Posts By / Shamal Faily

New Security textbook published by BU academic

Shamal Faily has just published the textbook Designing Usable and Secure Software with IRIS and CAIRIS with Springer.

The book was written to help practitioners, be these UX designers, security architects, or software developers, ‘build in’ security and usability. The ACM Code of Ethics states that True security requires usability – security features are of no practical use if users cannot or will not use them. This book explains how usable and secure software can be designed using the IRIS framework and the CAIRIS software platform, and provides real case studies where security and usability is incorporated into software designs at an early stage. This is something most people agree should be done, but few people give advice on how to do it. This book helps fill this gap.

The book also helps educators and students by providing a resource for a course on Security by Design. As explained in the preface, this book was written to support our undergraduate and postgraduate Security by Design unit at BU, and pointers are included on how different parts of this book can support this or similar courses.

More information about this book can be found here. As the book will be used to support teaching at BU, soft and hard copies should be available from the library soon.

‘GDPR for Charities’ workshop: a report

On Monday, June 11th we ran our long planned ‘GDPR for Charities’ workshop at the Enterprise Business Centre.  This workshop was one of the outputs from our Charity Impact Acceleration Scheme funded project to help a local charity with their GDPR readiness activities.  The aim of this workshop was to share the techniques and lessons learned from this project with the wider non-profit community in the Dorset region and beyond.  This was a one-day event attended by around 40 participants working for or with charities of various sizes.

Shamal Faily opened the workshop (slides) by setting out some of the challenges faced by charities making sense of GDPR, before giving an overview of what would be planned for the day.

Jane Henriksen-Bulmer then gave an overview of GDPR and Data Protection Impact Assessments (DPIAs) before presenting the ‘DPIA Data Wheel’ – a step-by-step process for carrying out a DPIA (slides).

The participants were then divided into four groups and, with the assistance of our BU facilitators, used the Data Wheel to conduct a DPIA for a hypothetical but realistic scenario. The groups then came together to present the privacy risks they found to the rest of the participants.

After lunch, Tessa Corner delivered a talk on StreetScene‘s experiences applying the DPIA Data Wheel (slides), before Shamal gave a talk on how to find security & privacy risks, and demonstrated the use of CAIRIS to support the discovery and management of risks (slides).

After these talks, Raian Ali hosted a lively panel on GDPR and its implications for charities before Jane closed the day by summarising some of the results of applying the DPIA Data Wheel with StreetScene (slides) and discussing some next steps to build on the momentum from this workshop (slides).

If you’re interested in finding out more about the workshop, or would like to get involved in any follow-on activities then please contact Jane Henriksen-Bulmer or Shamal Faily.

Fusion project leads to best paper award

Work by BU researchers examining the human aspects of Digital Rights Management has won a best paper award at the Fourth International Workshop on Artificial Intelligence and IP Law. This is joint work carried out by Marcella Favale, Neil McDonald, Shamal Faily, and Christos Gatzidis.

This work, which resulted from research carried out during the FIF funded MADRIGAL project, examines the perspective of DRM from the perspective of content creators using qualitative socio-legal analysis.

In addition to this work, we were also invited to write an extended version of this paper for SCRIPTed, which is currently in press.

Well done Marcella and the rest of the MADRIGAL team!

Security by Design through “Human Centered” Specification Exemplars


A year ago, we received Fusion funding to build the Bournemouth-Athens Network in Critical Infrastructure Security. The aim of this project was to build collaborative links between the BU Cyber Security Research group and the Information Security & Critical Infrastructure Protection Laboratory at Athens University of Economics & Business (AUEB). We built these links by working on a joint project, which we advanced through visits and other activities.

The aim of our joint activities was to build human-centered specification exemplars of Critical Infrastructure (CI) operating environments.
We depend on infrastructure associated with things like water, gas, electricity, or transport, but the criticality of such infrastructure is usually lost on us because it fades into the background of our everyday lives. The damage or loss of such infrastructure is only felt when it becomes unavailable, and its significance can range from mild annoyance if its means the trains are late, through to civil disorder and loss of life if we are unable to access clean water for a prolonged period. Despite their importance, there are no useful models of environments that people can use when developing or evaluating technology for CI. Our work aimed to remedy this by building specification exemplars for typical CI companies. In doing so, these would capture the human nuances associated with different aspects of CI, and help people identify possible security issues associated with new ideas before, rather than after, they are deployed in the field.

