
Research Repository


All Outputs (112)

Cross-platform access control for mobile web applications. (2012)
Conference Proceeding
LYLE, J., MONTELEONE, S., FAILY, S., PATTI, D. and RICCIATO, F. 2012. Cross-platform access control for mobile web applications. In Proceedings of the 2012 IEEE international symposium on policies for distributed systems and networks (POLICY 2012), 16-18 July 2012, Chapel Hill, USA. Los Alamitos: IEEE Computer Society [online], pages 37-44. Available from: https://doi.org/10.1109/POLICY.2012.9

Web browsers are a common platform for delivering cross-platform applications. However, they currently fail to provide consistent access control for security and privacy sensitive JavaScript APIs, such as geolocation and local storage. This problem i...

Tool-supported premortems with attack and security patterns. (2012)
Conference Proceeding
FAILY, S., LYLE, J. and PARKIN, S. 2012. Tool-supported premortems with attack and security patterns. In Proceedings of the 1st International workshop on cyberpatterns (Cyberpatterns 2012): unifying design patterns with security, attack and forensic patterns, 9-10 July 2012, Abingdon, UK. Oxford: Oxford Brookes University, pages 10-11.

Security patterns are a useful technique for packaging and applying security knowledge. However, because patterns represent partial knowledge of a problem and solution space, there is little certainty that addressing the consequences of one problem w...

Analysing chindōgu: applying defamiliarisation to security design. (2012)
Presentation / Conference
FAILY, S. 2012. Analysing chindōgu: applying defamiliarisation to security design. Presented at the Workshop on defamiliarization in innovation and usability, part of the 30th ACM SIGCHI conference on human factors in computing systems (CHI 2012), 5 May 2012, Austin, Texas.

Envisaging how secure systems might be attacked is difficult without adequate attacker models or relying on stereotypes. Defamiliarisation removes this need for a priori domain knowledge and encourages designers to think critically about system prope...

The webinos project. (2012)
Conference Proceeding
FUHRHOP, C., LYLE, J. and FAILY, S. 2012. The webinos project. In Proceedings of the 21st Annual conference on World Wide Web companion (WWW 2012 Companion), 16-20 April 2012, Lyon, France. New York: ACM [online], pages 263-266. Available from: https://doi.org/10.1145/2187980.2188024

This poster paper describes the webinos project and presents the architecture and security features developed in webinos. It highlights the main objectives and concepts of the project and describes the architecture derived to achieve the objectives.

Here's Johnny: a methodology for developing attacker personas. (2011)
Conference Proceeding
ATZENI, A., CAMERONI, C., FAILY, S., LYLE, J. and FLÉCHAIS, I. 2011. Here's Johnny: a methodology for developing attacker personas. In Proceedings of the 6th International conference on availability, reliability and security (ARES 2011), 22-26 Aug 2011, Vienna, Austria. Los Alamitos: IEEE Computer Society [online], pages 722-727. Available from: https://doi.org/10.1109/ARES.2011.115

The adversarial element is an intrinsic part of the design of secure systems, but our assumptions about attackers and threats are often limited or stereotypical. Although there has been previous work on applying User-Centered Design on Persona developm...

User-centered information security policy development in a post-Stuxnet world. (2011)
Conference Proceeding
FAILY, S. and FLÉCHAIS, I. 2011. User-centered information security policy development in a post-Stuxnet world. In Proceedings of the 5th International workshop on secure software engineering (SecSE 2011), part of the 6th International conference on availability, reliability and security (ARES 2011), 22-26 Aug 2011, Vienna, Austria. Los Alamitos: IEEE Computer Society [online], pages 716-721. Available from: https://doi.org/10.1109/ARES.2011.111

A balanced approach is needed for developing information security policies in Critical National Infrastructure (CNI) contexts. Requirements Engineering methods can facilitate such an approach, but these tend to focus on either security at the expense...

