THE INFORMATION BEHAVIOR OF INFORMATION SECURITY AND CRYPTOGRAPHY PROFESSIONALS: HOW THESE PROFESSIONALS SEEK AND USE INFORMATION

This paper presents a user study of information security and cryptography professionals, focusing on the use of information behavior models. The methodological procedure proposed in this paper uses as a base model the information behavior model proposed by Choo et al. (2000), which divides human information behavior into three processes: information need, seek and use. The exploratory, descriptive and quali-quantitative study was carried out with 50 professionals from the Brazilian Community of Information Security and Cryptography (Comsic) through questionnaires, interviews and documentary analysis. Four subgroups were identified: cryptographic algorithms and protocols research group, cryptographic hardware and firmware development group, network security professionals group, and information security managers group.


Introduction
In contemporary society, information has become the main wealth of organizations and an indispensable asset in the performance of any activity.It is present in all environments and in all social, scientific, technological, cultural, political and economic activities.
As raw material of this new capitalist model, information is essential for the economic and cultural development of society.In this context, the intensive use of information technology, as a mechanism to facilitate collection, production, processing, transmission and storage, leads to overwhelming changes in the world (Viera, 2007).The intensive use of information technology and the emergence of the Internet in the late 20th century have increased the number of computer security incidents.

Research Problem
Maintaining information security is a job that may require the specialist to search various sources of information.Decision making depends on the correlation of information that may be distributed in these various sources.Processing this information is a task that often requires the support of other specialists, demands time and can be crucial for business continuity.
The great challenge for this professional is to deal with a mass of information about cryptography, policies, norms, methodologies, threats, vulnerabilities, attack techniques, and forms of control, normally dispersed across diverse sources of information.
These professionals are subjected to known problems, whose solutions may be stored in information systems, such as the organization's databases, through which information can be shared, or in personal notes and records.There are also new problems that will require a search for new knowledge and information to identify the best ways to solve them.
In this context, this paper aims, based on a study of information users, to understand how these information security and cryptography professionals deal with information, using information behavior models and the analysis of the needs, seeking, and use of the information of these specialists examined within their professional and organizational context.There are studies on the information behavior of professional categories, such as physicians, engineers, scientists and academics, but a lack of research involving professionals in the field of information security and cryptography.
Ohtoshi, Paulo; Duque, Cláudio Gottschalg.The information behavior of information security and cryptography professionals: how these professionals seek and use information.// Brazilian Journal of Information Studies: Research Trends.11:3 (2017) p. 6-16. ISSN 19816-16. ISSN -1640. .This research is based on the hypothesis that understanding the information behavior of this group of information security specialists, the way they seek information, which sources are the most consulted and what use they make of the information found can contribute for the improvement of the decision-making processes involved in the daily exercise of these professionals and for the improvement of the processes of search and use of information.

Research Questions
The research aimed to answer the following questions: 1) Is there a common information behavior among information security professionals?
2) Can this behavior be diagnosed?
3) What theoretical bases can be used?
4) What recommendations can be drawn from this to assist in the provision of information services for these professionals?

Research Objectives
The general objective of the research is to characterize the information behavior of information security and cryptography experts, that is, how they seek and use security information, which is the information used to provide information security.
The specific objectives are: 1) To propose a methodological procedure for the study of the information behavior of the information security professional; 2) To diagnose the information behavior of the information security professional from a theoretical framework; 3) To propose recommendations for improving the process of seeking and using the information.

Information Behavior
Gasque e Costa (2003) emphasize that the term information behavior is often used in the international literature.In Brazil, knowledge about information behavior is usually addressed under the label of "user studies".
In Wilson's view, information behavior comprises "those activities a person may engage in when identifying their own needs for information, searching for such information in any way, and using or transferring that information" (Wilson, 1999).
According to Figueiredo (1994), studies of information behavior or user studies are "investigations that are done to find out what users need in terms of information or to know if the information needs of users of a library or an information center are being adequately met."Through these studies, it is verified why, how and for what purposes individuals use information and what factors affect such use.These are surveys to identify and differentiate the characteristics, interests, needs and information habits of real and potential users of an information unit.
The use of information behavior models allows the identification and understanding of the factors affecting the behavior of these professionals and enables the elaboration of the questions that will be asked to the respondents through questionnaires, interviews and documentary analysis.Without the use of models, it is difficult to analyze the results collected in the field.

