COMPGA10 - People and Security

This database contains 2016-17 versions of the syllabuses. For current versions please see here.

Code COMPGA10 (Also taught as: COMPM061)
Year MSc
Prerequisites Knowledge of basic information security principles, and essay-writing skills. Students who are not enrolled in Infosec need to attain permission from the module tutor (AS) to enrol; this requires an interview in person.
Term 1
Taught By Angela Sasse (100%)
Aims Students will be able to specify usability criteria that a security mechanism has to meet to be workable for end-user groups and work contexts; - know the strengths and weaknesses of particular security mechanisms in practice, and hence be able to choose and configure mechanisms for best performance in a given organisational context; and - be able to specify accompanying measures (policies, training, monitoring and ensuring compliance) that a user organisation needs to implement to ensure long-term security in practice.
Learning Outcomes Students will be able to apply their knowledge of human factors to computer security


Introduction The Human Factor in Security:
Systems thinking and design
Usability: Users, tasks and context
Performance and Workload
Productivity and performance vs risk and security

Authentication tasks: enrolment, verification, recovery
Knowledge-based authentication: Passwords, -phrases, PINs, graphical Authentication
Token-based authentication
Biometric authentication: physical and behavioural
Continuous authentication via devices, sensors, and biometrics
Payment systems and transaction authentication

Access control
Different access control models, organisational impact and user workload



Attacks and attackers (and how to counter them)
Types of attacks (Guessing, observation, capture and coercion)
Types of attackers: motivation, resources risk propensity
Social engineering attacks
Insider attacks

Online identity vs identity in the physical world
National identity vs socially constructed systems
Digital footprints, shadows and superidentities
Identity as currency

Data protection and user perception
Delivering privacy: Privacy by Design, the PST model
Surveillance, dataveillance and sousveillance online and in the physical world (CCTV)

Model of trust in online interaction
Game theory: incentivising trustworthy behaviour
Reputation systems and their application in online systems

Influencing user behaviour
Security awareness, education and training
User interface design and influencing techniques
Values, attitudes, security culture and security behaviour
Responsibility and communication

Method of Instruction:

Lecture presentations and classroom-based coursework (weekly sessions)


The module has the following assessments:

  • Written Examination (2.5 hours) (75%)
  • Coursework (25%): Individual take-home coursework 

To pass this module, students must: 

  • Obtain a mark of at least 50% for the module overall.




Lorrie Faith Cranor and Simson Garfinkel, 'Security and Usability: Designing Secure Systems that People Can Use', 2005.
Bruce Schneier, 'Beyond Fear - Thinking Sensibly About Security in an Uncertain World', 2005.