4. HCI can help
[Figure: a cloud of HCI methods: Ethnomethodology, Contextual Design, Interaction Programming, Activity Theory, User Centered Design, Grounded Design, Task Analysis, Participative Design, Usage Centered Design, Value-Centered HCI. Caption: "Horses for courses?"]
5. HCI can help
[Figure: the same cloud of HCI methods, overlaid with the question "What about the requirements?"]
6. HCI can help
[Figure: the same cloud of HCI methods, overlaid with the questions "What about the requirements?" and "What about security?"]
7. It’s just an engineering problem?
“there are many tensions that engineers have still not begun to explore. For example, ease of use is a priority in control systems design, and security usability is known to be hard. Will we see conflicts between security and safety usability? As a typical plant operator earns less than $40,000, the ‘Homer Simpson’ problem is a real one. How do we design security that Homer can use safely?”
Anderson, R., Fuloria, S. Security Economics and Critical National Infrastructure. In Eighth Workshop on the Economics of Information Security (WEIS 2009), 2009.
15. Current problems
Reasons for lack of industrial uptake!
• Values and Context
• Goals
[Overlaid question: "What about the requirements?"]
16. Current problems
Reasons for lack of industrial uptake!
• Values and Context
• Goals
[Overlaid questions: "What about the requirements?" and "What about security?"]
17. Some Good News
• Environments and Contexts of Use
[Figure: a context-of-use model relating Environment, User, Task, Affordance and Object]
18. Some Good News
[Figure: a requirements engineering process model with the activities Elicit, Analyse, Specify, Validate & Scope, and Manage, laid over Empirical / Conceptual data, Problem Domain, Problem Concerns, System Data and System Evolution]
19. Some Good News
[Figure: the same process model, overlaid with the question "What about the requirements?"]
20. What is IRIS?
A framework for specifying software systems that are secure for their contexts of use.
[Figure: the IRIS meta-model, captioned "A Meta-Model for Usable Secure Requirements Engineering". Its classes are Context of Use, Goal, Task, Persona, Misuse Case, Threat, Motive, Response (Accept, Transfer, Mitigate), Asset, Attacker, Capability, Risk, Environment, Scenario, Vulnerability, Requirement, Countermeasure, Obstacle, Usability Attribute and Security Attribute; the association cardinalities are not recoverable from the extracted text.]
21. What is IRIS?
A framework for specifying software systems that are secure for their contexts of use.
[Figure: the same meta-model annotated with the surrounding design process and tool-support. Recoverable labels: Empirical Data, Participant data, Establish Scope, Investigate Contexts, CAIRIS, Database, Workshops, unresolved contexts, Requirements Specification (example: NeuroGrid data upload/data download), Models, Requirements, Documentation, Design Method, Tool-support; the remaining diagram text was not recoverable.]
23. Requirements Engineering
[Figure: a diagram relating Requirements Engineering, HCI and Information Security. Labels: GORE (KAOS), Scenarios, Misuse-Cases, Personas, Risk Analysis, Environments, Tasks, Responsibility Modelling, Concepts, Meta-Models, User-Centered Design, Relevant Security Requirements.]
24. Example: Modifying PLC Software
• Programmable Logic Controllers (PLC) control clean and waste water processes.
• Modifications may be made under duress.
• Accidental or deliberate errors can be catastrophic.
31. Workshop Walkthrough
• Persona Validation
Alan
• “There’s a lot of ignorance out there”
• Conscious of vulnerabilities arising from complex tools.
• Hopes the repository will encourage a standardised approach to software changes and backups.
Wednesday, 16 December 2009
32. Workshop Walkthrough
• Persona Validation
• Asset Modelling
37. Observations
• A natural process to participants.
• Modelling environments increases participant sensitivity to them.
• Risk Analysis is more about the destination than the journey.
• We can’t replace creativity, but we can help innovation.
38. Thank you for listening!
• Any questions?
Acknowledgements
This research was funded by the EPSRC CASE Studentship R07437/CN001.
We are also grateful to Qinetiq Ltd for their sponsorship of this work.