2.2
The Integrative Model of Choo et al. (2000) The Information Behavior Model of Choo et al. (2000) was chosen because it describes all stages of information behavior.It is a model that integrates theories and models of the human information behavior described below.According to Choo, information behavior comprises three processes: i) Information Need; ii) Information Seeking; and iii) Information Use.Each is influenced by cognitive, affective, and situational factors, as shown in Figure 1.
According to Choo et al. (2000), information needs are often analysed as cognitive needs, gaps or anomalies in the state of knowledge of a person, which can be represented by questions or topics.These questions can be presented to a system or information source.Satisfying the cognitive need involves retrieving information whose subject corresponds to the query.The hypothesis of the anomalous state of knowledge was proposed by Belkin (1980), according to which individuals who seek information are almost always unable to specify their needs, since they cannot readily express what they do not know or what is lacking (Choo, 2003).The performance of organizational tasks, including planning and decision making, are the main drivers of cognitive needs.
In the "Information Need" layer, the "Cognitive Factors" can be described according to Dervin's Sense-Making model (1983).In the model of sense-making, the individual moves in space and time, taking steps through experiences and is continuously creating meanings.The "Affective Factors" of the model describe how the emotional aspects of the individual influence and are influenced by the individual's ability to construct meanings to solve the information needs.In relation to the "Situational Factors", the information needs arise from the problems, uncertainties and ambiguities found in specific situations and experiences that are the combination of many elements that relate not only to the subject, but also to the situational factors,  Choo et al. (2000) Source: Choo (2000) In the "Information Seeking" layer (Figure 1), the process of information seeking occurs because of information needs.According to Choo et al. (2000), the experience of information needs does not always lead to the information seeking.People can rely on their own memory or intuition to fill the information need.
People can also suppress their information needs or avoid a problem situation so that no information seeking will be required.In Kuhlthau's view (1993), during the search, the user experiences three kinds of experience: emotional (feelings), cognitive (thinking) and physical (action) (Choo, 2003).At the "Cognitive Level," the individual selects the source that is perceived as the one most likely to provide information that will be relevant and useful.In the "Affective Level," the degree of personal motivation and interest of the individual in the problem or topic will determine the amount of energy that will be invested in the information seeking.Kuhlthau (1993) suggests that as the information searching progresses, the initial feelings of uncertainty and anxiety are reduced and confidence increases.If the theme becomes clearer to the point of developing a focus for research, the individual will become highly motivated, and if that pursuit continues well, there will be an increase in the sense of satisfaction and fulfillment.At the "Situational Level," the selection and use of sources are influenced by the amount of time and effort (physical, intellectual and psychological) needed to locate and contact the source and interact with it to extract information.These attributes can be grouped into a variable called perceived accessibility of the source.
In the "Information Use" layer (Figure 1), the use typically involves the selection and processing of information to answer a question, solve a problem, make a decision, negotiate a position or make sense of a situation.Whether information will be used or ignored de-pends to a large extent on its relevance to the clarification of the issue or to the solution to the problem.At the "Cognitive Level," an individual's style and cognitive preferences influence the way information is processed and used.In the "Affective Level," when processing information, people avoid using information that will arouse strong and negative emotions, in others or in themselves.People use information selectively to avoid embarrassment, conflict, or regret, to maintain self-image and to improve personal status or reputation.In the "Situational Level", the degree to which a task has been structured by rules and routines will have an impact on the use of information.Organizations rely on standard operating procedures to guide information processing.The three phases proposed by Choo, Information Need, Information Seeking and Information Use can be integrated into a single model, as shown in Figure 2. The individual experiences an information need when he perceives a gap in his state of knowledge or in his ability to build meaning.The perception of the information need is shaped by cognitive, affective and situational factors.The individual can choose to suppress this need, avoiding the problem situation so that there is no information seeking.Alternatively, the individual may decide to fill this gap of knowledge or understanding by searching for purposeful information.During the information seeking, the selection and use of information sources depends on the accessibility and perceived quality of the source, the complexity of the task and the personal interest.Information may also be received "by chance" because of regular media surveys or conversations with others, even if those activities have not been directed at meeting specific information needs.

