GA10 People and Security


Remember to subscribe to the GA10 mailing list to stay informed about last-minute announcements!

The list name is 4061@cs.ucl.ac.uk. See: How to subscribe to a mailing list.

This page is not maintained and appears here for historical reasons only.

Lecture Downloads & PDFs are available to course members on the Moodle site: http://moodle.ucl.ac.uk/

Lecture Downloads & PDFs

Each lecture is listed with its title (slides in [html] and [pdf]) followed by the additional material for that lecture.

01 Introduction [html] [pdf]

K. Renaud (2005): Evaluating Authentication Mechanisms, in: L. Faith Cranor & S. Garfinkel, chapter 6.

M. Just (2005): Designing Authentication Systems with Challenge Questions, in: L. Faith Cranor & S. Garfinkel, chapter 8.

S. Brostoff & M. A. Sasse (2003): "Ten strikes and you're out": Increasing the number of login attempts can improve password usability, in: Paper presented at the CHI 2003 Workshop on Human-Computer Interaction and Security Systems, Ft. Lauderdale, April 5.

M. A. Sasse, S. Brostoff & D. Weirich (2001): Transforming the "weakest link": a human-computer interaction approach to usable and effective security, in: BT Technology Journal, Vol 19 (3), July 2001, pp. 122-131.

S. Brostoff & M. A. Sasse (2000): Are Passfaces more usable than passwords? A field trial investigation, in: S. McDonald, Y. Waern & G. Cockton [Eds.]: People and Computers XIV - Usability or Else! Proceedings of HCI 2000 (September 5th - 8th, Sunderland, UK), pp. 405-424: Springer

C. Ellison, C. Hall, R. Milbert & B. Schneier (2000): Protecting Secret Keys with Personal Entropy, in: Future Generation Computer Systems, v. 16, 2000, pp. 311-318.

L. Zhuang, F. Zhou & J. D. Tygar (2005): Keyboard Acoustic Emanations Revisited, in: Proceedings of the 12th ACM Conference on Computer and Communications Security.

A. Adams & M. A. Sasse (1999): Users Are Not The Enemy: Why users compromise security mechanisms and how to take remedial measures, in: Communications of the ACM, 42 (12), pp. 40-46, December 1999.

A. Whitten & D. Tygar (1999): Why Johnny can't encrypt: A usability evaluation of PGP 5.0, in: Proceedings of the 8th USENIX Security Symposium, August 1999, pp. 169-183. (Both of these are reprinted in the Faith Cranor & Garfinkel book.)

M. E. Zurko & R. Simon (1996): User-centred Security, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, California, United States, pp. 27-33. (Available from the ACM Digital Library.)

S. Brostoff & M. A. Sasse (2001): Safe and sound: a safety-critical design approach to security, in: Proceedings of the New Security Paradigms Workshop 2001 (Sept. 10-13, Cloudcroft, NM, USA), pp. 41-50: ACM Press

B. Schneier (2000): Secrets and Lies: Digital Security in a Networked World: Wiley

M. A. Sasse & I. Fléchais (2005): Usable Security: Why Do We Need It? How Do We Get It?, in: L. Faith Cranor & S. Garfinkel, chapter 2.

P. Dourish, R. E. Grinter, J. Delgado de la Flor & M. Joseph (2004): Security in the wild: user strategies for managing security as an everyday, practical problem, in: Personal and Ubiquitous Computing, vol. 8, iss. 6, pp. 391-401.

M. A. Sasse, S. Brostoff & D. Weirich (2002): Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security, in: BT Technology Journal, 19(3), 122-131.
02 Authentication, Part 2 [html] [pdf]

F. Monrose & M. Reiter (2005): Graphical Passwords, in: L. Faith Cranor & S. Garfinkel book: Chapter 9.

G. Blonder (1996): Graphical Passwords. United States patent 5559961

R. Dhamija & A. Perrig (2000): Deja Vu: User study using images for authentication, in: 9th Usenix Security Symposium.

S. Brostoff & M. A. Sasse (2000): Are Passfaces More Usable Than Passwords? A Field Trial Investigation, in: S. McDonald, Y. Waern & G. Cockton [Eds.]: Proceedings of CHI 2000, People and Computers XIV, pp. 405-424 (also for Lecture 1): Springer

I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter & A. D. Rubin (1999): The Design and Analysis of Graphical Passwords, in: Proceedings of the 8th USENIX Security Symposium, August 23-36, 1999, Washington, D.C., USA.

