Course mailing list: the list name is 4061@cs.ucl.ac.uk. See: How to subscribe to a mailing list.
| Title of Lecture | Additional Material |
|---|---|
| 01 Introduction [html] [pdf] | K. Renaud (2005): Evaluating Authentication Mechanisms, in: L. Faith Cranor & S. Garfinkel, chapter 6.<br>M. Just (2005): Designing Authentication Systems with Challenge Questions, in: L. Faith Cranor & S. Garfinkel, chapter 8.<br>S. Brostoff & M. A. Sasse (2003): "Ten strikes and you're out": Increasing the number of login attempts can improve password usability, in: Paper presented at the CHI 2003 Workshop on Human-Computer Interaction and Security Systems, Ft. Lauderdale, April 5.<br>M. A. Sasse, S. Brostoff & D. Weirich (2001): Transforming the "weakest link": a human-computer interaction approach to usable and effective security, in: BT Technology Journal, Vol 19 (3), July 2001, pp. 122-131.<br>S. Brostoff & M. A. Sasse (2000): Are Passfaces more usable than passwords? A field trial investigation, in: S. McDonald, Y. Waern & G. Cockton [Eds.]: People and Computers XIV - Usability or Else! Proceedings of HCI 2000 (September 5th - 8th, Sunderland, UK), pp. 405-424: Springer.<br>C. Ellison, C. Hall, R. Milbert & B. Schneier (2000): Protecting Secret Keys with Personal Entropy, in: Future Generation Computer Systems, v. 16, 2000, pp. 311-318.<br>L. Zhuang, F. Zhou & J. D. Tygar (2005): Keyboard Acoustic Emanations Revisited, in: Proceedings of the 12th ACM Conference on Computer and Communications Security.<br>A. Adams & M. A. Sasse (1999): Users Are Not The Enemy: Why users compromise security mechanisms and how to take remedial measures, in: Communications of the ACM, 42 (12), pp. 40-46, December 1999.<br>A. Whitten & D. Tygar (1999): Why Johnny can't encrypt: A usability evaluation of PGP 5.0, in: Proceedings of the 8th USENIX Security Symposium, August 1999, pp. 169-183. (Both of these are reprinted in the Faith Cranor & Simson book.)<br>M. E. Zurko & R. Simon (1996): User-centred Security, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, California, United States, pp. 27-33. (Available from the ACM Digital Library.)<br>S. Brostoff & M. A. Sasse (2001): Safe and sound: a safety-critical design approach to security, in: Proceedings of the New Security Paradigms Workshop 2001 (Sept. 10-13, Cloudcroft, NM, USA), pp. 41-50: ACM Press.<br>B. Schneier (2000): Secrets and Lies: Digital Security in a Networked World: Wiley.<br>M. A. Sasse & I. Fléchais (2005): Usable Security: Why Do We Need It? How Do We Get It?, in: L. Faith Cranor & S. Garfinkel, chapter 2.<br>P. Dourish, R. E. Grinter, J. Delgado de la Flor & M. Joseph (2004): Security in the wild: user strategies for managing security as an everyday, practical problem, in: Personal and Ubiquitous Computing, vol. 8, iss. 6, pp. 391-401.<br>M. A. Sasse, S. Brostoff & D. Weirich (2002): Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security, in: BT Technology Journal, 19(3), pp. 122-131. |
| 02 Authentication, Part 2 [html] [pdf] | F. Monrose & M. Reiter (2005): Graphical Passwords, in: L. Faith Cranor & S. Garfinkel book: Chapter 9.<br>G. Blonder (1996): Graphical Passwords. United States patent 5559961.<br>R. Dhamija & A. Perrig (2000): Deja Vu: User study using images for authentication, in: 9th USENIX Security Symposium.<br>S. Brostoff & M. A. Sasse (2000): Are Passfaces More Usable Than Passwords? A Field Trial Investigation, in: S. McDonald, Y. Waern & G. Cockton [Eds.]: Proceedings of HCI 2000, People and Computers XIV, pp. 405-424: Springer. (Also for Lecture 1.)