Skip to main content

Research Repository

Advanced Search

Security through usability: a user-centered approach for balanced security policy requirements.




Security policy authors face a dilemma. On one hand, policies need to respond to a constantly evolving, well reported threat landscape, the consequences of which have heightened the security awareness of senior managers. On the other hand, the impact of policies extend beyond constraints on desktop computers and laptops; an overly constrained policy may compromise operations or stifle the freedom needed for staff to innovate. Because few people are fired for making a policy too secure, as long as usability continues to be treated as a trade-off quality together with functionality then policies will err on the side of constraint over freedom of action. Existing work argues that balanced security can be achieved using Requirements Engineering best practice. Such approaches, however, treat usability as another class of quality requirement, and prescribed techniques fail to elicit or analyse empirical data with the same richness as those used by usability professionals. There is, therefore, a need to incorporates techniques from HCI into the task of specifying security, but without compromising Requirements Engineering practice. Recent work demonstrated how user-centered design and security requirements engineering techniques can be aligned; this approach was validated using a general system design project, where ample time was available to collect empirical data and run participatory requirements and risk workshops. The question remains whether such an approach scales for eliciting policy requirements where time is an imperative rather than a luxury.


FAILY, S. and FLÉCHAIS, I. 2010. Security through usability: a user-centered approach for balanced security policy requirements. Presented at the 26th Annual computer security applications conference (ACSAC 2010), 6-10 December 2010, Austin, USA.

Presentation Conference Type Poster
Conference Name 26th Annual computer security applications conference (ACSAC 2010)
Conference Location Austin, USA
Start Date Dec 6, 2010
End Date Dec 10, 2010
Deposit Date Dec 10, 2021
Publicly Available Date Dec 10, 2021
Keywords Systems security; Access and authorisation; Security risk analysis; Security policies; User-centred design; User experience; Requirements engineering
Public URL
Additional Information The file accompanying this record includes both the extended abstract and the full poster.


You might also like

Downloadable Citations