Together, a team of BU and AUEB researchers carried out work to build two specification exemplars of hypothetical CI companies. One of these was a UK Water Company (ACME Water). The other was a rail company in South East Europe (Balkan Rail). BU hosted researchers from AUEB and ran a number of workshops to identify different security aspects of these companies. In return, AUEB hosted BU undergraduate research assistants as they collected data from a Greek CI company, and ran workshops to develop and evaluate different aspects of the exemplars with AUEB researchers.

The exemplars have been made publicly available, and are modelled using CAIRIS – an open-source security design tool maintained by researchers at BU. To date, several publications have so far arisen from our preliminary work building [1] and applying the ACME Water exemplar [2, 3, 4]. We’re also using the exemplars as part of our teaching to provide case studies for Forensic & Computer Security lab exercises and seminars. Although the studies provided are hypothetical, they are grounded in real world data, and make visible to students the root causes of a variety of cybersecurity risks.

Looking forward, our work has gained the interest of a number of UK and international collaborators, and we’re looking for opportunities to build a library of human-cantered specification exemplars for many other, non-CI, environments. Such environments might include homes, and different types of ‘soft target’. Our long term aim is to make sure people don’t design security as an afterthought. Our work on BANCIS has made a small, but significant, step towards achieving this goal.


[1] S. Faily, G. Lykou, A. Partridge, D. Gritzalis, A. Mylonas, and V. Katos, “Human-Centered Specification Exemplars for Critical Infrastructure Environments,” in Proceedings of the 30th British HCI Group Annual Conference on People and Computers, 2016.

[2] S. Faily, C. Iacob, and S. Field, “Ethical Hazards and Safeguards in Penetration Testing,” in Proceedings of the 30th British HCI Group Annual Conference on People and Computers: Fusion, 2016. 

[3] D. Ki-Aries, S. Faily, and K. Beckers, “Persona-Driven Information Security Awareness,” in Proceedings of the 30th British HCI Group Annual Conference on People and Computers: Fusion, 2016. 

[4] A. Partridge and S. Faily, “The application of useless japanese inventions for requirements elicitation in information security,” in Proceedings of the 30th British HCI Group Annual Conference on People and Computers: Fusion, 2016. 

Fusion Investment Fund — Introducing the Bournemouth-Athens Network in Critical Infrastructure Security (BANCIS)

Although largely invisible to us, our lives are dependent on critical infrastructure (CI).  CI is made up of roads, rail, pipelines, power lines, together with buildings, technology, and people.  Some of this infrastructure is modern, but much of it is ageing and interconnected in so many ways that we fail to realise our dependency on CI or its dependencies until its loss disrupts our day-to-day lives.



This dependency has not been lost on governments, which now invest significant sums on securing this infrastructure from cybersecurity threats. Unfortunately, in most cases, this investment entails bolting security mechanisms onto existing infrastructure.  Such investment decisions are made by people with little knowledge of the infrastructure they are securing and, has such, little visibility of the impact that poorly designed security might have on the day-to-day delivery of these critical services.  Moreover, because technology innovation does not evolve at the same pace in different cultures, and security which mitigate the risks faced by critical infrastructure in one country may not be as effective in another.   The reason for these differences are myriad, and range from differences in working practices to expectations about the scale of infrastructure being secured.  There is, therefore, a need to evaluate security solutions against specification exemplars based on these nuanced, representative environments.  However, to develop exemplars of such environments requires data collection and knowledge sharing about nuances associated with particular forms of critical infrastructure for different cultures.

The Bournemouth-Athens Network in Critical Infrastructure Security (BANCIS) project will examine and model the nuances associated with two forms of critical infrastructure in different national cultures.  It will do so by building a network between Cybersecurity researchers at BU, and the Information Security & Critical Infrastructure Protection Laboratory at Athens University of Economics & Business (AUB). These nuances will be modelled as specification exemplars of UK and Greek water and rail companies. By developing these exemplars, researchers and practitioners will be able to conduct a cost-effective evaluation of new ideas based on realistic CI environments.  The exemplars will also help students appreciate the challenges associated with designing security for complex, real-world systems.  The exemplars will be modelled using the CAIRIS security design tool; this is an open-source software product maintained by researchers at BU. The data necessary to build these exemplars will be collected over a series of visits by AUB researchers to BU, and BU researcher to AUB.

