Code

COMPM061 (Also taught as: COMPGA10)

Year

4

Prerequisites

None

Term

1

Taught By

Shamal Faily (100%)

Aims

Sudents will be able to specify usability criteria that a security mechanism has to meet to be workable for end-user groups and work contexts; - know the strengths and weaknesses of particular security mechanisms in practice, and hence be able to chose and configure mechanisms for best performance in a given organisational context; and - be able to specify accompanying measures (policies, training, monitoring and ensuring compliance) that a user organisation needs to implement to ensure long-term security in practice.

Learning Outcomes

Students will be able to apply their knowledge of human factors to computer security

Introduction: The Human Factor in Security

Systemic approach to security design
Users, tasks and context
Why only usable security is effective security?
Basic concepts from security and risk analysis

Authentication mechanisms and their usability issues

Knowledge-based authentication
Passwords
PINs
Passphrases
Graphical Passwords
Challenge-Response systems
Improving KBA: personal entropy
Credential recovery
Token-based authentication
Securid tokens
Smartcards
Biometric authentication
Physical Biometrics: Finger, Iris, Face
Behavioural Biometrics: Voice, digital signature, gait, typing
Enrolment
Verification
User perception and acceptance of biometrics

Security tasks and business processes

Security as a supporting task
Deriving performance requirements from production tasks
Security mechanisms and context of use
Risk analysis and risk management
The AEGIS method

User education and training

Identifying user perceptions
Designing security training
Changing user perceptions and behaviour
Motivational approaches
Security tests
User interfaces to security tools
Social engineering

Organisational issues

Security culture
Responsibility and communication
Designing security policies
Monitoring and compliance
Insider threats
Trust

Enterprise security

Customer requirements for security
Data protection
Privacy

Attacks and Attackers

Surveillance and monitoring

CCTV
RFID
Automated Detection

Lecture presentations and classroom-based coursework

The course has the following assessment components:

• Written Examination (2.5 hours, 90%)
• Coursework (10%)

To pass this course, students must:

The examination rubric is:
Answer any THREE questions out of FIVE.

Lorrie Faith Cranor and Simson Garfinkel, 'Security and Usability: Designing Secure Systems that People Can Use', 2005.

Bruce Schneier, 'Beyond Fear - Thinking Sensibly About Security in an Uncertain World', 2005.

Lecture notes