Technological systems and infrastructures form the bedrock of modern society and it is system administrators (sysadmins) who configure, maintain and operate these infrastructures. More often than not, they do so behind the scenes. The work of system administration tends to be unseen and, consequently, not well known. After all, do you think of your IT help-desk when everything is working just fine? Usually, people reach out for help when something is not working as expected or when they need something. A lot of work and effort goes into ensuring that systems are working as expected most of the time and, paradoxically, this smooth functioning results in the invisibilization of the work and effort that went into it. This PhD research focuses on system administration work and what that entails in day-to-day tasks. Instead of proposing technical and social solutions, we try to better understand the “problem” that these proposed solutions are meant to solve. Drawing from safety science research and feminist research approaches, we perform a qualitative exploration of sysadmins’ work. We center their experiences via an in-depth interview investigation and a focus group study. We identify and describe the coordination mechanisms and gender considerations embedded in their work. We shed light on care work as part of sysadmin work and the phenomenon of double invisibility that is experienced by sysadmins who are not cis men. The thesis wraps up with a set of recommendations for moving toward safe and equitable work environments for sysadmins. @en

Restorative justice is an approach that aims to replace hurt by healing in the understanding that the perpetrators of pain are also victims of the incident themselves. In 2016, Mersey Care, an NHS community and mental health trust in the Liverpool region, implemented restorative justice (or what it termed a 'Just and Learning Culture') to fundamentally change its responses to incidents, patient harm, and complaints against staff. Although qualitative benefits from this implementation seemed obvious, it was also thought relevant to identify the economic effects of restorative justice. Through interviews with Mersey Care staff and collecting data pertaining to costs, suspensions, and absenteeism, an economic model of restorative justice was created. We found that the introduction of restorative justice has coincided with many qualitative improvements for staff, such as a reduction in suspensions and dismissals, increase in the reporting of adverse events, increase in the number of staff that feel encouraged to seek support and a slowing down of the upward trend in absence due to illness. It also improved staff retention. The economic benefits of restorative justice appear significant. After corrections for inflation, acquisitions and anomalies, we found that the salary costs averaged over two fiscal years were reduced by £ 4 million per year, coinciding with the introduction of a just and learning culture in 2016. In addition, Mersey Care reaped around £ 1 million in saved legal and termination expenses. We conservatively attribute half of these savings to the introduction of a just and learning culture itself, and the other half to non-related factors. Using this assumption, we estimate the total economic benefit of restorative justice in the case of Mersey Care NHS Foundation Trust to be about £ 2.5 million or approximately 1% of the total costs and 2% of the labour costs.@en

Restorative justice is an approach that aims to replace hurt by healing in the understanding that the perpetrators of pain are also victims of the incident themselves. In 2016, Mersey Care, an NHS community and mental health trust in the Liverpool region, implemented restorative justice (or what it termed a 'Just and Learning Culture') to fundamentally change its responses to incidents, patient harm, and complaints against staff. Although qualitative benefits from this implementation seemed obvious, it was also thought relevant to identify the economic effects of restorative justice. Through interviews with Mersey Care staff and collecting data pertaining to costs, suspensions, and absenteeism, an economic model of restorative justice was created. We found that the introduction of restorative justice has coincided with many qualitative improvements for staff, such as a reduction in suspensions and dismissals, increase in the reporting of adverse events, increase in the number of staff that feel encouraged to seek support and a slowing down of the upward trend in absence due to illness. It also improved staff retention. The economic benefits of restorative justice appear significant. After corrections for inflation, acquisitions and anomalies, we found that the salary costs averaged over two fiscal years were reduced by £ 4 million per year, coinciding with the introduction of a just and learning culture in 2016. In addition, Mersey Care reaped around £ 1 million in saved legal and termination expenses. We conservatively attribute half of these savings to the introduction of a just and learning culture itself, and the other half to non-related factors. Using this assumption, we estimate the total economic benefit of restorative justice in the case of Mersey Care NHS Foundation Trust to be about £ 2.5 million or approximately 1% of the total costs and 2% of the labour costs.@en

Instead of only considering technology, computer security research now strives to also take into account the human factor by studying regular users and, to a lesser extent, experts like operators and developers of systems. We focus our analysis on the research on the crucial population of experts, whose human errors can impact many systems at once, and compare it to research on regular users. To understand how far we advanced in the area of human factors, how the field can further mature, and to provide a point of reference for researchers new to this field, we analyzed the past decade of human factors research in security and privacy, identifying 557 relevant publications. Of these, we found 48 publications focused on expert users and analyzed all in depth. For additional insights, we compare them to a stratified sample of 48 end-user studies. In this paper we investigate: (i) The perspective on human factors, and how we can learn from safety science (ii) How and who are the participants recruited, and how this -- as we find -- creates a western-centric perspective (iii) Research objectives, and how to align these with the chosen research methods (iv) How theories can be used to increase rigor in the communities scientific work, including limitations to the use of Grounded Theory, which is often incompletely applied (v) How researchers handle ethical implications, and what we can do to account for them more consistently Although our literature review has limitations, new insights were revealed and avenues for further research identified.@en

