Skip to main content

Research Repository

Advanced Search

All Outputs (113)

Enhancing the construction of attacker personas in cybersecurity software designs using case law-based facts. [Preprint] (2024)
Preprint / Working Paper
ILESANMI, O., FAILY, S., NICHO, M. and MCDERMOTT, C. 2024. Enhancing the construction of attacker personas in cybersecurity software designs using case law-based facts. [Preprint]. Hosted on SSRN [online]. Available from: https://doi.org/10.2139/ssrn.4812698

Thwarting potential attackers is always at the heart of cybersecurity software designs. This interdisciplinary paper in computing science and law investigates the possibility of building attacker personas through reliance on case law facts. To combat... Read More about Enhancing the construction of attacker personas in cybersecurity software designs using case law-based facts. [Preprint].

Programming language evaluation criteria for safety-critical software in the air domain. (2022)
Presentation / Conference Contribution
ASHMORE, R., HOWE, A., CHILTON, R. and FAILY, S. 2022. Programming language evaluation criteria for safety-critical software in the air domain. In Proceedings of the 2022 IEEE (Institute of Electrical and Electronics Engineers) International symposium on software reliability engineering workshops (ISSREW 2022), 31 October - 3 November 2022, Charlotte, NC, USA. Los Alamitos: IEEE Computer Society [online], pages 230-237. Available from: https://doi.org/10.1109/ISSREW55968.2022.00072

Safety-critical software in the air domain typically conforms to RTCA DO-178C. However, latent failures might arise based on assumptions underpinning the programming language used to write the software, whereas the lack of empirical data may constrai... Read More about Programming language evaluation criteria for safety-critical software in the air domain..

Privacy goals for the data lifecycle. (2022)
Journal Article
HENRIKSEN-BULMER, J., YUCEL, C., FAILY, S. and CHALKIAS, I. 2022. Privacy goals for the data lifecycle. Future internet [online], 14(11), article number 315. Available from: https://doi.org/10.3390/fi14110315

The introduction of Data Protection by Default and Design (DPbDD) brought in as part of the General Data Protection Regulation (GDPR) in 2018, has necessitated that businesses review how best to incorporate privacy into their processes in a transpare... Read More about Privacy goals for the data lifecycle..

Automation and cyber security risks on the railways: the human factors implications. (2022)
Presentation / Conference Contribution
THON, E. and FAILY, S. 2022. Automation and cyber security risks on the railways: the human factors implications. Presented at the 2022 International conference on ergonomics and human factors, part one (EHF2022 Online), 11-12 April 2022, [virtual event].

Automation improves rail passenger experience, but may reduce cyber resilience because it fails to adequately account for human factors. Preliminary results from a study on signallers and automation confirms this, but judicious use of modelling tools... Read More about Automation and cyber security risks on the railways: the human factors implications..

Assessing system of systems information security risk with OASoSIS. (2022)
Journal Article
KI-ARIES, D., FAILY, S., DOGAN, H. and WILLIAMS, C. 2022. Assessing system of systems information security risk with OASoSIS. Computers and security [online], 117, article 102690. Available from: https://doi.org/10.1016/j.cose.2022.102690

The term System of Systems (SoS) is used to describe the coming together of independent systems, collaborating to achieve a new or higher purpose. However, the SoS concept is often misunderstood within operational environments, providing challenges t... Read More about Assessing system of systems information security risk with OASoSIS..

Integrated design framework for facilitating systems-theoretic process analysis. (2022)
Presentation / Conference Contribution
ALTAF, A., FAILY, S., DOGAN, H., THRON, E. and MYLONAS, A. 2022. Integrated design framework for facilitating systems-theoretic process analysis. In Katsikas, S., Lambrinoudakis, C., Cuppens, N. et al (eds.) Computer security: 26th European symposium on research in computer security (ESORICS 2021) international workshops: selected papers from 7th workshop on the security of industrial control systems of cyber-physical systems (CyberICPS 2021), co-located with SECPRE, ADIoT, SPOSE, CPS4CIP, CDT and SECOMANE, 4-8 October 2021, Darmstadt, Germany. Lecture notes in computer science (LNCS), 13106. Cham: Springer [online], pages 58-73. Available from: https://doi.org/10.1007/978-3-030-95484-0_4

Systems-Theoretic Process Analysis (STPA) helps mitigate identified safety hazards leading to unfortunate situations. Usually, a systematic step-by-step approach is followed by safety experts irrespective of any software based tool-support, but ident... Read More about Integrated design framework for facilitating systems-theoretic process analysis..

