Skip to main content

Research Repository

Advanced Search

Integrated design framework for facilitating systems-theoretic process analysis. (2022)
Conference Proceeding
ALTAF, A., FAILY, S., DOGAN, H., THRON, E. and MYLONAS, A. 2022. Integrated design framework for facilitating systems-theoretic process analysis. In Katsikas, S., Lambrinoudakis, C., Cuppens, N. et al (eds.) Computer security: 26th European symposium on research in computer security (ESORICS 2021) international workshops: selected papers from 7th workshop on the security of industrial control systems of cyber-physical systems (CyberICPS 2021), co-located with SECPRE, ADIoT, SPOSE, CPS4CIP, CDT and SECOMANE, 4-8 October 2021, Darmstadt, Germany. Lecture notes in computer science (LNCS), 13106. Cham: Springer [online], pages 58-73. Available from: https://doi.org/10.1007/978-3-030-95484-0_4

Systems-Theoretic Process Analysis (STPA) helps mitigate identified safety hazards leading to unfortunate situations. Usually, a systematic step-by-step approach is followed by safety experts irrespective of any software based tool-support, but ident... Read More about Integrated design framework for facilitating systems-theoretic process analysis..

Cybersecurity user requirements analysis: the ECHO approach. (2022)
Conference Proceeding
KATOS, V., KI-ARIES, D., FAILY, S., GENCHEV, A., BOZHILOVA, M. and STOIANOV, N. 2022. Cybersecurity user requirements analysis: the ECHO approach. In: Shkarlet, S., Morozov, A., Palagin, A., Vinnikov, D., Stoianov, N., Zhelezniak, M. and Kazymyr, V. (eds.) Mathematical modeling and simulation of systems: selected papers from the proceedings of the 16th International scientific-practical conference on mathematical modeling and simulation of systems (MODS 2021), 28 June - 1 July 2021, Chernihiv, Ukraine. Lecture notes in networks and systems, 344. Cham: Springer [online], pages 405-421. Available from: https://link.springer.com/book/9783030899011

Cyber defense requires research and investment in advanced technological solution as well as in the development of effective methods and tools for identifying cyber threats and risks. This implies a need for a well-defined process for user requiremen... Read More about Cybersecurity user requirements analysis: the ECHO approach..

Use-case informed task analysis for secure and usable design solutions in rail. (2021)
Conference Proceeding
ALTAF, A., FAILY, S., DOGAN, H., MYLONAS, A. and THRON, E. 2021. Use-case informed task analysis for secure and usable design solutions in rail. In Percia, D.D., Mermoud, A. and Maillart, T. (eds.). Critical information infrastructures security: revised selected papers of 16th international conference on Critical information infrastructures security 2021 (CRITIS 2021), 27-29 September 2021, Lausanne, Switzerland. Lecture notes in computer science, 13139. Cham: Springer [online], pages 168-185. Available from: https://doi.org/10.1007/978-3-030-93200-8_10

Meeting secure and usable design goals needs the combined effort of safety, security and human factors experts. Human factors experts rely on a combination of cognitive and hierarchical task analysis techniques to support their work. We present an ap... Read More about Use-case informed task analysis for secure and usable design solutions in rail..

Identifying implicit vulnerabilities through personas as goal models. (2020)
Conference Proceeding
FAILY, S., IACOB, C., ALI, R. and KI-ARIES, D. 2020. Identifying implicit vulnerabilities through personas as goal models. In Katsikas, S., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Kalloniatis, C., Mylopoulos, J., Antón, A., Gritzalis, S., Meng, W. and Furnell, S. (eds.) Computer security: ESORICS 2020 international workshops, CyberICPS, SECPRE, and ADIoT: revised selected papers from the 4th International workshop on security and privacy requirements engineering (SECPRE 2020), co-located with the 25th European symposium on research in computer security (ESORICS 2020), 14-18 September 2020, Guildford, UK. Lecture notes in computer science, 12501. Cham: Springer [online], pages 185-202. Available from: https://doi.org/10.1007/978-3-030-64330-0_12

When used in requirements processes and tools, personas have the potential to identify vulnerabilities resulting from misalignment between user expectations and system goals. Typically, however, this potential is unfulfilled as personas and system go... Read More about Identifying implicit vulnerabilities through personas as goal models..

