Title: A framework for usable and secure system design
Author: Faily, Shamal
ISNI:       0000 0004 2714 3853
Awarding Body: University of Oxford
Current Institution: University of Oxford
Date of Award: 2011
Availability of Full Text: Full text unavailable from EThOS.
Despite existing work on dealing with security and usability concerns during the early stages of design, there has been little work on synthesising the contributions of these fields into processes for specifying and designing systems. Without a better understanding of how to deal with both concerns at an early stage, the design process risks disenfranchising stakeholders, and resulting systems may not be situated in their contexts of use. The research problem this thesis addresses is how techniques and tools can be integrated and improved to support the design of usable and secure systems. To develop this understanding, we present IRIS (Integrating Requirements and Information Security) --- a framework for specifying usable and secure systems. IRIS considers the system design process from three different perspectives --- Usability, Security, and Requirements --- and guides the selection of techniques towards integrative Security, Usability, and Requirements Engineering processes. This thesis claims that IRIS is an exemplar for integrating existing techniques and tools towards the design of usable and secure systems. In particular, IRIS makes three significant contributions towards the stated research problem. First, a conceptual model for usable secure Requirements Engineering is presented, upon which the IRIS framework is founded; this meta-model informs changes to elicitation and specification techniques for improved interoperability in the design process. Second, several characteristics of tool-support needed to elicit and specify usable and secure systems are introduced; the CAIRIS (Computer Aided Integration of Requirements and Information Security) software tool is presented to illustrate how these characteristics can be embodied. Third, we describe how the results of applying IRIS can be used to improve the design of existing User-Centered Design techniques for secure systems design.
We validate the thesis by applying the IRIS framework to three case studies. In the first, IRIS is used to specify requirements for a software repository used by a UK water company. In the second, IRIS is used to specify security requirements for a meta-data repository supporting the sharing of medical research data. In the final case study, IRIS is used to analyse a proposed security policy at a UK water company, and identify missing policy requirements. In each case study, IRIS is applied within the context of an Action Research intervention, where findings and lessons from one case study are fed into the action plan of the next.
Supervisor: Flechais, Ivan
Sponsor: Engineering and Physical Sciences Research Council
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:
DOI: Not available
Keywords: Computing ; Software engineering ; Requirements Engineering ; Information Security