<br>I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter & A. D. Rubin (1999): The Design and Analysis of Graphical Passwords, in: Proceedings of the 8th USENIX Security Symposium, August 23-26, 1999, Washington, D.C., USA.<br>S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy & N. Memon (2005): PassPoints: Design and longitudinal evaluation of a graphical password system, in: International Journal of Human-Computer Studies (Special Issue on HCI Research in Privacy and Security), 63, pp. 102-127.<br>A. De Angeli, L. Coventry, G. Johnson & K. Renaud (2005): Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems, in: International Journal of Human-Computer Studies, 63, pp. 128-152. |
| 03 Biometrics [html] [pdf] | L. Coventry (2005): Usable Biometrics, in: L. Faith Cranor & S. Garfinkel book: Chapter 10.<br>Atos Origin (May 2005): UK Passport Service Biometrics Enrolment Trial: Report. |
| 04 Attacks & Attackers [html] [pdf] | I. Flechais, J. Riegelsberger & M. A. Sasse (2005): Divide and Conquer: The role of trust and assurance in the design of secure socio-technical systems, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, California, Sept 20-23.<br>Kevin D. Mitnick & William L. Simon (2003): The Art of Deception: Controlling the Human Element of Security: Wiley.<br>Kevin D. Mitnick & William L. Simon (2005): The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers: Wiley.<br>M. R. Randazzo, M. M. Keeney, E. F. Kowalski, D. M. Cappelli & A. P. Moore (August 2004): Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector: Joint SEI and U.S. Secret Service Report.<br>Leonard R. Sayles & Cynthia Smith (2005): The Rise of the Rogue Executive: How Good Companies Go Bad and How to Stop the Destruction: Prentice Hall, ISBN 0131477722.<br>E. E. Schultz (2002): A framework for understanding and predicting insider attacks, in: Proceedings of Computers & Security conference, London, 30 October 2002.<br>D. Weirich & M. A. Sasse (2001): Pretty Good Persuasion: A first step towards effective password security for the Real World, in: Proceedings of the New Security Paradigms Workshop (Sept. 10-13 2001, Cloudcroft, NM, USA), pp. 137-143: ACM Press.<br>I. Winkler (1997): Corporate Espionage: Prima Publishing, ISBN 0761508406.<br>A. H. Phyo & S. M. Furnell (2004): A Detection-Oriented Classification of Insider IT Misuse, in: Proceedings of the 3rd Security Conference, Las Vegas, USA, 14-15 April 2004.<br>Y. Lafrance (2004): Psychology: A precious security tool. SANS Institute InfoSec white paper. |
| 05 Credential Recovery [html] [pdf] | A. Nosseir, R. Connor & M. Dunlop (2005): Internet Authentication Based on Personal History – A Feasibility Test, in: Proceedings of "Customer Focused Mobile Services Workshop" at WWW2005.<br>M. Just (2005): Designing Authentication Systems with Challenge Questions, in: L. Faith Cranor & S. Garfinkel book: Chapter 8. |
| 06 CCTV [html] [pdf] (Email: h.keval@cs.ucl.ac.uk) | H. Keval (2006): CCTV Control Room Collaboration and Communication: Does it Work?, in: Proceedings of Human Centred Technology Workshop, 11-12 September, Brighton, UK.<br>H. Keval & M. A. Sasse (2006): Man or Gorilla? Performance Issues with CCTV Technology in Security Control Rooms, presented at the 16th World Congress on Ergonomics Conference, International Ergonomics Association, 10-14 July, Maastricht, Netherlands.<br>NewScientist.com, 4th January 2006: Activists hijack public CCTV signal.<br>BBC News, 10th January 2006: Rights groups criticise "Asbo TV".<br>BBC News, 2nd June 2006: Web users to "patrol" US border.<br>Defeating the Hacker: The Age of the Video Ham: Surveillance cameras inadvertently exposed, says Robert Schifreen.<br>Secure Engineering: Fascinating CCTV facts. |
