People and Security

People are frequently called the "weakest link in the security chain". Many examples of security incidents involve legitimate users, administrators and developers being unable to comply with, or otherwise duped into breaking the security policy. This course will explore security from a socio-technical and human-computer interaction perspective. The aim is to better understand people and their contexts, in order to develop systems which are more secure in practice.

Frequency

This course normally runs twice a year.

Course dates

Objectives

The successful participant will:

• be able to specify usability criteria that a security mechanism has to meet to be workable for end-user groups and work contexts;
• be able to specify accompanying measures (policies, training, monitoring and ensuring compliance) that an organisation needs to implement to ensure long-term security in practice;
• understand the impact of security measures on different kinds of users and contexts;
• understand the role of risk perception, incentives, and regulation in security-related decision-making;
• be able to develop appropriate strategies against attacks on information systems which exploit human error.

Contents

Usability and HCI

HCI principles; Systems, people, tasks and context; usability evaluation

Authentication and Identity

Types of authentication and trade-offs; Identity and attribute-based credentials

Security in context

Personas; Equity and justice; Developers as users

Economics and Politics of Security

Decision-making, risks and costs; Compliance budget; Regulation

Attacks and Nudges

Phishing; Scams; Dark patterns; Warnings; Advice

Requirements

Participants should have a basic understanding of computer security to the level provided by the Security Principles course.