Eliciting policy requirements for critical national infrastructure using the IRIS framework. (2011)
Journal Article
FAILY, S. and FLÉCHAIS, I. 2011. Eliciting policy requirements for critical national infrastructure using the IRIS framework. International journal of secure software engineering [online], 2(4), pages 1-18. Available from: https://doi.org/10.4018/jsse.2011100101

Despite existing work on dealing with security and usability concerns during the early stages of design, there has been little work on synthesising the contributions of these fields into processes for specifying and designing systems. Without a bette...

Eliciting usable security requirements with misusability cases. (2011)
Presentation / Conference
FAILY, S. and FLÉCHAIS, I. 2011. Eliciting usable security requirements with misusability cases. Presented at the 19th IEEE international requirements engineering conference (RE 2011), 29 August - 2 September 2011, Trento, Italy.

Although widely used for both security and usability concerns, scenarios used in security design may not necessarily inform the design of usability, and vice-versa. One way of using scenarios to bridge security and usability involves explicitly descr...

Bridging user-centered design and requirements engineering with GRL and persona cases. (2011)
Conference Proceeding
FAILY, S. 2011. Bridging user-centered design and requirements engineering with GRL and persona cases. In Castro, J., Franch, X., Mylopoulos, J. and Yu, E. (eds.) Proceedings of the 5th International i* workshop (iStar 2011), 28-29 August 2011, Trento, Italy. CEUR workshop proceedings, 766. Aachen: CEUR-WS [online], pages 114-119. Available from: http://ceur-ws.org/Vol-766/paper20.pdf

Despite the large body of i* research, there has been comparatively little work on how goal-modelling techniques can help identify usability concerns. Recent work has considered how goal models might better integrate with User-Centered Design. This p...

Do we know each other or is it just our devices? A federated context model for describing social activity across devices. (2011)
Presentation / Conference
GIONIS, G., DESRUELLE, H., BLOMME, D., LYLE, J., FAILY, S. and BASSBOUSS, L. 2011. Do we know each other or is it just our devices? A federated context model for describing social activity across devices. Presented at the Federated social web Europe conference, 3-5 June 2011, Berlin, Germany.

The availability of connected devices is rapidly growing. In our everyday life, we already use a multitude of personal devices that are connected to the Internet. The number of shipped smart-phones at the end of 2010 even surpassed the traditional co...

Security goes to ground: on the applicability of security entrepreneurship to grassroot activism. (2011)
Presentation / Conference
FAILY, S. 2011. Security goes to ground: on the applicability of security entrepreneurship to grassroot activism. Presented at the Workshop on HCI, politics and the city, part of the 29th Annual CHI conference on human factors in computing systems (CHI 2011), 7-8 May 2011, Vancouver, Canada.

Designing security for grassroot movements raises several challenges not particular to the organisations that are catered to by conventional approaches to security design. Drawing on analogies between Social Entrepreneurship and Grassroot Activism, a...

Persona cases: a technique for grounding personas. (2011)
Conference Proceeding
FAILY, S. and FLÉCHAIS, I. 2011. Persona cases: a technique for grounding personas. In Proceedings of the 29th Annual CHI conference on human factors in computing systems (CHI 2011), 7-12 May 2011, Vancouver, Canada. New York: ACM [online], pages 2267-2270. Available from: https://doi.org/10.1145/1978942.1979274

Personas are a popular technique in User-Centered Design; however, their validity can be called into question. While the techniques used to develop personas and their integration with other design activities provide some measure of validity, a perso...

Two requirements for usable and secure software engineering. (2011)
Presentation / Conference
FAILY, S. 2011. Two requirements for usable and secure software engineering. Presented at the 1st Software and usable security aligned for good engineering workshop (SAUSAGE 2011), 5-6 April 2011, Gaithersburg, USA.

Despite the acknowledged need for systems to be both usable and secure, we lack guidance on how developers might build such systems. Based on recent research, we believe evidence exists that blending techniques from Security, Usability, and Software...