Instead of only considering technology, computer security research now strives to also take into account the human factor by studying regular users and, to a lesser extent, experts like operators and developers of systems. We focus our analysis on the research on the crucial population of experts, whose human errors can impact many systems at once, and compare it to research on regular users. To understand how far we advanced in the area of human factors, how the field can further mature, and to provide a point of reference for researchers new to this field, we analyzed the past decade of human factors research in security and privacy, identifying 557 relevant publications. Of these, we found 48 publications focused on expert users and analyzed all in depth. For additional insights, we compare them to a stratified sample of 48 end-user studies. In this paper we investigate: (i) The perspective on human factors, and how we can learn from safety science (ii) How and who are the participants recruited, and how this -- as we find -- creates a western-centric perspective (iii) Research objectives, and how to align these with the chosen research methods (iv) How theories can be used to increase rigor in the communities scientific work, including limitations to the use of Grounded Theory, which is often incompletely applied (v) How researchers handle ethical implications, and what we can do to account for them more consistently Although our literature review has limitations, new insights were revealed and avenues for further research identified.@en

Instead of only considering technology, computer security research now strives to also take into account the human factor by studying regular users and, to a lesser extent, experts like operators and developers of systems. We focus our analysis on the research on the crucial population of experts, whose human errors can impact many systems at once, and compare it to research on regular users. To understand how far we advanced in the area of human factors, how the field can further mature, and to provide a point of reference for researchers new to this field, we analyzed the past decade of human factors research in security and privacy, identifying 557 relevant publications. Of these, we found 48 publications focused on expert users and analyzed all in depth. For additional insights, we compare them to a stratified sample of 48 end-user studies. In this paper we investigate: (i) The perspective on human factors, and how we can learn from safety science (ii) How and who are the participants recruited, and how this -- as we find -- creates a western-centric perspective (iii) Research objectives, and how to align these with the chosen research methods (iv) How theories can be used to increase rigor in the communities scientific work, including limitations to the use of Grounded Theory, which is often incompletely applied (v) How researchers handle ethical implications, and what we can do to account for them more consistently Although our literature review has limitations, new insights were revealed and avenues for further research identified.@en

Instead of only considering technology, computer security research now strives to also take into account the human factor by studying regular users and, to a lesser extent, experts like operators and developers of systems. We focus our analysis on the research on the crucial population of experts, whose human errors can impact many systems at once, and compare it to research on regular users. To understand how far we advanced in the area of human factors, how the field can further mature, and to provide a point of reference for researchers new to this field, we analyzed the past decade of human factors research in security and privacy, identifying 557 relevant publications. Of these, we found 48 publications focused on expert users and analyzed all in depth. For additional insights, we compare them to a stratified sample of 48 end-user studies. In this paper we investigate: (i) The perspective on human factors, and how we can learn from safety science (ii) How and who are the participants recruited, and how this -- as we find -- creates a western-centric perspective (iii) Research objectives, and how to align these with the chosen research methods (iv) How theories can be used to increase rigor in the communities scientific work, including limitations to the use of Grounded Theory, which is often incompletely applied (v) How researchers handle ethical implications, and what we can do to account for them more consistently Although our literature review has limitations, new insights were revealed and avenues for further research identified.@en

In the system and network administration domain, gender diversity remains a distant target. The experiences and perspectives of sysadmins who belong to marginalized genders (non cis-men) are not well understood beyond the fact that sysadmin work environments are generally not equitable. We address this knowledge gap in our study by focusing on the ways in which sysadmins from marginalized genders manage their work in men-dominated sysadmin work spaces and by understanding what an inclusive workplace would look like. Using a feminist research approach, we engaged with a group of 16 sysadmins who are not cis-men via six online focus groups. We found that managing the impact of gender identity in the sysadmin workplace means demonstrating excellence and going above and beyond in system administration tasks, and also requires performing additional care work not expected from cis men. Furthermore, our participants handle additional layers of work due to gender considerations and to actively find community in the workplace. We found that sysadmins manage by going above and beyond in their tasks, performing care work and doing extra layers of work because of gender considerations, and finding community in the workplace. To mitigate this additional workload, we recommend more care for care work. For future research, we recommend the use of feminist lenses when studying sysadmin work in order to provide more equitable solutions that ultimately contribute to improving system security by fostering a just workplace. @en

The ongoing global COVID-19 pandemic made working from home – wherever working remotely is possible the norm for what had previously been office-based jobs across the world. This change in how we work created a challenging situation for system administrators (sysadmins), as they are the ones building and maintaining the digital infrastructure our world relies on. In this paper, we examine how system administration work changed early in the pandemic from sysadmins’ personal perspectives, through semi-structured interviews and thematic analysis. We find that sysadmins faced a two-sided crisis: While sysadmins’ own work environment changed, they also had to react to the new situation and facilitate stable options to work online for themselves and their colleagues, supporting their users in adapting to the crisis. This finding embeds into earlier work on the connection between IT (security) work and the notion of ‘care’, where we substantiate these earlier findings with results from a repeatable method grounded in coordination theory. Furthermore, while we find that sysadmins perceived no major changes in the way they work, by consecutively probing our interviewees, we find that they did experience several counter-intuitive effects on their work. This includes that while day-to-day communication became inherently more difficult, other tasks were streamlined by the remote working format and were seen as having become easier. Finally, by structuring our results according to a model of coordination and communication, we identify changes in sysadmins’ coordination patterns. From these we derive recommendations for how system administration work can be coordinated, ranging beyond the immediate pandemic response and the transition to any ‘new normal’ way of working.@en