Security by Design through “Human Centered” Specification Exemplars


A year ago, we received Fusion funding to build the Bournemouth-Athens Network in Critical Infrastructure Security. The aim of this project was to build collaborative links between the BU Cyber Security Research group and the Information Security & Critical Infrastructure Protection Laboratory at Athens University of Economics & Business (AUEB). We built these links by working on a joint project, which we advanced through visits and other activities.

The aim of our joint activities was to build human-centered specification exemplars of Critical Infrastructure (CI) operating environments.
We depend on infrastructure associated with things like water, gas, electricity, or transport, but the criticality of such infrastructure is usually lost on us because it fades into the background of our everyday lives. The damage or loss of such infrastructure is only felt when it becomes unavailable, and its significance can range from mild annoyance if it means the trains are late, through to civil disorder and loss of life if we are unable to access clean water for a prolonged period. Despite their importance, there are no useful models of environments that people can use when developing or evaluating technology for CI. Our work aimed to remedy this by building specification exemplars for typical CI companies. In doing so, these would capture the human nuances associated with different aspects of CI, and help people identify possible security issues associated with new ideas before, rather than after, they are deployed in the field.

Together, a team of BU and AUEB researchers carried out work to build two specification exemplars of hypothetical CI companies. One of these was a UK Water Company (ACME Water). The other was a rail company in South East Europe (Balkan Rail). BU hosted researchers from AUEB and ran a number of workshops to identify different security aspects of these companies. In return, AUEB hosted BU undergraduate research assistants as they collected data from a Greek CI company, and ran workshops to develop and evaluate different aspects of the exemplars with AUEB researchers.

The exemplars have been made publicly available, and are modelled using CAIRIS – an open-source security design tool maintained by researchers at BU. To date, several publications have arisen from our preliminary work building [1] and applying the ACME Water exemplar [2, 3, 4]. We’re also using the exemplars as part of our teaching to provide case studies for Forensic & Computer Security lab exercises and seminars. Although the studies provided are hypothetical, they are grounded in real-world data, and make visible to students the root causes of a variety of cybersecurity risks.

Looking forward, our work has gained the interest of a number of UK and international collaborators, and we’re looking for opportunities to build a library of human-centered specification exemplars for many other, non-CI, environments. Such environments might include homes, and different types of ‘soft target’. Our long-term aim is to make sure people don’t design security as an afterthought. Our work on BANCIS has made a small, but significant, step towards achieving this goal.


[1] S. Faily, G. Lykou, A. Partridge, D. Gritzalis, A. Mylonas, and V. Katos, “Human-Centered Specification Exemplars for Critical Infrastructure Environments,” in Proceedings of the 30th British HCI Group Annual Conference on People and Computers, 2016.

[2] S. Faily, C. Iacob, and S. Field, “Ethical Hazards and Safeguards in Penetration Testing,” in Proceedings of the 30th British HCI Group Annual Conference on People and Computers: Fusion, 2016. 

[3] D. Ki-Aries, S. Faily, and K. Beckers, “Persona-Driven Information Security Awareness,” in Proceedings of the 30th British HCI Group Annual Conference on People and Computers: Fusion, 2016. 

[4] A. Partridge and S. Faily, “The application of useless japanese inventions for requirements elicitation in information security,” in Proceedings of the 30th British HCI Group Annual Conference on People and Computers: Fusion, 2016.