Title: Integrating security and usability into the requirements and design process

Authors: Ivan Flechais, Cecilia Mascolo, M. Angela Sasse

Addresses: Oxford University Computing Laboratory, Wolfson Building, Oxford OX1 3QD, UK. ' Department of Computer Science, University College London, London WC1E 6BT, UK. ' Department of Computer Science, University College London, London WC1E 6BT, UK

Abstract: According to Ross Anderson, |Many systems fail because their designers protect the wrong things or protect the right things in the wrong way|. Surveys also show that security incidents in industry are rising, which highlights the difficulty of designing good security. Some recent approaches have targeted security from the technological perspective, others from the human–computer interaction angle, offering better User Interfaces (UIs) for improved usability of security mechanisms. However, usability issues also extend beyond the user interface and should be considered during system requirements and design. In this paper, we describe Appropriate and Effective Guidance for Information Security (AEGIS), a methodology for the development of secure and usable systems. AEGIS defines a development process and a UML meta-model of the definition and the reasoning over the system|s assets. AEGIS has been applied to case studies in the area of Grid computing and we report on one of these.

Keywords: electronic security; usability; security requirements; security design; security modelling; system design; information security; UML metamodelling; grid computing; secure software system; semantics; e-security.

DOI: 10.1504/IJESDF.2007.013589

International Journal of Electronic Security and Digital Forensics, 2007 Vol.1 No.1, pp.12 - 26

Published online: 09 May 2007 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article