Lizzie Coles-Kemp
Royal Holloway, University of London
Publication
Featured research published by Lizzie Coles-Kemp.
Information Security | 2012
Giampaolo Bella; Lizzie Coles-Kemp
A security ceremony expands a security protocol with everything that is considered out of band for it. Notably, it incorporates the user, who, according to their belief systems and cultural values, may be variously targeted by social engineering attacks. This makes ceremonies complex and varied, hence the need for their formal analysis aimed at their rigorous understanding.
Insider Threats in Cyber Security | 2010
Lizzie Coles-Kemp; Marianthi Theoharidou
The notion of insider has multiple facets. An organization needs to identify which ones to respond to. The selection, implementation and maintenance of information security countermeasures requires a complex combination of organisational policies, functions and processes, which form Information Security Management. This chapter examines the role of current information security management practices in addressing the insider threat. Most approaches focus on frameworks for regulating insider behaviour and do not allow for the various cultural responses to the regulatory and compliance framework. Such responses are not only determined by enforcement of policies and awareness programs, but also by various psychological and organisational factors at an individual or group level. Crime theories offer techniques that focus on such cultural responses and can be used to enhance the information security management design. The chapter examines the applicability of several crime theories and concludes that they can contribute in providing additional controls and redesign of information security management processes better suited to responding to the insider threat.
New Security Paradigms Workshop | 2010
Lizzie Coles-Kemp; Elahe Kani-Zabihi
With the move to deliver services on-line, there is a reduction in opportunities for a service user to discuss and agree to the terms of the management of their personal data. As the focus is turned to on-line technologies, the design question becomes one of privacy protection not privacy negotiation and conflict resolution. However, the findings from a large privacy survey and the outputs of several follow-up focus groups reflect a need for privacy systems to also support different types of privacy and consent dialogues. These dialogues are used to support the resolution of privacy dilemmas through the selection of effective privacy protection practices. As the face to face contact between service user and service provider decreases, the potential for these types of dialogues to become increasingly important grows. The work presented in this paper forms the initial part of a study to learn more about the types of privacy dialogue and negotiation that should be deployed in on-line services. In this position paper we outline the types of privacy and consent dialogues that service providers and service users want to have. We also explore how a socio-technical approach should ideally form the basis of the design and implementation of any dialogue system.
Information Security Technical Report | 2009
Lizzie Coles-Kemp
In May 2009 the Information Security Group, Royal Holloway, became host to a medical sociologist from St. George's Hospital, University of London, under EPSRC's discipline hopping scheme. As part of this knowledge transfer activity, a sociotechnical study group was formed comprising computer scientists, mathematicians, organisational researchers and a sociologist. The focus of this group is to consider different avenues of sociotechnical research in information security. This article briefly outlines some of the areas of research where sociotechnical studies might contribute to information security management.
Information Security Technical Report | 2011
Lizzie Coles-Kemp; Joseph Reddington; Patricia A. H. Williams
This article explores the nature of cloud computing in the context of processing sensitive personal data as part of a personal narrative. In so doing, it identifies general security concerns about cloud computing and presents examples of cloud technologies used to process such data. The use of personal narratives in electronic patient records and in voice output communication aids is compared and contrasted and the implications of the advent of cloud computing for these two scenarios are considered.
International Conference on Emerging Security Technologies | 2010
Christian J. Bonnici; Lizzie Coles-Kemp
Consent is a multifaceted concept that has not received much attention in information systems literature. In this paper we categorise current electronic consent decision making systems into first generation, ex-post and principled Electronic Consent Management. We argue for the adoption of principled ECM as a way forward to consent management in information systems, and outline a research framework for ECM, proposing three key components: consent theory, ECM norms, and ECM norms’ manifestation. A real world context is then selected to illustrate the framework’s intention.
Human Factors in Computing Systems | 2014
Makayla M. Lewis; Lizzie Coles-Kemp
This paper presents comic strips as an approach to align personas and narrative scenarios; the resulting visual artifact was tested with information security practitioners, who often struggle with wider engagement. It offers ways in which different professional roles can work together to share understanding of complex topics such as information security. It also offers user-centered design practitioners a way to reflect on, and participate with, user research data.
Information Security Technical Report | 2009
Danijela Bogdanovic; Conn Crawford; Lizzie Coles-Kemp
The aim of this article is to present the case for a closer examination of the privacy and consent dialogues that take place during the use of on-line services. This article explores the concepts of privacy and consent in on-line services, discusses the facets of both concepts and presents a case study from Sunderland City Council to illustrate the complexity of deploying privacy and consent dialogue within on-line services. The article concludes with an outline of how enhanced understanding of privacy and consent concepts can result in improved tools to support dialogue and result in a negotiated understanding of the privacy that can be expected and the consent that is required. This rationale is the underpinning of the VOME project - Visualisation and Other Methods of Expression - funded by TSB, EPSRC and ESRC.
New Security Paradigms Workshop | 2015
Peter Hall; Claude P.R. Heath; Lizzie Coles-Kemp; Axel Tanner
This paper examines the use of visualisations in the field of information security and in particular focuses on the practice of information security risk assessment. We examine the current roles of information security visualisations and place these roles in the wider information visualisation discourse. We present an analytic lens which divides visualisations into three categories: journalistic, scientific and critical visualisations. We then present a case study that uses these three categories of visualisations to further support information security practice. Two significant results emerge from this case study: (1) visualisations that promote critical thinking and reflection (a form of critical visualisation) support the multi-stakeholder nature of risk assessment and (2) a preparatory stage in risk assessment is sometimes needed by service designers in order to establish the service design before conducting a formal risk assessment. The reader is invited to explore the images in the digital version of this paper where they can zoom in to particular aspects of the images and view the images in colour.
Nordic Conference on Secure IT Systems | 2010
Elahe Kani-Zabihi; Lizzie Coles-Kemp
The work presented in this paper explores how privacy dialogues within an on-line service might be constructed by conducting field experiments that identify privacy practices used when engaging with on-line services and elicit service user requirements for privacy dialogues. The findings are considered against the established design principles for general CRM dialogue design such as: frequency, initiation, signalling, service provider disclosure and richness [1] as well as privacy specific design principles including: transparency, service user disclosure and the agreement of privacy norms and rules [12].