S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy & N. Memon (2005): PassPoints: Design and longitudinal evaluation of a graphical password system, in: International Journal of Human-Computer Studies (Special Issue on HCI Research in Privacy and Security), 63, pp. 102-127.

A. De Angeli, L. Coventry, G. Johnson & K. Renaud (2005): Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems, in: International Journal of Human-Computer Studies, 63, pp. 128-152.
03 Biometrics [html] [pdf]

L. Coventry (2005): Usable Biometrics, in: L. Faith Cranor & S. Garfinkel book: Chapter 10.

Atos Origin (May 2005): UK Passport Service Biometrics Enrolment Trial: Report
04 Attacks & Attackers [html] [pdf]

I. Flechais, J. Riegelsberger & M. A. Sasse (2005): Divide and Conquer: The role of trust and assurance in the design of secure socio-technical systems, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, California, Sept 20-23.

Kevin D. Mitnick & William L. Simon (2003): The Art of Deception: Controlling the Human Element of Security: Wiley

Kevin D. Mitnick & William L. Simon (2005): The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers: Wiley

M. R. Randazzo, M. M. Keeney, E. F. Kowalski, D. M. Cappelli & A. P. Moore (August 2004): Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector: Joint SEI and U.S. Secret Service Report

Leonard R. Sayles & Cynthia Smith (2005): The Rise of the Rogue Executive: How Good Companies Go Bad and How to Stop the Destruction: Prentice Hall, ISBN: 0131477722

E. E. Schultz (2002): A framework for understanding and predicting insider attacks, in: Proceedings of Computers & Security conference, London, 30 October 2002.

D. Weirich & M. A. Sasse (2001): Pretty Good Persuasion: A first step towards effective password security for the Real World, in: Proceedings of the New Security Paradigms Workshop (Sept. 10-13 2001, Cloudcroft, NM, USA), pp. 137-143: ACM Press

I. Winkler (1997): Corporate Espionage: Prima Publishing, ISBN: 0761508406

A. H. Phyo & S. M. Furnell (2004): A Detection-Oriented Classification of Insider IT Misuse, in: Proceedings of the 3rd Security Conference, Las Vegas, USA, 14-15 April 2004.

Y. Lafrance (2004): Psychology: A precious security tool. SANS Institute InfoSec white paper
05 Credential Recovery [html] [pdf]

A. Nosseir, R. Connor & M. Dunlop (2005): Internet Authentication Based on Personal History - A Feasibility Test, in: Proceedings of the "Customer Focused Mobile Services Workshop" at WWW2005.

M. Just (2005): Designing Authentication Systems with Challenge Questions, in: L. Faith Cranor & S. Garfinkel book: Chapter 8.
06 CCTV [html] [pdf]

Guest lecturer: Hina Keval

Email: h.keval@cs.ucl.ac.uk

H. Keval (2006): CCTV Control Room Collaboration and Communication: Does it Work?, in: Proceedings of the Human Centred Technology Workshop, 11-12 September, Brighton, UK.

H. Keval & M. A. Sasse (2006): Man or Gorilla? Performance Issues with CCTV Technology in Security Control Rooms, in: presented at the 16th World Congress on Ergonomics Conference, International Ergonomics Association, 10-14 July, Maastricht, Netherlands.

