The role of intrusion detection systems in electronic information security: From the activity theory perspective

The purpose of this paper is to investigate the effectiveness of intrusion detection systems as an access control supplement in protecting electronic information resources and networks in information‐centric organisations. The study focuses on the strengths and vulnerabilities of intrusion detection systems (IDSs).

A qualitative case study is conducted with a retail organisation, and an educational institution in Cape Town, South Africa. Using purposive sampling, interviews are held with network administrators of sample institutions to unpack security priorities and the functionalities of IDSs, the significance of the system in concept, whether it is understood within network departments, the cost factor, and its value in securing networks against all possible security challenges. The activity theory is applied as a lens to understanding the security process, and to inform a future security frameworks and research initiatives.

The findings are clear. Although IDSs have vulnerabilities, they offer an added cushion to conventional network access control efforts. Access control for example, guards the gate but IDSs are the watchdogs in your yard, and IDS closes a gap in a network security that only IDSs can. It alerts you of a potential attacker, enabling you to respond promptly, in whichever way you like. It does however, require deliberate reaction against a detected intrusion to be effective, but remains a useful security tool that should become standard to all network security initiatives. A framework presenting network security as a work activity – with actors who are guided by goals – is offered to guide planning, implementations of network security and further research in future.

Security awareness is crucial to effective e‐citizenry, but complacency could be a threat. As a unique contribution, the paper presents an activity‐theory work‐activity framework of analysing network security. Further, the paper presents original, industry‐specific interview findings, raising awareness that existing security measures need to be viewed as a continuous work‐activity whose planning and implementations are embedded on goals and processes towards pursued outcomes. Access controls themselves should be monitored. They should be supplemented by effective intrusion detection systems if unauthorised access is to be effectively minimised.