People and Security
Note:
Whilst every effort is made to keep the syllabus and assessment records correct
for this course, the precise details must be checked with the lecturer(s).
Code: M061 (also taught as GA10)
Year: 4
Prerequisites: None
Term: 2
Taught By: Angela Sasse (100%)
Aims:
Students will be able to:
- specify usability criteria that a security mechanism has to meet to be workable for end-user groups and work contexts;
- know the strengths and weaknesses of particular security mechanisms in practice, and hence be able to choose and configure mechanisms for best performance in a given organisational context; and
- specify accompanying measures (policies, training, monitoring and ensuring compliance) that a user organisation needs to implement to ensure long-term security in practice.
Learning Outcomes:
Students will be able to apply their knowledge of human factors to computer security.
Content:
Introduction: The Human Factor in Security
- Systemic approach to security design
- Users, tasks and context
- Why only usable security is effective security
- Basic concepts from security and risk analysis

Authentication mechanisms and their usability issues
- Knowledge-based authentication: passwords, PINs, passphrases, graphical passwords, challenge-response systems; improving KBA with personal entropy; credential recovery
- Token-based authentication: SecurID tokens, smartcards
- Biometric authentication: physical biometrics (finger, iris, face); behavioural biometrics (voice, digital signature, gait, typing); enrolment and verification; user perception and acceptance of biometrics

Security tasks and business processes
- Security as a supporting task
- Deriving performance requirements from production tasks
- Security mechanisms and context of use
- Risk analysis and risk management
- The AEGIS method

User education and training
- Identifying user perceptions
- Designing security training
- Changing user perceptions and behaviour
- Motivational approaches
- Security tests
- User interfaces to security tools
- Social engineering

Organisational issues
- Security culture
- Responsibility and communication
- Designing security policies
- Monitoring and compliance
- Insider threats
- Trust

Enterprise security
- Customer requirements for security
- Data protection
- Privacy

Attacks and Attackers

Surveillance and monitoring
- CCTV
- RFID
- Automated detection
Method of Instruction:
Lecture presentations and classroom-based coursework
Assessment:
The course has the following assessment components:
- Written Examination (2.5 hours, 100%)
To pass this course, students must:
The examination rubric is: Answer any THREE questions out of FIVE. N.B. This course is examined in the pre-Easter examination session.
Resources:
Lorrie Faith Cranor and Simson Garfinkel, "Security and Usability: Designing Secure Systems that People Can Use", 2005.
Bruce Schneier, "Beyond Fear - Thinking Sensibly About Security in an Uncertain World", 2005.
Lecture notes