Cybersecurity user requirements analysis: the ECHO approach. (2022)
Presentation / Conference Contribution
KATOS, V., KI-ARIES, D., FAILY, S., GENCHEV, A., BOZHILOVA, M. and STOIANOV, N. 2022. Cybersecurity user requirements analysis: the ECHO approach. In Shkarlet, S., Morozov, A., Palagin, A., Vinnikov, D., Stoianov, N., Zhelezniak, M. and Kazymyr, V. (eds.) Mathematical modeling and simulation of systems: selected papers from the proceedings of the 16th International scientific-practical conference on mathematical modeling and simulation of systems (MODS 2021), 28 June - 1 July 2021, Chernihiv, Ukraine. Lecture notes in networks and systems, 344. Cham: Springer [online], pages 405-421. Available from: https://link.springer.com/book/9783030899011

Cyber defense requires research and investment in advanced technological solution as well as in the development of effective methods and tools for identifying cyber threats and risks. This implies a need for a well-defined process for user requiremen... Read More about Cybersecurity user requirements analysis: the ECHO approach..

Use-case informed task analysis for secure and usable design solutions in rail. (2021)
Presentation / Conference Contribution
ALTAF, A., FAILY, S., DOGAN, H., MYLONAS, A. and THRON, E. 2021. Use-case informed task analysis for secure and usable design solutions in rail. In Percia, D.D., Mermoud, A. and Maillart, T. (eds.). Critical information infrastructures security: revised selected papers of 16th international conference on Critical information infrastructures security 2021 (CRITIS 2021), 27-29 September 2021, Lausanne, Switzerland. Lecture notes in computer science, 13139. Cham: Springer [online], pages 168-185. Available from: https://doi.org/10.1007/978-3-030-93200-8_10

Meeting secure and usable design goals needs the combined effort of safety, security and human factors experts. Human factors experts rely on a combination of cognitive and hierarchical task analysis techniques to support their work. We present an ap... Read More about Use-case informed task analysis for secure and usable design solutions in rail..

Visualising personas as goal models to find security tensions. (2021)
Journal Article
FAILY, S., IACOB, C., ALI, R. and KI-ARIES, D. 2021. Visualising personas as goal models to find security tensions. Information and computer security [online], 29(5), pages 787-815. Available from: https://doi.org/10.1108/ICS-03-2021-0035

This paper aims to present a tool-supported approach for visualising personas as social goal models, which can subsequently be used to identify security tensions. The authors devised an approach to partially automate the construction of social goal m... Read More about Visualising personas as goal models to find security tensions..

Evaluating privacy: determining user privacy expectations on the web. (2021)
Journal Article
PILTON, C., FAILY, S., and HENRIKSEN-BULMER, J. 2021. Evaluating privacy: determining user privacy expectations on the web. Computers and security [online], 105, article 102241. Available from: https://doi.org/10.1016/j.cose.2021.102241

Individuals don’t often have privacy expectations. When asked to consider them, privacy realities were frequently perceived not to meet these expectations. Some websites exploit the trust of individuals by selling, sharing, or analysing their data. W... Read More about Evaluating privacy: determining user privacy expectations on the web..

