Bringing security home: a process for developing secure and usable systems

Authors:
Ivan Flechais;M. Angela Sasse;Stephen M. V. Hailes
Affiliations:
University College London, London, UK;University College London, London, UK;University College London, London, UK
Venue:
Proceedings of the 2003 workshop on New security paradigms
Year:
2003

Citing 11
Cited 18

A Spiral Model of Software Development and Enhancement

Computer
Contextual design: defining customer-centered systems

Contextual design: defining customer-centered systems
Security engineering in an evolutionary acquisition environment

Proceedings of the 1998 workshop on New security paradigms
Users are not the enemy

Communications of the ACM
Safe and sound: a safety-critical approach to security

Proceedings of the 2001 workshop on New security paradigms
Information security is information risk management

Proceedings of the 2001 workshop on New security paradigms
Pretty good persuasion: a first step towards effective password security in the real world

Proceedings of the 2001 workshop on New security paradigms
The Art of Deception: Controlling the Human Element of Security

The Art of Deception: Controlling the Human Element of Security
Transforming the 'Weakest Link' — a Human/Computer Interaction Approach to Usable and Effective Security

BT Technology Journal
Using Abuse Case Models for Security Requirements Analysis

ACSAC '99 Proceedings of the 15th Annual Computer Security Applications Conference
Why Johnny can't encrypt: a usability evaluation of PGP 5.0

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8

The trouble with login: on usability and computer security in ubiquitous computing

Personal and Ubiquitous Computing
Is usable security an oxymoron?

interactions - A contradiction in terms?
Extending XP practices to support security requirements engineering

Proceedings of the 2006 international workshop on Software engineering for secure systems
Aligning usability and security: a usability study of Polaris

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Investigation of IS professionals' intention to practise secure development of applications

International Journal of Human-Computer Studies
A risk-driven security analysis method and modelling language

BT Technology Journal
Security software engineering: do it the right way

SEPADS'07 Proceedings of the 6th WSEAS International Conference on Software Engineering, Parallel and Distributed Systems
Integrating security and usability into the requirements and design process

International Journal of Electronic Security and Digital Forensics
Applying an open application security process to a clinical information system: a case study

Proceedings of the 2008 C3S2E conference
Collective information practice: emploring privacy and security as social and cultural phenomena

Human-Computer Interaction
Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science

International Journal of Human-Computer Studies
The compliance budget: managing security behaviour in organisations

Proceedings of the 2008 workshop on New security paradigms
The developer is the enemy

Proceedings of the 2008 workshop on New security paradigms
Reusable security use cases for mobile grid environments

IWSESS '09 Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems
To boldly go where invention isn't secure: applying security entrepreneurship to secure systems design

Proceedings of the 2010 workshop on New security paradigms
Firms' information security investment decisions: Stock market evidence of investors' behavior

Decision Support Systems
Systematic design of secure Mobile Grid systems

Journal of Network and Computer Applications
Integrity quantification model for object oriented design

ACM SIGSOFT Software Engineering Notes

Quantified Score

Hi-index	0.00

Visualization

Abstract

The aim of this paper is to provide better support for the development of secure systems. We argue that current development practice suffers from two key problems:1. Security requirements tend to be kept separate from other system requirements, and not integrated into any overall strategy.2. The impact of security measures on users and the operational cost of these measures on a day-to-day basis are usually not considered.Our new paradigm is the full integration of security and usability concerns into the software development process, thus enabling developers to build secure systems that work in the real world. We present AEGIS, a secure software engineering method which integrates asset identification, risk and threat analysis and context of use, bound together through the use of UML, and report its application to case studies on Grid projects. An additional benefit of the method is that the involvement of stakeholders in the high-level security analysis improves their understanding of security, and increases their motivation to comply with policies.