Complexity is dead, long live complexity! How software can help service providers manage security and compliance

Service providers expected to see a simplification regarding security and compliance management as standards and best practice were applied to complex information technology (IT) outsourcing arrangements. However, security and compliance management became even more complex and is presenting greater challenges to service providers than ever before. In this article, we focus on the work practices of service providers dealing with complex and transitory security requirements and distributed IT infrastructures. Based on the results of semi-structured interviews followed by a think-aloud study, we first describe specific requirements to be met by software supporting security and compliance management in complex IT outsourcing arrangements, and discuss the extent to which existing software already meets them. We show that existing software, which is primarily designed for in-house settings, fails to meet requirements of complex IT outsourcing arrangements such as (1) the use of standardized and formal descriptions of security requirements and configurations, (2) the definition of a interface allowing to exchange messages and to delegate tasks, (3) the provision of mechanisms for designing and implementing a configuration for specific security requirements across organizational boundaries, (4) the provision of mechanisms for verifying and approving the enforcement of these security requirements, and (5) the provision of mechanisms for searching and browsing security requirements, configurations and links between them. We then propose a software architecture that claims to be capable of meeting those requirements and outline how this claim was evaluated by means of another think-aloud study in which potential end users were asked to perform a series of tasks using a prototypical implementation of the architecture. The results of the evaluation confirm that the software meets the described requirements and suggests that it facilitates the management of security and compliance in complex IT outsourcing arrangements. © 2014 Elsevier Ltd. All rights reserved. 09; fax: þ43 5125072844. ac.at (S. Thalmann), dani k.ac.at (M. Manhart). rved. [email protected] (D. Bachlechner), lukas.demetz@