Identifying implicit vulnerabilities through personas as goal models. (2020)
Presentation / Conference Contribution
FAILY, S., IACOB, C., ALI, R. and KI-ARIES, D. 2020. Identifying implicit vulnerabilities through personas as goal models. In Katsikas, S., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Kalloniatis, C., Mylopoulos, J., Antón, A., Gritzalis, S., Meng, W. and Furnell, S. (eds.) Computer security: ESORICS 2020 international workshops, CyberICPS, SECPRE, and ADIoT: revised selected papers from the 4th International workshop on security and privacy requirements engineering (SECPRE 2020), co-located with the 25th European symposium on research in computer security (ESORICS 2020), 14-18 September 2020, Guildford, UK. Lecture notes in computer science, 12501. Cham: Springer [online], pages 185-202. Available from: https://doi.org/10.1007/978-3-030-64330-0_12

When used in requirements processes and tools, personas have the potential to identify vulnerabilities resulting from misalignment between user expectations and system goals. Typically, however, this potential is unfulfilled as personas and system go... Read More about Identifying implicit vulnerabilities through personas as goal models..

Contextualisation of data flow diagrams for security analysis. (2020)
Presentation / Conference Contribution
FAILY, S., SCANDARIATO, R., SHOSTACK, A., SION, L. and KI-ARIES, D. 2020. Contextualisation of data flow diagrams for security analysis. In Eades, H. III and Gadyatskaya, O. (eds.) Graphical models for security: revised selected papers from the proceedings of the 7th International workshop on graphical models for security (GraMSec 2020), 22 June 2020, Boston, USA. Lecture notes in computer science, 12419. Cham: Springer [online], pages 186-197. Available from: https://doi.org/10.1007/978-3-030-62230-5_10

Data flow diagrams (DFDs) are popular for sketching systems for subsequent threat modelling. Their limited semantics make reasoning about them difficult, but enriching them endangers their simplicity and subsequent ease of take up. We present an appr... Read More about Contextualisation of data flow diagrams for security analysis..

DPIA in context: applying DPIA to assess privacy risks of cyber physical systems. (2020)
Journal Article
HENRIKSEN-BULMER, J., FAILY, S. and JEARY, S. 2020. DPIA in context: applying DPIA to assess privacy risks of cyber physical systems. Future internet [online], 12(5), article 93. Available from: https://doi.org/10.3390/fi12050093

Cyber Physical Systems (CPS) seamlessly integrate physical objects with technology, thereby blurring the boundaries between the physical and virtual environments. While this brings many opportunities for progress, it also adds a new layer of complexi... Read More about DPIA in context: applying DPIA to assess privacy risks of cyber physical systems..

The impact of undergraduate mentorship on student satisfaction and engagement, teamwork performance, and team dysfunction in a software engineering group project. (2020)
Presentation / Conference Contribution
IACOB, C. and FAILY, S. 2020. The impact of undergraduate mentorship on student satisfaction and engagement, teamwork performance, and team dysfunction in a software engineering group project. In Proceedings of the 51st ACM technical symposium on computer science education (SIGCSE 2020), 11-14 March 2020, Portland, USA. New York: ACM [online], pages 128-134. Available from: https://doi.org/10.1145/3328778.3366835

Mentorship schemes in software engineering education usually involve professional software engineers guiding and advising teams of undergraduate students working collaboratively to develop a software system. With or without mentorship, teams run the... Read More about The impact of undergraduate mentorship on student satisfaction and engagement, teamwork performance, and team dysfunction in a software engineering group project..

Identifying safety and human factors issues in rail using IRIS and CAIRIS. (2020)
Presentation / Conference Contribution
ALTAF, A., FAILY, S., DOGAN, H., MYLONAS, A. and THRON, E. 2020. Identifying safety and human factors issues in rail using IRIS and CAIRIS. In Katsikas, S., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Kalloniatis, C., Mylopoulos, J., Antón, A., Gritzalis, S., Pallas, F., Pohle, J., Sasse, A., Meng, W., Furnell, S. and Garcia-Alfaro, J. (eds.) Computer security: ESORICS 2019 international workshops, CyberICPS, SECPRE, SPOSE and ADIoT: revised selected papers from the 5th Workshop on security of industrial control systems and cyber-physical systems (CyberICPS 2019), co-located with the 24th European symposium on research in computer security (ESORICS 2019), 26-27 September 2019, Luxembourg City, Luxembourg. Lecture notes in computer science, 11980. Cham: Springer [online], pages 98-107. Available from: https://doi.org/10.1007/978-3-030-42048-2_7

Security, safety and human factors engineering techniques are largely disconnected although the concepts are interlinked. We present a tool-supported approach based on the Integrating Requirements and Information Security (IRIS) framework using Compu... Read More about Identifying safety and human factors issues in rail using IRIS and CAIRIS..

