Barriers to Usable Security? Three Organizational Case Studies

Caputo, Deanna D.; Pfleeger, Shari Lawrence; Sasse, M. Angela; Ammann, Paul; Offutt, Jeff; Deng, Lin

doi:10.1109/msp.2016.95

Cited by 42 publications

(26 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…But the idea of a general trade-off between security and usability is disputed. For example, Caputo et al (2016) use three case studies showing that a trade-off does not always exist.…”

Section: Related Workmentioning

confidence: 99%

Secure or usable computers? Revealing employees’ perceptions and trade-offs by means of a discrete choice experiment

Molin

Meeuwisse²,

Pieters

et al. 2018

Computers & Security

View full text Add to dashboard Cite

show abstract

“…But the idea of a general trade-off between security and usability is disputed. For example, Caputo et al (2016) use three case studies showing that a trade-off does not always exist.…”

Section: Related Workmentioning

confidence: 99%

Secure or usable computers? Revealing employees’ perceptions and trade-offs by means of a discrete choice experiment

Molin

Meeuwisse²,

Pieters

et al. 2018

Computers & Security

View full text Add to dashboard Cite

show abstract

“…Behavioural sciences have mapped out several promising areas to help make security more usable these areas are heuristics, biases, framing and reducing cognitive load. Caputo states that the next step in advancing research in this area will be in making security usable by integrating actions that include security at every stage of the software development (Caputo et al 2016).…”

Section: Security and Providing An Actual Trustworthy Systemmentioning

confidence: 99%

Faceless Internet Lawyers – Can They Be Trusted? A study of Usable Security for Legal Services

Whittle

2018

Electronic Workshops in Computing

View full text Add to dashboard Cite

Details on the context and background of work: Legal service has lagged behind other online services this is because lawyers are traditional risk adverse, trained to poke holes in ideas and look to the past for how things should be done. There have been many articles wrote about client confidentiality and solicitors duty of care, that have expressed a concern about internet safety. Having the clients trust and actually being trustworthy is of the utmost important to our legal system, if we are to move legal service on-line.  We need to understand how we can design a system, that is both?  A system that not only feels safe and secure but actually is.  A system that is a joy to use and can be trusted the way that you would trust your solicitor, enabling the sharing of sensitive correspondence with the convenience of never having to leave your home. Usable security, maybe the answer to this but it is a relatively new field in computer science and has provided some good theories that could be applied to legal services, yet there have been very few actual case studies.

show abstract

“…Caputo et al used three case studies to explore several theories about what changes in software development might lead to more usable security, concluding a need for the alignment of security goals with business goals. Recently, Assal and Chiasson interviewed developers from 13 different teams and organizations about their security practices, concluding “a need for new, lightweight best practices that take into account the realities and pressures of development.”…”

Section: Introductionmentioning

confidence: 99%

Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

et al. 2019

Self Cite

View full text Add to dashboard Cite

Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a participatory action research field study where we delivered the workshops to three software development organizations and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience and that improvement is long-lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.

show abstract

Barriers to Usable Security? Three Organizational Case Studies

Cited by 42 publications

References 7 publications

Secure or usable computers? Revealing employees’ perceptions and trade-offs by means of a discrete choice experiment

Secure or usable computers? Revealing employees’ perceptions and trade-offs by means of a discrete choice experiment

Faceless Internet Lawyers – Can They Be Trusted? A study of Usable Security for Legal Services

Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

Contact Info

Product

Resources

About