Research Characterization
The research presented in this paper is classified as applied, since it aims to generate knowledge for practi- cal application and is directed to the solution of specific problems.As for the objectives, this research is defined as exploratory and descriptive.Exploratory research aims to provide greater familiarity with the problem for making it more explicit or for constructing hypotheses.It includes a bibliographical survey and interviews with people who have had practical experiences with the researched problem.The descriptive research has as its main objective the description of the characteristics of a certain population or phenomenon.
In the research, the quantitative and qualitative or mixed approaches were adopted, because combining these two approaches would be more adequate for reaching the objectives of the research.

Population and Sample
The population studied is comprised of information security and cryptography professionals.The selected sample for the research is constituted by members of the Brazilian Community of Information Security and Cryptography (Comsic), which brings together 412 professionals of the sector.

Data Collection Instruments
As a data collection instrument, the research employed a questionnaire containing 21 factual questions, through which it was possible to identify the needs, the seeking and the use of information.This questionnaire was sent by e-mail to 412 professionals in the sector, of which 50 participated in the survey.The questionnaire was used to collect quantifiable data from the survey, such as demographic characteristics and the most used sources of information, as well as frequency of use.
Among those professionals who answered the questionnaire, 10 were randomly selected for a semistructured interview, through which it was possible to collect qualitative aspects of this behavior and to deepen the understanding of the results collected in the questionnaires.Through the interview, it was possible to ask questions that required long narratives.The interview used in the research is composed of open questions, made orally, following a previously established sequence.
Another instrument used was the documentary analysis, which allowed us to obtain corporate data, such as specifications and project plans, which, directly or indirectly, influence the information behavior.

Methodological Procedure
Based on the view proposed by the Choo et al. (2000), which incorporates the ideas of other authors such as Taylor (1968), Taylor (1996) and Ellis (1989), a methodological procedure was established for the research, shown in Figure 3, which was structured in 4 parts: i) Professional Profile; ii) Information Need; iii) Infor-mation Seeking; and iv) Information Use.The use of the procedure also allowed for the elaboration of a questionnaire structured in four parts.
The first part of the procedure, which corresponds to the identification and characterization of the Professional Profile, gathers information that helps to characterize and understand the behavior of the individual.This step includes the collection of demographic information such as age, level of education, area of education and career trajectory.All of them influence this behavior.
The second part of the procedure, which corresponds to the first Information Need process of the Choo's et al. Model (2000), aims to analyze the information needs of the professional.These needs, in the adopted procedure, are characterized according to the Taylor's Needs Classification System (1968): Visceral, Conscious, Formalized and Adapted.
The third part of the procedure, which corresponds to the second process or process of Information Seeking of the Choo's et al. Model (2000), aims to characterize how the information seeking occurs.The sources used by information security professionals are investigated.
The quality of the sources and information sought is also evaluated, using criteria of relevance, frequency and reliability of sources and information.
The fourth and last part of the procedure, which corresponds to the third process or process of Information Use of the Choo et al. Model (2000), aims to identify how the information sought is used.To characterize this step, the research was based on the classification system proposed by Taylor (1996) on the use of information, which can be classified in: Enlightenment, Problem Understanding, Instrumental, Factual, Confirmational, Projective, Motivational and Personal or Political.
The methodological approach adopted in the research is presented in Figure 3.The research group consists of professionals working with information security and/or cryptography in the following subareas: 1) Cryptographic algorithms and protocols research and development, 2) Cryptographic hardware and firmware development, 3) Network security management, and 4) Information security management.
The first group of research and development of cryptographic algorithms and protocols professionals elaborates solutions that involve the use of cryptography.
Cryptography is an area that requires knowledge normally offered by graduate and advanced courses in mathematics, statistics, electrical engineering or computer science.
The second group of development of cryptographic hardware and firmware professionals consists of engineers with bachelor's degree and graduate degrees in electrical engineering and electronics technicians.The third group of network security professionals selected for the survey is comprised of specialists with bachelor's degree in computer science, computer engineering, electrical engineering and network engineering.They are responsible for installing and updating systems to maintain the security of computer networks.
The fourth and last group of information security management professionals is composed of experts from different areas of education, with specialization courses in information security management.

