Ivan Flechais

Bringing security home: a process for developing secure and usable systems

The aim of this paper is to provide better support for the development of secure systems. We argue that current development practice suffers from two key problems:1. Security requirements tend to be kept separate from other system requirements, and not integrated into any overall strategy.2. The impact of security measures on users and the operational cost of these measures on a day-to-day basis are usually not considered.Our new paradigm is the full integration of security and usability concerns into the software development process, thus enabling developers to build secure systems that work in the real world. We present AEGIS, a secure software engineering method which integrates asset identification, risk and threat analysis and context of use, bound together through the use of UML, and report its application to case studies on Grid projects. An additional benefit of the method is that the involvement of stakeholders in the high-level security analysis improves their understanding of security, and increases their motivation to comply with policies.

Usability and security of out-of-band channels in secure device pairing protocols

Initiating and bootstrapping secure, yet low-cost, ad-hoc transactions is an important challenge that needs to be overcome if the promise of mobile and pervasive computing is to be fulfilled. For example, mobile payment applications would benefit from the ability to pair devices securely without resorting to conventional mechanisms such as shared secrets, a Public Key Infrastructure (PKI), or trusted third parties. A number of methods have been proposed for doing this based on the use of a secondary out-of-band (OOB) channel that either authenticates information passed over the normal communication channel or otherwise establishes an authenticated shared secret which can be used for subsequent secure communication. A key element of the success of these methods is dependent on the performance and effectiveness of the OOB channel, which usually depends on people performing certain critical tasks correctly. In this paper, we present the results of a comparative usability study on methods that propose using humans to implement the OOB channel and argue that most of these proposals fail to take into account factors that may seriously harm the security and usability of a protocol. Our work builds on previous research in the usability of pairing methods and the accompanying recommendations for designing user interfaces that minimise human mistakes. Our findings show that the traditional methods of comparing and typing short strings into mobile devices are still preferable despite claims that new methods are more usable and secure, and that user interface design alone is not sufficient in mitigating human mistakes in OOB channels.

Persona cases: a technique for grounding personas

Personas are a popular technique in User-Centered Design, however their validity can be called into question. While the techniques used to developed personas and their integration with other design activities provide some measure of validity, a personas legitimacy can be threatened by challenging its characteristics. This note presents Persona Cases: personas whose characteristics are both grounded in, and traceable to their originating source of empirical data. This approach builds on the premise that sense-making in qualitative data analysis is an argumentative activity, and aligns concepts associated with a Grounded Theory analysis with recent work on arguing the characteristics of personas. We illustrate this approach using a case study in the Critical Infrastructure Protection domain.

A meta-model for usable secure requirements engineering

There is a growing recognition of the need for secure software engineering approaches addressing both technical and human factors. Existing approaches to secure software engineering focus on the need for technical security to the detriment of usability. This paper presents the IRIS (Integrating Requirements and Information Security) meta-model, a conceptual model for usable secure requirements engineering. We describe a practical application of the meta-model through a case study in the Critical Infrastructure domain.

Two heads are better than one: security and usability of device associations in group scenarios

We analyse and evaluate the usability and security of the process of bootstrapping security among devices in group scenarios. While a lot of work has been done in single user scenarios, we are not aware of any that focusses on group situations. Unlike in single user scenarios, bootstrapping security in a group requires coordination, attention, and cooperation of all group members. In this paper, we provide an analysis of the security and usability of bootstrapping security in group scenarios and present the results of a usability study on these scenarios. We also highlight crucial factors necessary for designing for secure group interactions.

Here's Johnny: A Methodology for Developing Attacker Personas

The adversarial element is an intrinsic part of the design of secure systems, but our assumptions about attackers and threat is often limited or stereotypical. Although there has been previous work on applying User-Centered Design on Persona development to build personas for possible attackers, such work is only speculative and fails to build upon recent research. This paper presents an approach for developing Attacker Personas which is both grounded and validated by structured data about attackers. We describe a case study example where the personas were developed and used to support the development of a Context of Use description for the EU FP7 webinos project.

The secret lives of assumptions: developing and refining assumption personas for secure system design

Personas are useful for obtaining an empirically grounded understanding of a secure systems user population, its contexts of use, and possible vulnerabilities and threats endangering it. Often, however, personas need to be partly derived from assumptions; these may be embedded in a variety of different representations. Assumption Personas have been proposed as boundary objects for articulating assumptions about a user population, but no methods or tools currently exist for developing and refining these within the context of secure and usable design. This paper presents an approach for developing and refining assumption personas before and during the design of secure systems. We present a model for structuring the contribution of assumptions to assumption personas, together with a process for developing assumption personas founded on this model. We also present some preliminary results based on an application of this approach in a recent case study.

Designing and aligning e-Science security culture with design

Purpose – The purpose of this paper is to identify the key cultural concepts effecting security in multi‐organisational systems and align these with design techniques and tools.Design/methodology/approach – A grounded theory model of security culture was derived from the related security culture literature and empirical data from an e‐Science project. Influencing concepts were derived from these and aligned with recent work on techniques and tools for usable secure systems design.Findings – Roles and responsibility, sub‐cultural norms and contexts, and different perceptions of requirements were found to be influencing concepts towards a culture of security. These concepts align with recent work on personas, environment models, and related tool support.Originality/value – This paper contributes a theoretically and empirically grounded model of security culture. This is also the first paper explicitly aligning key concepts of security culture to design techniques and tools.

On the design and development of webinos : a distributed mobile application middleware

As personal devices become smarter, opportunities arise for sharing services, applications and data between them. While web technologies hold the promise of being a unifying layer, browsers lack functionality for supporting inter-device communication, synchronization, and security. To address this, we designed webinos: a cross-device distributed middleware providing interoperability, compatibility and security for mobile web applications. In this paper we present a case study of the webinos project, showing how the architecture of webinos was specified, designed and implemented, and reflect on several lessons learned.

User-Centered Information Security Policy Development in a Post-Stuxnet World

A balanced approach is needed for developing information security policies in Critical National Infrastructure (CNI) contexts. Requirements Engineering methods can facilitate such an approach, but these tend to focus on either security at the expense of usability, or vice-versa, it is also uncertain whether existing techniques are useful when the time available for applying them is limited. In this paper, we describe a case study where Usability and Requirements Engineering techniques were used to derive missing requirements for an information security policy for a UK water company following reports of the Stuxnet worm. We motivate and describe the approach taken while carrying out this case study, and conclude with three lessons informing future efforts to integrate Security, Usability, and Requirements Engineering techniques for secure system design.