Abstract

Purpose – This paper aims to present an approach where assumption personas are used to engage stakeholders in the elicitation and specification of security requirements at a late stage of a system’s design.

Design/methodology/approach – The author has devised an approach for developing assumption personas for use in participatory design sessions during the later stages of a system’s design. The author validates this approach using a case study in the e-Science domain.

Findings – Engagement follows by focusing on the indirect, rather than direct, implications of security. More design approaches are needed for treating security at a comparatively late stage. Security design techniques should scale to working with sub-optimal input data.

Originality/value – This paper contributes an approach where assumption personas engage project team members when eliciting and specifying security requirements at the late stages of a project.

Highlights

  • When building software, security is considered as an after-thought, and security requirements are not properly considered until a comparatively late stage

  • To explore the power of challenging such assumptions, this paper presents an approach for eliciting and specifying security requirements using assumption-based personas, scenarios and risks, engaging system developers to think more about the security of a medical research portal and how the portal might be misused

  • A scenario session involves modelling scenarios carried out by the assumption personas in their respective contexts

Summary

Introduction

Security is considered as an after-thought, and security requirements are not properly considered until a comparatively late stage. Stakeholders need to be engaged to provide insights into potential vulnerabilities and threats, but this can be difficult. Stakeholders dedicate significant time and resources to understanding the complexity of a problem domain, leaving themselves little time for engaging with standard security design techniques. Such stakeholders may find security a distant topic, seeing media reports on security threats and privacy invasions as somehow irrelevant to a system they are trying to build. One way of engaging the security unengaged is to rely on evocation, and people’s natural bias towards personified, rather than anonymous, risk (Schneier 2012).
