Article
DOI: 10.1145/986655.986664

Bringing security home: a process for developing secure and usable systems

Published: 13 August 2003

Abstract

The aim of this paper is to provide better support for the development of secure systems. We argue that current development practice suffers from two key problems:

1. Security requirements tend to be kept separate from other system requirements, and not integrated into any overall strategy.
2. The impact of security measures on users and the operational cost of these measures on a day-to-day basis are usually not considered.

Our new paradigm is the full integration of security and usability concerns into the software development process, thus enabling developers to build secure systems that work in the real world. We present AEGIS, a secure software engineering method which integrates asset identification, risk and threat analysis and context of use, bound together through the use of UML, and report its application to case studies on Grid projects. An additional benefit of the method is that the involvement of stakeholders in the high-level security analysis improves their understanding of security, and increases their motivation to comply with policies.


    Published In

    NSPW '03: Proceedings of the 2003 workshop on New security paradigms
    August 2003
    127 pages
    ISBN:1581138806
    DOI:10.1145/986655
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Conference

    NSPW03
    Sponsor:
    NSPW03: New Security Paradigms and Workshop
    August 18 - 21, 2003
    Ascona, Switzerland

    Acceptance Rates

    Overall Acceptance Rate 98 of 265 submissions, 37%

    Article Metrics

    • Downloads (Last 12 months): 36
    • Downloads (Last 6 weeks): 5
    Reflects downloads up to 10 Dec 2024

    Cited By

    • (2023) Evaluation of requirement engineering best practices for secure software development in GSD: An ISM analysis. Journal of Software: Evolution and Process. DOI: 10.1002/smr.2594. Online publication date: 4-Jul-2023
    • (2022) FLDID: Federated Learning Enabled Deep Intrusion Detection in Smart Manufacturing Industries. Sensors 22:22 (8974). DOI: 10.3390/s22228974. Online publication date: 19-Nov-2022
    • (2022) A cyber-risk framework for coordination of the prevention and preservation of behaviours. Journal of Computer Security 30:3 (327-356). DOI: 10.3233/JCS-210047. Online publication date: 1-Jan-2022
    • (2022) Caring About IoT-Security – An Interview Study in the Healthcare Sector. Proceedings of the 2022 European Symposium on Usable Security (202-215). DOI: 10.1145/3549015.3554209. Online publication date: 29-Sep-2022
    • (2022) Human-centred cyber secure software engineering / Cybersicherheit durch menschzentrierte Softwareentwicklung. Zeitschrift für Arbeitswissenschaft 77:1 (45-55). DOI: 10.1007/s41449-022-00346-2. Online publication date: 23-Dec-2022
    • (2022) Synthesizing secure software development activities for linear and agile lifecycle models. Software: Practice and Experience 52:6 (1426-1453). DOI: 10.1002/spe.3072. Online publication date: 30-Jan-2022
    • (2021) “I Never Thought About Securing My Machine Learning Systems”: A Study of Security and Privacy Awareness of Machine Learning Practitioners. Proceedings of Mensch und Computer 2021 (520-546). DOI: 10.1145/3473856.3473869. Online publication date: 5-Sep-2021
    • (2021) Systematic Mapping Study on Security Approaches in Secure Software Engineering. IEEE Access 9 (19139-19160). DOI: 10.1109/ACCESS.2021.3052311. Online publication date: 2021
    • (2020) Innovation inaction or in action? the role of user experience in the security and privacy design of smart home cameras. Proceedings of the Sixteenth USENIX Conference on Usable Privacy and Security (185-204). DOI: 10.5555/3488905.3488916. Online publication date: 10-Aug-2020
    • (2020) Putting the Sec in DevSecOps: Using Social Practice Theory to Improve Secure Software Development. Proceedings of the New Security Paradigms Workshop 2020 (34-44). DOI: 10.1145/3442167.3442178. Online publication date: 26-Oct-2020