NewScientist.com, 4th January 2006: Activists hijack public CCTV signal

BBC News, 10th January 2006: Rights groups criticise "Asbo TV"

BBC News, 2nd June 2006: Web users to "patrol" US border

Defeating the Hacker: The Age of the Video Ham: Surveillance cameras inadvertently exposed, says Robert Schifreen

Secure Engineering: Fascinating CCTV facts
07 Risk Analysis and Risk Management [html] [pdf]

University of Cambridge Risk Register (June 2004 version)

Detmar W. Straub & Richard J. Welke (1998): Coping with Systems Risk: Security Planning Models for Management Decision-Making, in: MIS Quarterly, Vol. 22, No. 4 (December), pp. 441-469.

J. Adams (1999): Cars, Cholera and Cows: the management of Risk and Uncertainty, in: Policy Analysis, No 335, March 1999.

J. Adams (1995): Risk: Taylor & Francis, ISBN: 1857280687

E. Amoroso, W. E. Kleppinger & D. Majette (1994): An Engineering Approach to Secure System Analysis, Design and Integration, in: AT&T Technical Journal, Vol. 73, No. 5, pp. 40-51.

R. Baskerville (1993): Information Systems Security Design Methods: Implications for Information Systems Development, in: ACM Computing Surveys, Vol. 25, No. 4, pp. 375-414.

D. Borge (2001): The Book of Risk: Wiley

D. Kahneman, P. Slovic & A. Tversky (2000): Judgment Under Uncertainty: Heuristics and Biases: Cambridge University Press
08 Security Awareness, Education, & Training [html] [pdf]

B. J. Fogg (2002): Persuasive Computing: Using Technology to Change Attitudes and Behaviors: Morgan Kaufmann, ISBN: 1558606432

The Information Warfare site

D. Weirich & M. A. Sasse (2001): Pretty Good Persuasion: A first step towards effective password security for the Real World, in: Proceedings of the New Security Paradigms Workshop 2001 (Sept. 10-13, Cloudcroft, NM, USA), pp. 137-143: ACM Press

M. Wilson & J. Hash (2003): Building an Information Technology Security Awareness and Training Programme. NIST Special Publication 800-50

M. Wilson (Editor), D. E. de Zafra, S. I. Pitcher, J. D. Tressler & J. B. Ippolito (1998): Information Technology Security Training Requirements: A Role- and Performance-Based Model. NIST Special Publication 800-16
09 Usability of Security Tools [html] [pdf]

Ka-Ping Yee (2005): Guidelines and Strategies for Secure Interaction Design, in: L. Faith Cranor & S. Garfinkel, Chapter 13.

B. Friedman, P. Lin & J. K. Miller (2005): Informed Consent by Design, in: L. Faith Cranor & S. Garfinkel, Chapter 24.

S. Garfinkel (2005): Sanitization and Usability, in: L. Faith Cranor & S. Garfinkel, Chapter 15.

A. Whitten & D. Tygar (2005): Why Johnny can't encrypt, in: L. Faith Cranor & S. Garfinkel, Appendix 3.
11 Security Policies [html] [pdf]

S. Barman (2001): Writing Information Security Policies: New Riders, ISBN: 157870264X

NIST: An Introduction to Computer Security - The NIST Handbook. NIST Special Publication 800-12, broken into chapters

JISC guide to writing information security policies
12 Privacy [html] [pdf]

Guest lecturer: Dr. Ian Brown

Email: I.Brown@cs.ucl.ac.uk

A. Adams & M. A. Sasse (2001): Privacy in Multimedia Communications: Protecting Users, Not Just Data, in: A. Blandford, J. Vanderdonkt & P. Gray [Eds.]: People and Computers XV - Interaction without frontiers. Joint Proceedings of HCI2001 and ICM2001, Lille, Sept. 2001, pp. 49-64: Springer

Data Protection Act

I. Flechais, J. Riegelsberger & M. A. Sasse (2005): Divide and Conquer: The role of trust and assurance in the design of secure socio-technical systems, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, California, Sept 20-23. (also for lecture 14)

J. Riegelsberger, M. A. Sasse & J. D. McCarthy (2005): The Mechanics of Trust: A Framework for Research and Design, in: International Journal of Human-Computer Studies, Vol. 62, No. 3, pp. 381-422. (also for lecture 14)