| 07 Risk Analysis and Risk Management [html] [pdf] | University of Cambridge Risk Register (June 2004 version).<br>Detmar W. Straub & Richard J. Welke (1998): Coping with Systems Risk: Security Planning Models for Management Decision-Making, in: MIS Quarterly, Vol. 22, No. 4 (December), pp. 441-469.<br>J. Adams (1999): Cars, Cholera and Cows: the management of Risk and Uncertainty, in: Policy Analysis, No. 335, March 1999.<br>J. Adams (1995): Risk: Taylor & Francis, ISBN 1857280687.<br>E. Amoroso, W. E. Kleppinger & D. Majette (1994): An Engineering Approach to Secure System Analysis, Design and Integration, in: AT&T Technical Journal, Vol. 73, No. 5, pp. 40-51.<br>R. Baskerville (1993): Information Systems Security Design Methods: Implications for Information Systems Development, in: ACM Computing Surveys, Vol. 25, No. 4, pp. 375-414.<br>D. Borge (2001): The Book of Risk: Wiley.<br>D. Kahneman, P. Slovic & A. Tversky (2000): Judgment Under Uncertainty: Heuristics and Biases: Cambridge University Press. |
| 08 Security Awareness, Education, & Training [html] [pdf] | B. J. Fogg (2002): Persuasive Computing: Using Technology to Change Attitudes and Behaviors: Morgan Kaufmann, ISBN 1558606432.<br>The Information Warfare site.<br>D. Weirich & M. A. Sasse (2001): Pretty Good Persuasion: A first step towards effective password security for the Real World, in: Proceedings of the New Security Paradigms Workshop 2001 (Sept. 10-13, Cloudcroft, NM, USA), pp. 137-143: ACM Press.<br>M. Wilson & J. Hash (2003): Building an Information Technology Security Awareness and Training Programme. NIST Special Publication 800-50.<br>M. Wilson (Editor), D. E. de Zafra, S. I. Pitcher, J. D. Tressler & J. B. Ippolito (1998): Information Technology Security Training Requirements: A Role- and Performance-Based Model. NIST Special Publication 800-16. |
| 09 Usability of Security Tools [html] [pdf] | Ka-Ping Yee (2005): Guidelines and Strategies for Secure Interaction Design, in: L. Faith Cranor & S. Garfinkel, Chapter 13.<br>B. Friedman, P. Lin & J. K. Miller (2005): Informed Consent by Design, in: L. Faith Cranor & S. Garfinkel, Chapter 24.<br>S. Garfinkel (2005): Sanitization and Usability, in: L. Faith Cranor & S. Garfinkel, Chapter 15.<br>A. Whitten & D. Tygar (2005): Why Johnny can't encrypt, in: L. Faith Cranor & S. Garfinkel, Appendix 3. |
| 11 Security Policies [html] [pdf] | S. Barman (2001): Writing Information Security Policies: New Riders, ISBN 157870264X.<br>NIST: An Introduction to Computer Security - The NIST Handbook. NIST Special Publication 800-12, broken into chapters.<br>JISC guide to writing information security policies. |
| 12 Privacy [html] [pdf] (Email: I.Brown@cs.ucl.ac.uk) | A. Adams & M. A. Sasse (2001): Privacy in Multimedia Communications: Protecting Users, Not Just Data, in: A. Blandford, J. Vanderdonkt & P. Gray [Eds.]: People and Computers XV - Interaction without frontiers. Joint Proceedings of HCI2001 and ICM2001, Lille, Sept. 2001, pp. 49-64: Springer.<br>Data Protection Act.<br>I. Flechais, J. Riegelsberger & M. A. Sasse (2005): Divide and Conquer: The role of trust and assurance in the design of secure socio-technical systems, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, California, Sept 20-23. (Also for lecture 14.)<br>J. Riegelsberger, M. A. Sasse & J. D. McCarthy (2005): The Mechanics of Trust: A Framework for Research and Design, in: International Journal of Human-Computer Studies, Vol. 62, No. 3, pp. 381-422. (Also for lecture 14.)<br>Web sites of some organisations: Privacy International; Open Rights Group; Foundation for Information Policy Research; European Digital Rights; American Civil Liberties Union. |