Contextualisation of data flow diagrams for security analysis. (2020)
Conference Proceeding
FAILY, S., SCANDARIATO, R., SHOSTACK, A., SION, L. and KI-ARIES, D. 2020. Contextualisation of data flow diagrams for security analysis. In Eades, H. III and Gadyatskaya, O. (eds.) Graphical models for security: revised selected papers from the proceedings of the 7th International workshop on graphical models for security (GraMSec 2020), 22 June 2020, Boston, USA. Lecture notes in computer science, 12419. Cham: Springer [online], pages 186-197. Available from: https://doi.org/10.1007/978-3-030-62230-5_10

Data flow diagrams (DFDs) are popular for sketching systems for subsequent threat modelling. Their limited semantics make reasoning about them difficult, but enriching them endangers their simplicity and subsequent ease of take up. We present an appr... Read More about Contextualisation of data flow diagrams for security analysis..

The impact of undergraduate mentorship on student satisfaction and engagement, teamwork performance, and team dysfunction in a software engineering group project. (2020)
Conference Proceeding
IACOB, C. and FAILY, S. 2020. The impact of undergraduate mentorship on student satisfaction and engagement, teamwork performance, and team dysfunction in a software engineering group project. In Proceedings of the 51st ACM technical symposium on computer science education (SIGCSE 2020), 11-14 March 2020, Portland, USA. New York: ACM [online], pages 128-134. Available from: https://doi.org/10.1145/3328778.3366835

Mentorship schemes in software engineering education usually involve professional software engineers guiding and advising teams of undergraduate students working collaboratively to develop a software system. With or without mentorship, teams run the... Read More about The impact of undergraduate mentorship on student satisfaction and engagement, teamwork performance, and team dysfunction in a software engineering group project..

Identifying safety and human factors issues in rail using IRIS and CAIRIS. (2020)
Conference Proceeding
ALTAF, A., FAILY, S., DOGAN, H., MYLONAS, A. and THRON, E. 2020. Identifying safety and human factors issues in rail using IRIS and CAIRIS. In Katsikas, S., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Kalloniatis, C., Mylopoulos, J., Antón, A., Gritzalis, S., Pallas, F., Pohle, J., Sasse, A., Meng, W., Furnell, S. and Garcia-Alfaro, J. (eds.) Computer security: ESORICS 2019 international workshops, CyberICPS, SECPRE, SPOSE and ADIoT: revised selected papers from the 5th Workshop on security of industrial control systems and cyber-physical systems (CyberICPS 2019), co-located with the 24th European symposium on research in computer security (ESORICS 2019), 26-27 September 2019, Luxembourg City, Luxembourg. Lecture notes in computer science, 11980. Cham: Springer [online], pages 98-107. Available from: https://doi.org/10.1007/978-3-030-42048-2_7

Security, safety and human factors engineering techniques are largely disconnected although the concepts are interlinked. We present a tool-supported approach based on the Integrating Requirements and Information Security (IRIS) framework using Compu... Read More about Identifying safety and human factors issues in rail using IRIS and CAIRIS..

Implementing GDPR in the Charity Sector: A Case Study (2019)
Conference Proceeding
HENRIKSEN-BULMER, J., FAILY, S. and JEARY, S. 2019. Implementing GDPR in the charity sector: a case study. In Kosta, E., Pierson, J., Slamanig, D., Fischer-Hübner, S. and Krenn, S. (eds.) Privacy and identity management: fairness, accountability and transparency in the age of Big Data: revised selected papers from the 13th International Federation for Information Processing Working Groups 9.2, 9.6/11.7, 11.6, Special Interest Group 9.2.2 international summer school (IFIP Summer School 2018), 20-24 August 2018, Vienna, Austria. IFIP advances in information and communication technology, 547. Cham: Springer [online], pages 173-188. Available from: https://doi.org/10.1007/978-3-030-16744-8_12

Due to their organisational characteristics, many charities are poorly prepared for the General Data Protection Regulation (GDPR). We present an exemplar process for implementing GDPR and the DPIA Data Wheel, a DPIA framework devised as part of the c... Read More about Implementing GDPR in the Charity Sector: A Case Study.

Rationalising decision-making about risk: a normative approach. (2018)
Conference Proceeding
M'MANGA, A., FAILY, S., MCALANEY, J. and WILLIAMS, C. 2018. Rationalising decision-making about risk: a normative approach. In Clarke, N.L. and Furnell, S.M. (eds.) Proceedings of the 12th International symposium on human aspects of information security and assurance (HAISA 2018), 29-31 August 2018, Dundee, UK. Plymouth: University of Plymouth, pages 263-271. Hosted on the CSCAN Archive [online]. Available from: https://www.cscan.org/?page=openaccess&eid=20&id=395

Techniques for determining and applying security decisions typically follow risk-based analytical approaches where alternative options are put forward and weighed in accordance to risk severity metrics based on goals and context. The reasoning or val... Read More about Rationalising decision-making about risk: a normative approach..

