Integrating security and usability into the requirements and design process

Fléchais, Ivan; Mascolo, Cecilia; Sasse, M. Angela

doi:10.1504/ijesdf.2007.013589

Cited by 73 publications

(48 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To understand why, we should consider one example of follow-on work: the Appropriate and Effective Guidance for Information Security (AEGIS) design method [30]. AEGIS assumes that secure systems are not merely software systems, but socio-technical systems: systems of technology used within a system of activity.…”

Section: User-centred Security and Aegismentioning

confidence: 99%

Finding and resolving security misusability with misusability cases

Faily

Fléchais

2014

Requirements Eng

View full text Add to dashboard Cite

Although widely used for both security and usability concerns, scenarios used in security design may not necessarily inform the design of usability, and viceversa. One way of using scenarios to bridge security and usability involves explicitly describing how design decisions can lead to users inadvertently exploiting vulnerabilities to carry out their production tasks. This paper describes how misusability cases, scenarios that describe how design decisions may lead to usability problems subsequently leading to system misuse, address this problem. We describe the related work upon which misusability cases are based before presenting the approach, and illustrating its application using a case study example. Finally, we describe some findings from this approach that further inform the design of usable and secure systems.

show abstract

Section: User-centred Security and Aegismentioning

confidence: 99%

Finding and resolving security misusability with misusability cases

Faily

Fléchais

2014

Requirements Eng

View full text Add to dashboard Cite

show abstract

“…Finally, security countermeasures are proposed based on these risks, cost and an assessment of their ease of use in the context of operation. More details can be found in [Flechais, Mascolo et al, 2006;Flechais, Sasse et al, 2003;Sasse & Flechais, 2005].…”

Section: Action Researchmentioning

confidence: 99%

“…Each workshop lasted between two and three hours, was recorded and transcribed in full. These interventions showed AEGIS to be a useful methodology and also provided useful feedback for improving the method (see [Flechais, Mascolo et al, 2006;Flechais, Sasse et al, 2003] for more details about the specific case studies).…”

Section: Research Approachmentioning

confidence: 99%

See 1 more Smart Citation

Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science

Fléchais

Sasse

2009

International Journal of Human-Computer Studies

Self Cite

View full text Add to dashboard Cite

e-Science projects face a difficult challenge in providing access to valuable computational resources, data and software to large communities of distributed users. On the one hand, the raison d'être of the projects is to encourage members of their research communities to use the resources provided. On the other hand, the threats to these resources from online attacks require robust and effective security to mitigate the risks faced. This raises two issues: ensuring that (1) the security mechanisms put in place are usable by the different users of the system, and (2) the security of the overall system satisfies the security needs of all its different stakeholders. A failure to address either of these issues can seriously jeopardise the success of e-Science projects.The aim of this paper is to firstly provide a detailed understanding of how these challenges can present themselves in practice in the development of e-Science applications. Secondly, this paper examines the steps that projects can undertake to ensure that security requirements are correctly identified, and security measures are usable by the intended research community. The research presented in this paper is based on four case studies of e-Science projects. Security design traditionally uses expert analysis of risks to the technology and deploys appropriate countermeasures to deal with them. However, these case studies highlight the importance of involving all stakeholders in the process of identifying security needs and designing secure and usable systems.For each case study, transcripts of the security analysis and design sessions were analysed to gain insight into the issues and factors that surround the design of usable security. The analysis concludes with a model explaining the relationships between the most important factors identified. This includes a detailed examination of the roles of responsibility, motivation and communication of stakeholders in the ongoing process of designing usable secure socio-technical systems such as e-Science.

show abstract

“…Users utilize passwords in everyday life to access their accounts and support their activities. Although user authentication is a topic well studied, the practice of using passwords as a means of providing identity is challenging security and usability design aspects (Flechais, Mascolo and Sasse, 2007) and can hinder situational awareness (Barford et al, 2009). Authentication controls such as password creation policies, try to balance between strong security (which dictates more diverse passwords that are not easily cracked) and usability of authentication mechanisms (relating to the ease of use and memorability of passwords).…”

Section: Introductionmentioning

confidence: 99%

Transparent password policies: A case study of investigating end-user situational awareness

Bullo¹,

Stavrou²,

Stavrou³

2017

IJCSA

View full text Add to dashboard Cite

Transparent password policies are utilized by organizations in an effort to ease the end-user (e.g. customer) from the burden of configuring authentication settings while maintaining a high level of security. However, authentication transparency can challenge security and usability and can impact the awareness of the end-users with regards to the protection level that is realistically achieved. For authentication transparency to be effective, the triptych security -usability -situational awareness should be considered when designing relevant security solutions / products. Although various efforts have been made in the literature, the usability aspects of the password selection process are not well understood or addressed in the context of end-user situational awareness. This research work specifies three security and usability-related strategies that represent the organizations', the end users' and the attackers' objectives with regards to password construction. Understanding each actor's perspective can greatly assist in increasing situational awareness with regards to the authentication controls usage and effectiveness. Furthermore, a case study is presented to evaluate if, and in what way, transparent password policies, that isolate users' involvement can affect the perspective of the end-user with regards to the

show abstract

Integrating security and usability into the requirements and design process

Cited by 73 publications

References 15 publications

Finding and resolving security misusability with misusability cases

Finding and resolving security misusability with misusability cases

Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science

Transparent password policies: A case study of investigating end-user situational awareness

Contact Info

Product

Resources

About