Please contact Shamal Faily if you’re interested in finding out more about BANCIS, or getting involved in the project.

Cyber Security Seminar: Persuasive Technology for Information Security – Today, 4pm

Our next Interdisciplinary Cyber Security Seminar will take place TODAY (Tuesday, 27th January) at 4pm. The seminar will take place at Poole House in P335 LT, and will be free and open to all.

Our speaker will be Marc Busch. Marc is scientist at the AIT – Austrian Institute of Technology and is active at the intersection of persuasive technology and usable privacy and security. Furthermore, he is specialized in advanced quantitative and qualitative usability and user experience methodology, research methods and statistics in Human-computer interaction. Marc is involved in several international and national research and industrial projects, such as MUSES – Multiplatform Usable Endpoint Security. Before joining AIT, Marc was at CURE – Center for Usability Research & Engineering, where he focused on user experience and usability.

Abstract: Persuasive Technology is a vibrant field of research and practice, aiming to change the attitude or behavior of people. Persuasive technology has various different application areas, e.g. games motivating physical activity. An emerging application area is persuasive technology to increase information security and to engage people to protect their privacy. In the seminar, participants will hear about design principles for persuasive technology for promoting information security and also about methods to evaluate persuasive technology. Concrete examples and “best practices” will be given from a recent research project, in which persuasive technology is used in organizations to make employees comply with information security policies.

Cyber Security seminars for 2014-2015 start with a bang

Yesterday, we held the first of this academic year’s cyber security seminars.  We hosted Dr John Lyle from Facebook, who spoke to a packed audience in the Barnes Lecture Theatre about some of the challenges fighting spam at Facebook.  After his talk, John described how impressed he was with some of the thought provoking questions raised by audience.

Our next seminar will be on Tuesday, 25th November and will be delivered by Dr Andrea Atzeni from the Computer and Network Security group at Politecnico di Torino.  Andrea will be visiting us that week as part of our Fusion funded Bournemouth European Network in Interdisciplinary Cyber Security (BENICS) project.  Watch this space for more details about  Andrea’s talk.

Our interdisciplinary seminar series on Cyber Security is a wonderful opportunity to hear interesting, thought-provoking talks on a variety of topics related to security and privacy.  Although some of these speakers will be academic, their talks will be approachable and require nothing more than a general interest in security, and an enquiring mind.  We’re also interested in ideas about possible speakers or seminar topics, so please get in touch if you have any suggestions.

BU helping to evolve security and privacy by design

On Monday, BU researchers co-organised a workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) at the 22nd IEEE International Requirements Engineering Conference (RE 2014) in Karlskrona, Sweden.  The workshop brought together practitioners and researchers from around the world, who shared their thoughts about how security and privacy can be incorporated into the design of software as early as possible, without compromising productivity or sacrificing innovation.  The RE conference series is one of the premier conferences in software engineering, and the ESPRE workshop is the successor of several successful secure software engineering workshops.  Shamal Faily (SciTech) organised this workshop, together with colleagues from Germany (University of Duisberg-Essen), South Korea (Ajou University), and the USA (Carnegie Mellon University).

The workshop began with a keynote talk from Professor Angela Sasse (UCL), who described some recent research examining how companies build security into products they develop, and the need to change the discourse around usability and security.  Three technical paper sessions followed, before the workshop was concluded with an invited talk by Aljosa Pasic (Atos Research & Innovation) on some of the market trends and business challenges in security engineering.  Further information about the workshop itself can be found at .

We’re grateful to the Faculty of Science & Technology for co-sponsoring this workshop, and to all the workshop attendees for sharing their work.

