
    6
    7
    8
    9

    43. Tasks can be performed in a straightforward manner
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    44. Your primary reason for using this product: (If no longer in use, primary reason for discontinuing use)

    45. Other comments about the product:

     

    Part 3 - Preferences Regarding Network and Security Management

    46. I like to configure different parts of my network
    the same everywhere  
    each part differently
    1
    2
    3
    4
    5
    6
    7
    8
    9

    47. I want to modify settings in real-time
    never  
    always
    1
    2
    3
    4
    5
    6
    7
    8
    9

    48. How often do you read alerts? (0 for real time)
    every

    49. Importance of protection from attacks from outside your network
    Not important  
    Very Important
    1
    2
    3
    4
    5
    6
    7
    8
    9

    50. Importance of protection from attacks from inside your network
    Not important  
    Very Important
    1
    2
    3
    4
    5
    6
    7
    8
    9

    I would trust an IDS to automatically respond to intrusions by:

    51. Slowing down network traffic
    Strongly disagree  
    Strongly agree
    1
    2
    3
    4
    5
    6
    7
    8
    9
    52. Terminating network connections
    Strongly disagree  
    Strongly agree
    1
    2
    3
    4
    5
    6
    7
    8
    9
    53. Disabling services
    Strongly disagree  
    Strongly agree
    1
    2
    3
    4
    5
    6
    7
    8
    9

    If you needed to increase security, how willing would you be to give up some of:

    54. your time
    very unwilling  
    very willing
    1
    2
    3
    4
    5
    6
    7
    8
    9

    55. network performance
    very unwilling  
    very willing
    1
    2
    3
    4
    5
    6
    7
    8
    9

    56. functionality available to your users
    very unwilling  
    very willing
    1
    2
    3
    4
    5
    6
    7
    8
    9

    57. your users' time
    very unwilling  
    very willing
    1
    2
    3
    4
    5
    6
    7
    8
    9

    58. How often do you communicate with other network/system administrators about intrusions?
    Many times a day
    Every day
    Every week
    Every month
    Less often than every month

    Rank how much you use each of these media to communicate about intrusions with other network/system administrators:

    59. e-mail
    never  
    all the time
    1
    2
    3
    4
    5
    6
    7
    8
    9

    60. phone
    never  
    all the time
    1
    2
    3
    4
    5
    6
    7
    8
    9

    61. instant messages
    never  
    all the time
    1
    2
    3
    4
    5
    6
    7
    8
    9

    62. in person
    never  
    all the time
    1
    2
    3
    4
    5
    6
    7
    8
    9

    63. website
    never  
    all the time
    1
    2
    3
    4
    5
    6
    7
    8
    9

    64. usenet
    never  
    all the time
    1
    2
    3
    4
    5
    6
    7
    8
    9

    65. other (please specify):
    never  
    all the time
    1
    2
    3
    4
    5
    6
    7
    8
    9


    Section 4 - Optional

    I would like to receive summary results of the survey.
    I would be willing to answer follow-up questions.

    If you checked either or both of the two boxes above, we need your contact information. If you choose to provide this information, only people in our research group will have access to it and we will treat it with the same care we treat our own confidential information.

    Name:
    Email address:
    Organization:

     

     

    For questions about this research project, please contact A. Chris Long at chrisl+survey@cs.cmu.edu.


    © 2006.
    Last updated 17 November, 2004