COMPGA10 - People and Security

This database contains 2017-18 versions of the syllabuses. For current versions please see here.

Code COMPGA10 (Also taught as COMPM061)
Year MSc
Prerequisites Knowledge of basic information security principles, and essay-writing skills. Students who are not enrolled in Infosec need to attain permission from the module tutor (AS) to enrol; this requires an interview in person.
Term 1
Taught By

Simon Parkin (100%)
Angela Sasse [Module lead]

Aims Students will be able to specify usability criteria that a security mechanism has to meet to be workable for end-user groups and work contexts; - know the strengths and weaknesses of particular security mechanisms in practice, and hence be able to choose and configure mechanisms for best performance in a given organisational context; and - be able to specify accompanying measures (policies, training, monitoring and ensuring compliance) that a user organisation needs to implement to ensure long-term security in practice.
Learning Outcomes Students will be able to apply their knowledge of human factors and behavioural economics to specify and implement workable and effective security solutions, and manage security behaviour.


Understanding Human Behaviour in Security

  • Systems thinking and design
  • Usability: Users, tasks and context
  • Performance and Workload
  • Productivity and performance vs risk and security


  • Humans and Risk
  • Risk Biases and Decision-making
  • Friction and the Compliance Budget


  • Authentication tasks: enrolment, verification, recovery
  • Knowledge-based authentication: Passwords, -phrases, PINs, graphical Authentication
  • Token-based authentication
  • Biometric authentication: physical and behavioural
  • Continuous authentication via devices, sensors, and biometrics
  • Payment systems and transaction authentication

Access control

  • Different access control models, organisational impact and user workload

Attacks and attackers (and how to counter them)

  • Types of attacks (Guessing, observation, capture and coercion)
  • Types of attackers: motivation, resources risk propensity
  • Social engineering attacks
  • Insider attacks


  • Online identity vs identity in the physical world
  • National identity vs socially constructed systems
  • Digital footprints, shadows and superidentities
  • Identity as currency


  • Data protection and user perception
  • Delivering privacy: Privacy by Design, the PST model
  • Surveillance, dataveillance and sousveillance online and in the physical world (CCTV)


  • Model of trust in online interaction
  • Game theory: incentivising trustworthy behaviour
  • Reputation systems and their application in online systems

Influencing user behaviour

  • Security awareness, education and training
  • User interface design and influencing techniques
  • Values, attitudes, security culture and security behaviour
  • Responsibility and communication

Method of Instruction

Lecture presentations and classroom-based coursework (weekly sessions)


The module has the following assessments:

  • Written Examination (2.5 hours) (75%)
  • Coursework (25%): Individual take-home coursework

To pass this module, students must: 

  • Obtain a mark of at least 50% for the module overall.


Reading list available via the UCL Library catalogue.