“They’re requirements, Jim, but not as we know them” –
managing usability and security requirements during the development process
Angela Sasse, University College London
The need for more usable security solutions was established by two papers published in 1999: Whitten & Tygar’s “Why Johnny Can’t Encrypt” and Adams & Sasse’s “Users Are Not The Enemy”. But 15 years on, there are still few examples of software that is both secure and usable, and many examples of software with security that users either ignore or bypass. Based on an as-yet-unpublished study, I will argue that the cause of the problem is a failure to elicit and specify security and usability attributes in sufficient detail at the requirements stage, and discuss what changes to processes and tools should be made to overcome this.
M. Angela Sasse is the Professor of Human-Centred Technology and Head of Information Security Research in the Department of Computer Science at University College London (UCL), UK. Over the past 15 years, her team has conducted pioneering research to understand how humans understand security, privacy, identity and trust. She has 200 peer-reviewed publications, and is currently the Director of the UK Research Institute in Science of Cyber Security (RISCS).