Seeking the philosopher's stone. (2011)
Journal Article
FLÉCHAIS, I. and FAILY, S. 2011. Seeking the philosopher's stone. Interfaces: the quarterly magazine of BCS Interaction Group [online], 86, pages 14-15. Available from: https://www.bcs.org/media/5326/interfaces86-spring2011.pdf

This article describes the unique challenges facing usable security research and design, and introduces three proposals for addressing these. For all intents and purposes, security design is currently a craft, where quality is dependent on individual...

A model of security culture for e-science. (2011)
Conference Proceeding
FAILY, S. and FLÉCHAIS, I. 2011. A model of security culture for e-science. In Clarke, N., Furnell, S. and Von Solms, R. (eds.) Proceedings of the South African information security multi-conference (SAISMC 2010), 17-18 May 2010, Port Elizabeth, South Africa. Plymouth: University of Plymouth, pages 154-164.

There is a need to understand the cultural issues affecting security in large, distributed and heterogeneous systems; such systems are typified by e-Science projects. We present a model of security culture for e-Science, grounded both in the security...

The secret lives of assumptions: developing and refining assumption personas for secure system design. (2010)
Conference Proceeding
FAILY, S. and FLÉCHAIS, I. 2010. The secret lives of assumptions: developing and refining assumption personas for secure system design. In Bernhaupt, R., Forbrig, P., Gulliksen, J. and Lárusdóttir, M. (eds.) Human-centred software engineering: proceedings of the 3rd International conference on human-centred software engineering (HCSE 2010), 14-15 October 2010, Reykjavik, Iceland. Lecture notes in computer science, 6409. Berlin: Springer [online], pages 111-118. Available from: https://doi.org/10.1007/978-3-642-16488-0_9

Personas are useful for obtaining an empirically grounded understanding of a secure system's user population, its contexts of use, and possible vulnerabilities and threats endangering it. Often, however, personas need to be partly derived from assump...

Security through usability: a user-centered approach for balanced security policy requirements. (2010)
Presentation / Conference
FAILY, S. and FLÉCHAIS, I. 2010. Security through usability: a user-centered approach for balanced security policy requirements. Presented at the 26th Annual computer security applications conference (ACSAC 2010), 6-10 December 2010, Austin, USA.

Security policy authors face a dilemma. On one hand, policies need to respond to a constantly evolving, well reported threat landscape, the consequences of which have heightened the security awareness of senior managers. On the other hand, the impact...

Security and usability: searching for the philosopher's stone. (2010)
Presentation / Conference
FLÉCHAIS, I. and FAILY, S. 2010. Security and usability: searching for the philosopher's stone. Presented at the Workshop on the development of EuroSOUPS, 24 November 2010, Newcastle, UK. Hosted on CoCoLab.org [online]. Available from: https://www.cocolab.org/soups/eurosoups

This paper describes the unique challenges facing usable security research and design, and introduces three proposals for addressing these. For all intents and purposes, security design is currently a craft, where quality is dependent on individuals a...

Designing and aligning e-science security culture with design. (2010)
Journal Article
FAILY, S. and FLÉCHAIS, I. 2010. Designing and aligning e-science security culture with design. Information management and computer security [online], 18(5): selected papers from the South African information security multi-conference (SAISMC 2010), 17-18 May 2010, Port Elizabeth, South Africa, pages 339-349. Available from: https://doi.org/10.1108/09685221011095254

The purpose of this paper is to identify the key cultural concepts affecting security in multi-organisational systems, and to align these with design techniques and tools. A grounded theory model of security culture was derived from the related secur...

To boldly go where invention isn't secure: applying security entrepreneurship to secure systems design. (2010)
Conference Proceeding
FAILY, S. and FLÉCHAIS, I. 2010. To boldly go where invention isn't secure: applying security entrepreneurship to secure systems design. In Proceedings of the 2010 New security paradigms workshop (NSPW 2010), 21-23 September 2010, Concord, USA. New York: ACM [online], pages 73-84. Available from: https://doi.org/10.1145/1900546.1900557

When designing secure systems, we are inundated with an eclectic mix of security and non-security requirements; this makes predicting a successful outcome from the universe of possible security design decisions a difficult problem. We propose augment...