Tool-supporting data protection impact assessments with CAIRIS. (2018)
Conference Proceeding
COLES, J., FAILY, S. and KI-ARIES, D. 2018. Tool-supporting data protection impact assessments with CAIRIS. In Beckers, K., Faily, S., Lee, S.-W. and Mead, N. (eds.) Proceedings of the 5th International workshop on evolving security and privacy requirements engineering (ESPRE 2018), 20 August 2018, Banff, Canada. Los Alamitos: IEEE Computer Society [online], pages 21-27. Available from: https://doi.org/10.1109/ESPRE.2018.00010

The General Data Protection Regulation (GDPR) encourages the use of Data Protection Impact Assessments (DPIAs) to integrate privacy into organisations' activities and practices from early design onwards. To date, however, there has been little prescr... Read More about Tool-supporting data protection impact assessments with CAIRIS..

Assessing system of systems security risk and requirements with OASoSIS. (2018)
Conference Proceeding
KI-ARIES, D., FAILY, S., DOGAN, H. and WILLIAMS, C. 2018. Assessing system of systems security risk and requirements with OASoSIS. In Beckers, K., Faily, S., Lee, S.-W. and Mead, N. (eds.) Proceedings of the 5th International workshop on evolving security and privacy requirements engineering (ESPRE 2018), 20 August 2018, Banff, Canada. Los Alamitos: IEEE Computer Society [online], pages 14-20. Available from: https://doi.org/10.1109/ESPRE.2018.00009

When independent systems come together as a System of Systems (SoS) to achieve a new purpose, dealing with requirements conflicts across systems becomes a challenge. Moreover, assessing and modelling security risk for independent systems and the SoS... Read More about Assessing system of systems security risk and requirements with OASoSIS..

Redesigning an undergraduate software engineering course for a large cohort. (2018)
Conference Proceeding
IACOB, C. and FAILY, S. 2018. Redesigning an undergraduate software engineering course for a large cohort. In Proceedings of the 40th ACM/IEEE international conference on software engineering: software engineering education and training (ICSE-SEET 2018), 27 May - 3 June 2018, Gothenburg, Sweden. New York: ACM [online], pages 163-171. Available from: https://doi.org/10.1145/3183377.3183381

Teaching Software Engineering on an undergraduate programme is challenging, particularly when dealing with large numbers of students. On one hand, a strong understanding of software and good programming skills are prerequisites. On the other hand, th... Read More about Redesigning an undergraduate software engineering course for a large cohort..

System of systems characterisation assisting security risk assessment. (2018)
Conference Proceeding
KI-ARIES, D., FAILY, S., DOGAN, H. and WILLIAMS, C. 2018. System of systems characterisation assisting security risk assessment. In Proceedings of the 13th IEEE system of systems engineering conference (SoSE 2018), 19-22 June 2018, Paris, France. Piscataway: IEEE [online], pages 485-492. Available from: https://doi.org/10.1109/SYSOSE.2018.8428765

System of Systems (SoS) is a term often used to describe the coming together of independent systems, collaborating to achieve a new or higher purpose. However, clarity is needed when using this term given that operational areas may be unfamiliar with... Read More about System of systems characterisation assisting security risk assessment..

Qualitative adaptation: informing design for risk-based decision-making. (2018)
Conference Proceeding
M'MANGA, A., FAILY, S., MCALANEY, J., WILLIAMS, C., KADOBAYASHI, Y. and MIYAMOTO, D. 2018. Qualitative adaptation: informing design for risk-based decision-making. In Proceedings of the 2nd Workshop on the challenges and opportunities for qualitative data research methods in HCI, co-located with the 32nd International BCS human computer interaction conference (HCI 2018), 3 July 2018, Belfast, UK. Swindon: BCS [online], article number 216. Available from: https://doi.org/10.14236/ewic/HCI2018.216

Research on decision-making during risk and uncertainty facilitates risk-based decision-making, by understanding techniques that decision-makers use to arrive at informed decisions. Approaches to the research usually involve a mix of cognitive techni... Read More about Qualitative adaptation: informing design for risk-based decision-making..

