The materials for this module were created with the support of the Intel Faculty Award.

Website of GA10: People and Security

This is the website for the UCL module on People and Security. Information for students is available via UCL Moodle. The curriculum for this module was supported by the Intel Faculty Award.

Syllabus

After completing GA10: People and Security students will be able to specify usability criteria that a security mechanism has to meet to be workable for end-user groups and work contexts. They will also know the strengths and weaknesses of particular security mechanisms in practice, and hence be able to choose and configure mechanisms for best performance in a given organisational context. Finally, students will be able to specify accompanying measures (policies, training, monitoring and ensuring compliance) that a user organisation needs to implement to ensure long-term security in practice.

Introduction & Basic Concepts (slides)
  What causes security problems?
  What's the price?
  Security as a socio-technical system
  Security is secondary to business
  Human errors and their sources
  Violations

Risk (slides)
  Risk analysis
  Security measures
  Risk of countermeasures
  Risk and uncertainty
  People and risk
  Impact on security

Economics of Security (slides)
  Cost/benefit analysis
  Preference and indifference
  Security trade-offs
  Compliance budget
  Technical security vs effective security
  Productive security
  Security management

Attacks and Attackers (slides)
  Types of attacks
  Opportunists
  Insider attacks
  Social engineering
  Personalised attacks
  Conjunction of criminal opportunity
  Attack scripts and script clashes

Authentication Part 1: Passwords and PINs (slides)
  Knowledge-based authentication
  Attacks on passwords and PINs
  Security vs usability
  Why do passwords cause problems?
  Passwords vs PINs
  Sharing PINs and passwords
  Improvement approaches and strategies
  Two-factor authentication

Authentication Part 2: Graphical Authentication (slides)
  Types of graphical authentication
  User biases
  Security and usability of graphical passwords
  CAPTCHAs

Authentication Part 3: Biometrics (slides)
  Physical vs behavioural biometrics
  Error rates
  Performance
  Usability issues
  Attacks on biometrics

Authentication Part 4: Issues and Implications (slides)
  Authentication fatigue
  Coping strategies
  Distinguishing between identification, authentication and authorisation

Access Control (slides)
  Access control and authorisation
  Beyond restricting access
  Stakeholders
  Access control lists
  Models of access control
  Usability-security trade-off
  Why and how users bypass access control
  Access control and abstraction
  Solutions for increasing access control usability

Trust (slides)
  What is trust?
  Trust in technology-mediated interactions
  Symbols and symptoms
  Trust and security

Privacy (slides)
  What is privacy?
  Privacy perceptions and invasions
  Inadvertent disclosure
  Designing for privacy
  Over-disclosure
  Data protection legislation
  Privacy impact assessments
  Big data and data mining
  CCTV and surveillance

Identity (slides)
  What is identity?
  History of identity
  Human-centred identity
  Anonymisation
  Federated identity

Interactive Tools

For a richer experience as part of the module, interactive learning materials have been developed. Note that these are experimental research prototypes and are therefore limited in functionality.

CCO Toolkit preview

The CCO Toolkit is a gamified web wizard based on a holistic prevention framework from Crime Science. CCO stands for Conjunction of Criminal Opportunity and models the combination of circumstances that lead to attacks. The toolkit takes users through an analytic exercise of identifying the causes of security incidents, possible interventions, and the influences each intervention has. It is designed for end-users, with or without security expertise.

SPRKS preview

The Security Policy Risk and Cost Simulator (SPRKS) is an open source project hosting a number of different experiments on awareness development. The intention of these experiments is to demonstrate the potential consequences of compliance and non-compliance with security policies. The behaviour is modelled after the Compliance Budget framework. Target users are novice security officers.

This page was last modified on 04 November, 2014