Current students

COMPM061 - People and Security

This database contains 2016-17 versions of the syllabuses. For current versions please see here.

Code COMPM061 (Also taught as: COMPGA10)
Year 4
Prerequisites None
Term 1
Taught By Angela Sasse (100%)
Aims Sudents will be able to specify usability criteria that a security mechanism has to meet to be workable for end-user groups and work contexts; - know the strengths and weaknesses of particular security mechanisms in practice, and hence be able to chose and configure mechanisms for best performance in a given organisational context; and - be able to specify accompanying measures (policies, training, monitoring and ensuring compliance) that a user organisation needs to implement to ensure long-term security in practice.
Learning Outcomes Students will be able to apply their knowledge of human factors to computer security


Introduction: The Human Factor in Security
Systemic approach to security design
Users, tasks and context
Why only usable security is effective security?
Basic concepts from security and risk analysis

Authentication mechanisms and their usability issues

Knowledge-based authentication
Graphical Passwords
Challenge-Response systems
Improving KBA: personal entropy
Credential recovery
Token-based authentication
Securid tokens
Biometric authentication
Physical Biometrics: Finger, Iris, Face
Behavioural Biometrics: Voice, digital signature, gait, typing
User perception and acceptance of biometrics

Security tasks and business processes

Security as a supporting task
Deriving performance requirements from production tasks
Security mechanisms and context of use
Risk analysis and risk management
The AEGIS method

User education and training

Identifying user perceptions
Designing security training
Changing user perceptions and behaviour
Motivational approaches
Security tests
User interfaces to security tools
Social engineering

Organisational issues

Security culture
Responsibility and communication
Designing security policies
Monitoring and compliance
Insider threats

Enterprise security
Customer requirements for security
Data protection
Attacks and Attackers

Surveillance and monitoring
Automated Detection

Method of Instruction:

Lecture presentations and classroom-based coursework


The course has the following assessment components:

  • Written Examination (2.5 hours, 90%)
  • Coursework (10%)

To pass this course, students must:

  •  Achieve a mark of 50% or above when all sections are combined.
  •  Obtain a minimum mark of 40% in each component worth ≥ 30% of the module  as a whole.


    Lorrie Faith Cranor and Simson Garfinkel, 'Security and Usability: Designing Secure Systems that People Can Use', 2005.

    Bruce Schneier, 'Beyond Fear - Thinking Sensibly About Security in an Uncertain World', 2005.