Eliciting persona characteristics for risk-based decision making. (2018)
Conference Proceeding
M'MANGA, A., FAILY, S., MCALANEY, WILLIAMS, C., KADOBAYASHI, Y. and MIYAMOTO, D. 2018. Eliciting persona characteristics for risk-based decision making. In Proceedings of the 32nd International BCS human computer interaction conference (HCI 2018), 4-6 July 2018, Belfast, UK. Swindon: BCS [online], article number 158. Available from: https://doi.org/10.14236/ewic/HCI2018.158

Personas are behavioural specifications of archetypical users in Human Factors Engineering and User Interaction research, aimed at preventing biased views system designers may have of users. Personas are therefore nuanced representations of goals and... Read More about Eliciting persona characteristics for risk-based decision making..

Using extreme characters to teach requirements engineering. (2017)
Conference Proceeding
IACOB, C. and FAILY, S. 2017. Using extreme characters to teach requirements engineering. In Washizaki, H. and Mead, N. (eds.) Proceedings of the 30th IEEE conference on software engineering education and training (CSEET 2017), 7-9 November 2017, Savannah, USA. Los Alamitos: IEEE Computer Society [online], pages 107-111. Available from: https://doi.org/10.1109/CSEET.2017.25

One of the main challenges in teaching Software Engineering as an undergraduate course is making the need for software processes and documentation obvious. Armed with some knowledge of programming, students may feel inclined to skip any development p... Read More about Using extreme characters to teach requirements engineering..

From requirements to operation: components for risk assessment in a pervasive system of systems. (2017)
Conference Proceeding
KI-ARIES, D., DOGAN, H., FAILY, S., WHITTINGTON, P. and WILLIAMS, C. 2017. From requirements to operation: components for risk assessment in a pervasive system of systems. In Proceedings of the 4th Workshop on evolving security and privacy requirements engineering (ESPRE 2017), part of the 25th IEEE international requirements engineering conference workshops (REW 2017), 4-8 September 2017, Lisbon, Portugal. Los Alamitos: IEEE Computer Society [online], pages 83-89. Available from: https://doi.org/10.1109/REW.2017.36

Framing Internet of Things (IoT) applications as a System of Systems (SoS) can help us make sense of complexity associated with interoperability and emergence. However, assessing the risk of SoSs is a challenge due to the independence of component sy... Read More about From requirements to operation: components for risk assessment in a pervasive system of systems..

Design as code: facilitating collaboration between usability and security engineers using CAIRIS. (2017)
Conference Proceeding
FAILY, S. and IACOB, C. 2017. Design as code: facilitating collaboration between usability and security engineers using CAIRIS. In Proceedings of the 4th Workshop on evolving security and privacy requirements engineering (ESPRE 2017), part of the 25th IEEE international requirements engineering conference workshops (REW 2017), 4-8 September 2017, Lisbon, Portugal. Los Alamitos: IEEE Computer Society [online], pages 76-82. Available from: https://doi.org/10.1109/REW.2017.23

Designing usable and secure software is hard without tool-support. Given the importance of requirements, CAIRIS was designed to illustrate the form tool-support for specifying usable and secure systems might take. While CAIRIS supports a broad range... Read More about Design as code: facilitating collaboration between usability and security engineers using CAIRIS..

Applying contextual integrity to open data publishing. (2017)
Conference Proceeding
HENRIKSEN-BULMER, J. and FAILY, S. 2017. Applying contextual integrity to open data publishing. In Hall, L., Flint, T., O'Hara, S. and Turner, P. (eds.) Proceedings of the 31st International BCS human computer interaction conference (HCI 2017), 3-6 July 2017, Sunderland, UK. Swindon: BCS, paper number 95. Hosted on ScienceOpen [online]. Available from: https://doi.org/10.14236/ewic/HCI2017.95

Open data publishing by both corporate and public bodies has increased significantly in recent years and this type of data could soon be developing into a real commodity. However, not all organisations pay sufficient heed to privacy as part of the de... Read More about Applying contextual integrity to open data publishing..

System design considerations for risk perception. (2017)
Conference Proceeding
M'MANGA, A., FAILY, S., MCALANEY, J. and WILLIAMS, C. 2017. System design considerations for risk perception. In Assar, S., Pastor, O. and Mouratidis, H. (eds.) Proceedings of the 11th IEEE international conference on research challeneges in information science (RCIS 2017), 10-12 May 2017, Brighton, UK. Piscataway: IEEE [online], pages 322-327. Available from: https://doi.org/10.1109/RCIS.2017.7956554

The perception of risk is a driver for security analysts' decision making. However, security analysts may have conflicting views of a risk based on personal, system and environmental factors. This difference in perception and opinion, may impact effe... Read More about System design considerations for risk perception..