Results
Based on the analysis of the answers obtained, it can be said that 82% are male and 18% are female.Regarding the age, only 4% are less than 25 years old, 38% of those surveyed are in the range of 26 to 35 years, constituting the majority group, between 36 and 45 years are only 18% of the respondents, there are 24% in the range of 46 to 55 and just under 16% in the range of 56 or more.The group selected for the research has a high level of education: 4 with post-doctoral degree, 12 with doctor's degree, 14 with master's degree, 15 with specialization courses, and 12 with bachelor's degree.Regarding the area of education, there is a predominance of computer scientists with 38%, 16% are professionals from other areas, 14% are information security specialists, 8% are engineers, 8% are mathematicians, 4% are military, 4% are information scientists, 2% are physicists.
Regarding the topics, Table 1, on the seeking frequency by theme, shows that the most frequently searched subjects selected by the experts selected in this research are "Cryptography", with 32.6%, secondly, "Security of communications and operations", with 29.5% and" Information security applied to information systems", with 27.3%.Among the less frequently searched topics are "War and cyber defense", with 9.5%, "Digital law" with 4.9% and "Expertise and investigation of cybercrimes", with 5%.It should be noted that these percentages reflect the preferences of a group composed mostly of computer science professionals.
Table 2, on the relevance of each type of information source, shows that the "Colleagues" are considered the most relevant source, or extremely relevant by 55.9% of the respondents.Then there are the "Specialized books and magazines", with 50%, and the "Articles" and "Specialized sites", with 47.1%.As relevant appear in the research, "Conferences, workshops and events" with 47.1; "Search sites" and "Forums and mailing lists", with 44.1%; and "Conference proceedings", with 41.2%.Table 4 on the types of information sources most frequently used in the information seeking are "Search Sites", with 85.3% and "E-mail", with 52.9% which may suggest the use of mailing lists sent by email.Another two types of sources that deserve special mention are the "Personal Registries", with 47.1% and the "Colleagues", with 44.1%.

According to the data in
The results obtained, especially in the interviews, show that there is no uniformity in relation to the sources consulted by these professionals, nor an unanimity about which source is most important.
Table 5 presents the results on the frequency of information use by the professionals.These results indicate that the most frequent use of information is for "Problem Solving", with 63.6%.The use of information for "Problem Solving" is also considered extremely relevant by 81.8% of professionals.The use of information for "Learning", that is, for the acquisition of new knowledge that can be used to solve future problems, appears as the second type of most frequent use of information, with a rate of 59.1%.It is also considered extremely relevant by 77.3% of respondents.
The research data show that the sectors in which these professionals work act as units of information, in which the creation, use and sharing of information occur.Research also shows that the main uses of information are for problem solving and for learning.Information sharing and storage occur less frequently, although they are considered relevant.The research also reveals that the possible uses of information depend, above all, on the type and nature of the work performed.
The theoretical research model proposed in this study proved to be an effective instrument in the achievement of the research objectives by helping to formulate questions that enabled the identification of the phenomena that involve the informational behavior of information security professionals.
After collecting, analyzing and consolidating the data, it was possible to conclude that the general objectives and the specific objectives were reached and that the answers to the research questions were not only obtained, but also enabled the emergence of new thematic ones to be researched in future works.
The results presented indicate that there is a common and diagnosable behavior among information security professionals.As professionals working on information security deal with a multitude of topics, the category was subdivided into subgroups according to the subarea in which they operate.
The multidisciplinary nature of information security is reflected in the composition of the professionals who work in the area, that is, the group of experts selected for the research is composed of professionals from different educational areas.This heterogeneity, which at first seemed to be an obstacle to the research, proved to be useful throughout its development and a decisive factor in the analysis and perception of the different behaviors.
Based on the theoretical research model adopted in this study, it was possible to diagnose the behavior of the researched group and to perceive that there are clear similarities and differences among its members, due to several factors, among them the nature of the work performed by the professional, training, time of experience, time of experience in the same organization.
Regarding the information needs, because it is an unobservable cognitive phenomenon, unlike the information seeking and use behavior, it was assumed that the needs emerge from the activities performed by these specialists.
In the case of professionals working in network security, these professionals live daily with the solution of problems, which has as basic characteristics instantaneity and urgency to be solved.The information needs arise from the need to find information to help solve these problems.The information involves procedures and solutions found in forums, mailing lists or specialized websites.
In the case of professionals who work with medium and long-term project development, the searches occur with greater intensity in the initial phases of the project.It is also at this stage that the sharing and dissemination of information with the other team members occurs.In short, it can be said that information seeking and use behavior is directly related to the project phases and is directly related to the nature of the work.
Information security management professionals interviewed in the survey are responsible for all tasks related to maintaining information security.The main characteristic of the professionals selected in the research is to deal with various types of problems.They are responsible for designing policies that, like those involved in project development, focus their research at the beginning of policy making and follow the patterns of search behavior proposed by Ellis (1989).
In the information seeking, they use internal and external sources, personal and impersonal.The survey detected the Internet as the most frequently used information source, although consultation with colleagues was characterized by the most relevant source.Again, consultation with colleagues was not considered the most frequently used source due to the influence of the nature of the work.In the case of protocol developers and cryptographic algorithms, the confidential nature of the work prevents the exchange of information with other colleagues.Network security experts and professionals working in cryptographic hardware and firmware development describe peer consultation and the sharing of information as relevant.The frequency, however, will depend, in the case of development, on the stage of the project.
Regarding information use behavior, the research revealed that the most frequent use of information is for "Problem solving" and for "Learning".The "Sharing" and "Storage" of information occurs very often among network experts.This sharing and storage is done through the organization's internal databases, where the problems and their solutions are registered.
Some general observations about information behavior should be highlighted.The needs and uses of information must be examined within the professional, organizational and social context of users.Information needs vary according to the user's profession or social group, their demographic origins, and the specific requirements of the task it performs.
In the process of observing informational behavior, it is possible to find certain regularities that, because they are quite uniform, make possible the generalization.Some of the behaviors observed in the professionals selected in the research can be generalized.An example is the behavior observed in those who work on projects.According to the interviewees, the searches intensify at the beginning of the project and tend to decline during the project.In the case of professionals who work in network technical support, this information seeking is constant and regular over time.
From the identification of this behavior, how information needs arise, how information is sought, what information sources are used, what criteria are used to select those sources, and what are the possible uses of the information, it was possible to verify that this behavior is not only diagnosable but may also be improved.
The results show that it is possible to improve the access of these professionals to the information they need, making available the most relevant and reliable resources and sources, as well as creating portals that gather all the information, bibliographic references and links that allow this information to be found.
Knowing the information needs enables the adequacy of the information collections of the organizational libraries to attend not only to the general needs of these professionals, but also to the demand for specific information.
The planning allows investments to be made in a rational way, prioritizing the acquisition of the most frequently used publications, the signing of publications and the most important sites.From the data collected in the research it is also possible to create plans and training programs to meet the information needs of these users.The results of the research may also support the elaboration and plans and public policies for the information security sector and the accomplishment of future works.

