Socio-technical security
Security is often characterised as an ongoing process of identifying and assessing threats, selecting countermeasures and checking their efficacy. In this framing of security as “what” and “how”, it is easy to overlook “why”. Why does this software component have repeated security vulnerabilities? Why is this VPN misconfigured? Why are threat information sharing procedures not always followed? Or simply, why is my system secure?
The user/developer often plays a central role in these questions, and we turn to Qualitative Research methods from the Social Sciences to help understand and diagnose how humans experience security systems. These methods can help us to ask why, and are useful in identifying unknown knowns: those security practices in our socio-technical system, both human and technical, good and bad, that we don’t know we know about.
Publications
- Foley, S. N., & Rooney, V. M. (2019). Social Constructionism in security protocols: A position on human experience, psychology and security. In Proceedings of the 27th International Workshop on Security Protocols, in press. Springer LNCS. Retrieved from https://simonnfoley.github.io/pubs/spw2019.pdf
- Foley, S. N., & Rooney, V. M. (2019). Social Constructionism in security protocols: Transcript of discussion. In Proceedings of the 27th International Workshop on Security Protocols, in press. Springer LNCS. Retrieved from https://simonnfoley.github.io/pubs/spw2019t.pdf
- Rooney, V. M., & Foley, S. N. (2018). An online consent maturity model: moving from acceptable use towards ethical practice. In New Security Paradigms Workshop (NSPW 2018). ACM Press. Retrieved from https://simonnfoley.github.io/pubs/nspw2018.pdf
- Foley, S. N., & Rooney, V. M. (2018). A Grounded Theory approach to security policy elicitation. Information and Computer Security Journal, 26(4), 454–471. https://doi.org/10.1108/ICS-12-2017-0086
- Rooney, V. M., & Foley, S. N. (2018). What you can change and what you can’t: human experience in computer network defenses. In Proceedings of the Nordic Conference on Secure IT Systems. Springer LNCS 11252. Retrieved from https://simonnfoley.github.io/pubs/nordsec2018.pdf
- Pieczul, O., Foley, S. N., & Zurko, M. E. (2017). Developer-centered security and the symmetry of ignorance. In New Security Paradigms Workshop (NSPW 2017). Retrieved from https://simonnfoley.github.io/pubs/nspw2017.pdf
- Foley, S. N. (2017). Getting security objectives wrong: a cautionary tale of an Industrial Control System. In International Workshop on Security Protocols. Retrieved from https://simonnfoley.github.io/pubs/spw2017.pdf
- Rooney, V. M., & Foley, S. N. (2017). What users want: adapting qualitative research methods to security policy requirements elicitation. In Proceedings of the International Workshop on Security and Privacy Requirements Engineering (SECPRE 2017). Retrieved from https://simonnfoley.github.io/pubs/secpre2017.pdf
- Pieczul, O., & Foley, S. N. (2016). The evolution of a security control. In International Workshop on Security Protocols, to appear. Retrieved from https://simonnfoley.github.io/pubs/secprot2016.pdf
- Pieczul, O., Foley, S. N., & Rooney, V. M. (2014). I’m OK, You’re OK, the System’s OK: Normative Security for Systems. In Proceedings of the 2014 workshop on New Security Paradigms Workshop, Victoria, BC, Canada, September 15-18, 2014 (pp. 95–104). https://doi.org/10.1145/2683467.2683476
- Foley, S. N., & Rooney, V. M. (2009). Qualitative Analysis for Trust Management. In Security Protocols XVII, 17th International Workshop, Cambridge, UK, April 1-3, 2009. Revised Selected Papers (pp. 298–307). https://doi.org/10.1007/978-3-642-36213-2_33