Exploring the gap between the student expectations and the reality of teamwork in undergraduate software engineering group projects. (2019)
Journal Article
IACOB, C. and FAILY, S. 2019. Exploring the gap between the student expectations and the reality of teamwork in undergraduate software engineering group projects. Journal of systems and software [online], 157, article number 110393. Available from: https://doi.org/10.1016/j.jss.2019.110393

Software engineering group projects aim to provide a nurturing environment for learning about teamwork in software engineering. Since social and teamwork issues have been consistently identified as serious problems in such projects, we aim to better... Read More about Exploring the gap between the student expectations and the reality of teamwork in undergraduate software engineering group projects..

A normative decision-making model for cyber security. (2019)
Journal Article
M'MANGA, A., FAILY, S., MCALANEY, J., WILLIAMS, C., KADOBAYASHI, Y. and MIYAMOTO, D. 2019. A normative decision-making model for cyber security. Information and computer security [online], 27(5), pages 636-646. Available from: https://doi.org/10.1108/ICS-01-2019-0021

The purpose of this paper is to investigate security decision-making during risk and uncertain conditions, and to propose a normative model capable of tracing the decision rationale. The proposed risk rationalisation model is grounded in literature a... Read More about A normative decision-making model for cyber security..

Implementing GDPR in the Charity Sector: A Case Study (2019)
Presentation / Conference Contribution
HENRIKSEN-BULMER, J., FAILY, S. and JEARY, S. 2019. Implementing GDPR in the charity sector: a case study. In Kosta, E., Pierson, J., Slamanig, D., Fischer-Hübner, S. and Krenn, S. (eds.) Privacy and identity management: fairness, accountability and transparency in the age of Big Data: revised selected papers from the 13th International Federation for Information Processing Working Groups 9.2, 9.6/11.7, 11.6, Special Interest Group 9.2.2 international summer school (IFIP Summer School 2018), 20-24 August 2018, Vienna, Austria. IFIP advances in information and communication technology, 547. Cham: Springer [online], pages 173-188. Available from: https://doi.org/10.1007/978-3-030-16744-8_12

Due to their organisational characteristics, many charities are poorly prepared for the General Data Protection Regulation (GDPR). We present an exemplar process for implementing GDPR and the DPIA Data Wheel, a DPIA framework devised as part of the c... Read More about Implementing GDPR in the Charity Sector: A Case Study.

Privacy risk assessment in context: a meta-model based on contextual integrity. (2019)
Journal Article
HENRIKSEN-BULMER, J., FAILY, S. and JEARY, S. 2019. Privacy risk assessment in context: a meta-model based on contextual integrity. Computers and security [online], 82, pages 270-283. Available from: https://doi.org/10.1016/j.cose.2019.01.003

Publishing data in open format is a growing trend, particularly for public bodies who have a legal obligation to make data available as open data. We look at the privacy implications of publishing open data and, in particular, how organisations can m... Read More about Privacy risk assessment in context: a meta-model based on contextual integrity..

Rationalising decision-making about risk: a normative approach. (2018)
Presentation / Conference Contribution
M'MANGA, A., FAILY, S., MCALANEY, J. and WILLIAMS, C. 2018. Rationalising decision-making about risk: a normative approach. In Clarke, N.L. and Furnell, S.M. (eds.) Proceedings of the 12th International symposium on human aspects of information security and assurance (HAISA 2018), 29-31 August 2018, Dundee, UK. Plymouth: University of Plymouth, pages 263-271. Hosted on the CSCAN Archive [online]. Available from: https://www.cscan.org/?page=openaccess&eid=20&id=395

Techniques for determining and applying security decisions typically follow risk-based analytical approaches where alternative options are put forward and weighed in accordance to risk severity metrics based on goals and context. The reasoning or val... Read More about Rationalising decision-making about risk: a normative approach..