Conclusion
This paper presents a proposal for a methodological procedure based on the Choo et al. Integrative Model (2000).The general objective of the research was to analyze the informational behavior of experts in information security and cryptography.To reach this goal, a group of professionals that are members of the Brazilian information security and cryptography community was selected for the research.Initially, the profile of these professionals was identified based on the collection of some demographic data.The informational needs were detected from the activities carried out in their daily work.Next, the information seeking behavior was evaluated through the identification of the main information sources used by this group of professionals.These sources were evaluated according to frequency, relevance and reliability criteria.Finally, the use of information was identified through the analysis of how professionals use the information selected.
The procedure proposed in the research, of a mixed nature (quantitative and qualitative), was applied to information security and cryptography professionals, through the application of questionnaires, to the survey of the quantitative or quantifiable aspects.Interviews were applied to survey the subjective or complex aspects of the behavior.These aspects, which are difficult to collect through questionnaires, either by the extension, complexity and subjectivity of the answers, can only be collected through a detailed description of their activities and through the materialization of the feelings lived at the moment of the perception of an information need.The documentary research allowed to identify some aspects associated to the tasks carried out by information security professionals, such as the duration of research projects, composition of teams, reports and project documents and organizational structures.

Table 1 .
Seeking frequency by topic

Table 2 .
Relevance of each type of information source Ohtoshi, Paulo; Duque, Cláudio Gottschalg.The information behavior of information security and cryptography professionals: how these professionals seek and use information.// Brazilian Journal of Information Studies: Research Trends.11:3 (2017) p.6-16.ISSN 1981-1640.

Table 3 .
Conferences and events

Table 4 .
Seeking frequency by type of information source Ohtoshi, Paulo; Duque, Cláudio Gottschalg.The information behavior of information security and cryptography professionals: how these professionals seek and use information.// Brazilian Journal of Information Studies: Research Trends.11:3 (2017) p.6-16.ISSN 1981-1640.

Table 5 .
Frequency of information use