Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science

Authors:
Ivan Flechais;M. Angela Sasse
Affiliations:
Computing Laboratory, Oxford University, Wolfson Building, Oxford OX1 3QD, UK;Department of Computer Science, University College London, London WC1E 6BT, UK
Venue:
International Journal of Human-Computer Studies
Year:
2009

Citing 18
Cited 3

The effect of user involvement on system success: a contingency approach

MIS Quarterly
Rethinking the concept of user involvement

MIS Quarterly
A practical solution to the complex human issues of information security design

Information systems security
Contextual design: defining customer-centered systems

Contextual design: defining customer-centered systems
User-centered security

NSPW '96 Proceedings of the 1996 workshop on New security paradigms
Coping with systems risk: security planning models for management decision making

MIS Quarterly
Users are not the enemy

Communications of the ACM
A case study of user participation in the information systems development process

ICIS '97 Proceedings of the eighteenth international conference on Information systems
Investigating information systems with action research

Communications of the AIS
User Interaction Design for Secure Systems

ICICS '02 Proceedings of the 4th International Conference on Information and Communications Security
A New Paradigm for Adding Security Into IS Development Methods

Proceedings of the IFIP TC11 WG11.1/WG11.2 Eigth Annual Working Conference on Advances in Information Security Management & Small Systems Security
Using Abuse Case Models for Security Requirements Analysis

ACSAC '99 Proceedings of the 15th Annual Computer Security Applications Conference
Managing information systems security: a soft approach

ISCNZ '96 Proceedings of the 1996 Information Systems Conference of New Zealand (ISCNZ '96)
Bringing security home: a process for developing secure and usable systems

Proceedings of the 2003 workshop on New security paradigms
The impact of participation in information system design: a comparison of contextual placements

PDC 04 Proceedings of the eighth conference on Participatory design: Artful integration: interweaving media, materials and practices - Volume 1
Small world, water coolers, and the challenge of remote collaboration

interactions
Why Johnny can't encrypt: a usability evaluation of PGP 5.0

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Integrating security and usability into the requirements and design process

International Journal of Electronic Security and Digital Forensics

Human, organizational, and technological factors of IT security

CHI '08 Extended Abstracts on Human Factors in Computing Systems
Editorial: Usability and e-science

International Journal of Human-Computer Studies
Security practitioners in context: Their activities and interactions with other stakeholders within organizations

International Journal of Human-Computer Studies

Quantified Score

Hi-index	0.00

Visualization

Abstract

e-Science projects face a difficult challenge in providing access to valuable computational resources, data and software to large communities of distributed users. On the one hand, the raison d'etre of the projects is to encourage members of their research communities to use the resources provided. On the other hand, the threats to these resources from online attacks require robust and effective security to mitigate the risks faced. This raises two issues: ensuring that (1) the security mechanisms put in place are usable by the different users of the system, and (2) the security of the overall system satisfies the security needs of all its different stakeholders. A failure to address either of these issues can seriously jeopardise the success of e-Science projects. The aim of this paper is to firstly provide a detailed understanding of how these challenges can present themselves in practice in the development of e-Science applications. Secondly, this paper examines the steps that projects can undertake to ensure that security requirements are correctly identified, and security measures are usable by the intended research community. The research presented in this paper is based on four case studies of e-Science projects. Security design traditionally uses expert analysis of risks to the technology and deploys appropriate countermeasures to deal with them. However, these case studies highlight the importance of involving all stakeholders in the process of identifying security needs and designing secure and usable systems. For each case study, transcripts of the security analysis and design sessions were analysed to gain insight into the issues and factors that surround the design of usable security. The analysis concludes with a model explaining the relationships between the most important factors identified. This includes a detailed examination of the roles of responsibility, motivation and communication of stakeholders in the ongoing process of designing usable secure socio-technical systems such as e-Science.