| 13 Encryption [html] [pdf] | Y. Desmedt (in press): Why some network protocols are so user-unfriendly, in: Security Protocols: Springer LNCS.<br>I. Flechais (2005): Designing Secure and Usable Systems: PhD Thesis, Department of Computer Science, UCL.<br>N. Ferguson & B. Schneier (2003): Practical Cryptography: Wiley.<br>S. Garfinkel et al. (2005): How to make secure email easier to use, in: Proceedings of CHI 2005.<br>S. Garfinkel & R. C. Miller (2005): Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express, in: Proceedings of SOUPS 2005.<br>M. A. Sasse, S. Brostoff & D. Weirich (2001): Transforming the "weakest link": a human-computer interaction approach to usable and effective security, in: BT Technology Journal, Vol 19 (3), July 2001, pp. 122-131. (Also for lecture 1.)<br>A. Whitten (2004): Making security usable: Doctoral thesis, Carnegie Mellon University, CMU-CS-04-135.<br>A. Whitten & D. Tygar (1999): Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, in: Proceedings of the 8th USENIX Security Symposium, August 23-26, 1999, Washington, D.C., USA, pp. 169-184.<br>M. E. Zurko & R. T. Simon (1996): User-centered security, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, CA, USA, pp. 27-33.<br>Simson L. Garfinkel, David Margrave, Jeffrey I. Schiller, Erik Nordlander & Robert C. Miller (2005): How to Make Secure Email Easier To Use, in: Proceedings of CHI 2005, Portland, OR, USA. |
| 14 Trust [html] [pdf] | J. Riegelsberger, M. A. Sasse & J. D. McCarthy (2005): The Mechanics of Trust: A Framework for Research and Design, in: International Journal of Human-Computer Studies, Vol. 62, No. 3, pp. 381-422.<br>I. Flechais, J. Riegelsberger & M. A. Sasse (2005): Divide and Conquer: The role of trust and assurance in the design of secure socio-technical systems, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, California, USA, Sept 20-23. |
| 15 Building Secure and Usable Systems with AEGIS [html] [pdf] | G. Dhillon & J. Backhouse (2001): Current directions in IS security research: towards socio-organizational perspectives, in: Information Systems Journal, Vol. 11, No. 2.<br>D. W. Straub & R. J. Welke (1998): Coping with Systems Risk: Security Planning Models for Management Decision-Making, in: MIS Quarterly, Volume 22, Issue 4.<br>H. L. James (1996): Managing Information Systems Security: a Soft Approach, in: Proceedings of Information Systems Conferences of New Zealand.<br>R. Anderson (1998): The DeCODE Proposal for an Icelandic Health Database. |
| 16 Phishing [html] [pdf] | Anti-Phishing Working Group: Committed to wiping out Internet scams and fraud.<br>Criminals 'target tech students'. BBC News item, 8th December 2006.<br>R. Dhamija, D. Tygar & M. Hearst (2006): Why phishing works, in: Proceedings of the Second Conference on Global e-Security.<br>M. Wu, R. C. Miller & S. L. Garfinkel (2006): Do Security Toolbars Actually Prevent Phishing Attacks?, in: Proceedings of CHI 2006. |
| 2006 | Attachments |
|---|---|
| March 2006: COMPGA10 | AOL advert on Internet security |

| Links |
|---|
| Schneier blog and monthly Cryptogram |
| HCISec bibliography |
| HCISec group mailing list at Yahoo |

| Authors | Title | Publisher |
|---|---|---|
| Lorrie Faith Cranor, Simson Garfinkel (2005) | Security and Usability: Designing Secure Systems that People Can Use | O'Reilly |
| Bruce Schneier (2003) | Beyond Fear - Thinking Sensibly About Security in an Uncertain World | Wiley |
M. Angela Sasse (responsible)
The mailing list will carry important announcements about useful links, room changes, etc.