Web sites of some organisations:

Privacy International

Open Rights Group

Foundation for Information Policy Research

European Digital Rights

American Civil Liberties Union
13 Encryption [html] [pdf]

Y. Desmedt (in press): Why some network protocols are so user-unfriendly, in: Security Protocols: Springer LNCS

I. Flechais (2005): Designing Secure and Usable Systems: PhD Thesis, Department of Computer Science, UCL

N. Ferguson & B. Schneier (2003): Practical Cryptography: Wiley

S. Garfinkel et al. (2005): How to make secure email easier to use, in: Proceedings of CHI 2005.

S. Garfinkel & R. C. Miller (2005): Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express, in: Proceedings of SOUPS 2005.

M. A. Sasse, S. Brostoff & D. Weirich (2001): Transforming the "weakest link": a human-computer interaction approach to usable and effective security, in: BT Technology Journal, Vol 19 (3), July 2001, pp. 122-131. (also for lecture 1)

A. Whitten (2004): Making security usable: Doctoral thesis, Carnegie Mellon University, CMU-CS-04-135

A. Whitten & D. Tygar (1999): Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, in: Proceedings of the 8th USENIX Security Symposium, August 23-36, 1999, Washington, D.C., USA, pp. 169-184.

M. E. Zurko & R. T. Simon (1996): User-centered security, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, CA, USA, pp. 27-33.

Simson L. Garfinkel, David Margrave, Jeffrey I. Schiller, Erik Nordlander & Robert C. Miller (2005): How to Make Secure Email Easier To Use, in: Proceedings of CHI2005, Portland, OR, USA.
14 Trust [html] [pdf]

J. Riegelsberger, M. A. Sasse & J. D. McCarthy (2005): The Mechanics of Trust: A Framework for Research and Design, in: International Journal of Human-Computer Studies, Vol. 62, No. 3, pp. 381-422.

I. Flechais, J. Riegelsberger & M. A. Sasse (2005): Divide and Conquer: The role of trust and assurance in the design of secure socio-technical systems, in: Proceedings of the New Security Paradigms Workshop, Lake Arrowhead, California, USA, Sept 20-23.
15 Building Secure and Usable Systems with AEGIS [html] [pdf]

Guest lecturer: Dr. Ivan Fléchais, Oxford University

Email: ivan.flechais@comlab.ox.ac.uk

G. Dhillon & J. Backhouse (2001): Current directions in IS security research: towards socio-organizational perspectives, in: Information Systems Journal, Vol. 11, No. 2.

D. W. Straub & R. J. Welke (1998): Coping with Systems Risk: Security Planning Models for Management Decision-Making, in: MIS Quarterly, Volume 22, Issue 4.

H. L. James (1996): Managing Information Systems Security: a Soft Approach, in: Proceedings of Information Systems Conferences of New Zealand.

R. Anderson (1998): The DeCODE Proposal for an Icelandic Health Database
16 Phishing [html] [pdf]

Anti-Phishing Working Group: Committed to wiping out Internet scams and fraud

Criminals 'target tech students'. BBC News item, 8th December 2006

R. Dhamija, D. Tygar & M. Hearst (2006): Why phishing works, in: Proceedings of the Second Conference on Global e-Security.

M. Wu, R. C. Miller & S. L. Garfinkel (2006): Do Security Toolbars Actually Prevent Phishing Attacks?, in: Proceedings of CHI 2006.


Past exam papers

2006 attachments:

March 2006: COMPGA10 AOL advert on Internet security


Resources

Websites

Schneier blog and monthly Crypto-Gram

HCISec bibliography

HCISec group mailing list at Yahoo

Books

Lorrie Faith Cranor & Simson Garfinkel (2005): Security and Usability: Designing Secure Systems that People Can Use: O'Reilly

Bruce Schneier (2003): Beyond Fear - Thinking Sensibly About Security in an Uncertain World: Wiley


Lecturers

M. Angela Sasse (responsible)

NoticeBoard

This will contain important announcements about useful links, room changes, etc.
