A practical approach to security assessment
NSPW '97 Proceedings of the 1997 workshop on New security paradigms
Writing Information Security Policies
Writing Information Security Policies
Merging Security Policies: Analysis of a Practical Example
CSFW '98 Proceedings of the 11th IEEE workshop on Computer Security Foundations
Analyzing consistency of security policies
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
The Ontological Interpretation of Informational Privacy
Ethics and Information Technology
Ethical regulations on robotics in Europe
AI & Society
An extensible analysable system model
Information Security Tech. Report
Multi-step attack modelling and simulation (MsAMS) framework based on mobile ambients
Proceedings of the 2009 ACM symposium on Applied Computing
The compliance budget: managing security behaviour in organisations
Proceedings of the 2008 workshop on New security paradigms
Proceedings of the 2010 workshop on New security paradigms
IEEE Transactions on Knowledge and Data Engineering
Portunes: representing attack scenarios spanning through the physical, digital and social domain
ARSPA-WITS'10 Proceedings of the 2010 joint conference on Automated reasoning for security protocol analysis and issues in the theory of security
The (Social) Construction of Information Security
The Information Society
Modelling trade and trust across cultures
iTrust'06 Proceedings of the 4th international conference on Trust Management
ICISC'05 Proceedings of the 8th international conference on Information Security and Cryptology
Proceedings of the 2012 workshop on New security paradigms
| Hi-index | 0.00 |
Security weaknesses often stem from users trying to comply with social expectations rather than following security procedures. Such normative conflicts between security policies and social norms are therefore undesirable from a security perspective. It has been argued that system developers have a "meta-task responsibility", meaning that they have a moral obligation to enable the users of the system they design to cope adequately with their responsibilities. Depending on the situation, this could mean forcing the user to make an "ethical" choice, by "designing out" conflicts. In this paper, we ask the question to what extent it is possible to detect such potential normative conflicts in the design phase of security-sensitive systems, using qualitative research in combination with so-called system models. We then envision how security design might proactively reduce conflict by (a) designing out conflict where possible in the development of policies and systems, and (b) responding to residual and emergent conflict through organisational processes. The approach proposed in this paper is a so-called subcultural approach, where security policies are designed to be culturally sympathetic. Where normative conflicts either cannot be avoided or emerge later, the organisational processes are used to engage with subcultures to encourage communally-mediated control.