Bournemouth European Network in Cyber Security (BENICS)

In recent years, the field of Cybersecurity has attracted researchers and practitioners from academic fields ranging from Computer Science and Design, through to Psychology and Business Studies. To date, however, these communities have not been influenced by each other. Their research are disseminated in a variety of workshops and conferences across these fields. As a result, there is a misunderstanding of the role these different fields play in improving cybersecurity. For example, some researchers describe people are “the weakest link” and encourage designers to build systems that “Homer Simpson” can use safely. Unfortunately, treating users as a problem limits opportunities for innovation when people are engaged as part of a solution. Similarly, treating practitioners like cartoon characters disenfranchises the very people that a design is meant to support. Bournemouth University is one of the few institutions in the world with interests across the disciplines contributing to Cybersecurity, a small enough size for academics across these disciplines to engage with each other, and the vision necessary to fuel this engagement. To take advantage of the opportunities afforded to Bournemouth, an interdisciplinary seminar series in cybersecurity was launched in September 2013. The seminar series has attracted both staff and students from across the university, together with practitioners from local industry with interests in cybersecurity. So far, this has led to connections forming across the Faculty of Science & Technology, and the Media and Business schools. Resulting collaborations with our seminar speakers have also led to prospective KTP and Horizon 2020 proposals, and invitations to deliver guest lectures at other universities.

To build on this momentum in interdisciplinary cybersecurity activity at Bournemouth, we have created the Bournemouth European Network for Interdisciplinary Cyber Security (BENICS): a FUSION funded SMN activity. Over the coming year, BENICS will bring five invited European cybersecurity academics to Bournemouth to engage in short (one-week), focused collaborative visits. These visits will introduce invited academics to Bournemouth’s cybersecurity capabilities, allow them to share their interests with us as part of the cybersecurity seminar series, and engage in short and focused proposal building, research, or teaching resource creation activities.

Following each visit, Bournemouth and the visiting academic will engage in pump-priming activities; these will refine deliverables produced to sustain the momentum created during the visit. These deliverables will form the basis of a joint publication at an agreed international conference or journal.

Watch this space for more information about these visits, and please get in touch if you’re interested in engaging with BENICS and our cybersecurity research in general.

Cyber Security Seminar: Everyday Security for Everyday Lives (Lizzie Coles-Kemp, Royal Holloway)

Our next Interdisciplinary Cyber Security Seminar will take place on Tuesday, 4th March at 5pm.
The seminar will take place in EB202 in the Executive Business Centre, and will be free and open to all. If you would like to attend, please register at

Our speaker will be Dr Lizzie Coles-Kemp. Lizzie is a qualitative researcher, interested in the everyday practices of information production, circulation, curation and consumption within a broad range of communities. She works in Possible Futures Lab within the Information Security Group at Royal Holloway University of London. Her main focus is the interaction between people and security and privacy technologies, how each influences the other and the communities of practice that emerge. As part of this focus, she explores topics such as identity and technology use, gender and information management and information control as a means of power. Current interdisciplinary work includes: value sensitive design in public service delivery, cultural analysis in institutional security and the use of visual research methods in interdisciplinary research.

Abstract: Over the last five years at the Information Security Group, Royal Holloway, a research group called Possible Futures Lab has been working on projects that explore what notions of information control mean in the context of everyday lives. We have two primary objectives: to improve designs related to everyday information production and control and to influence thinking on topics of everyday information security. Each of our projects has started with ethnographic research that has enabled us to identify and observe the relevant spaces and places. From there we have co-designed with each community discovery tools for seeing, experiencing and exploring these spaces. These tools help us to better understand the community viewpoints on information and its control and to design/re-design services and technologies to better support this position. This talk gives examples of this approach in two of our projects that focus on cyber security decision making.

Cyber Security Seminars: Suggestions for Speakers and Topics

If you have been following my previous posts then you will know that today is the final Cyber Security Seminar for this semester.  We hope you have found the seminar series interesting so far.

We are currently planning the seminars for next semester.  Please get in touch if you have suggestions for potential speakers, or topics you would like to hear more about. Although the budget we have available is modest, we will do our best to accommodate your suggestions.

Cyber Security Seminar: Approaching the Measurement of User Security Behaviour in Organisations

Our final Interdisciplinary Cyber Security Seminar this semester will take place on Tuesday, 10th December at 5pm. The seminar will take place in EB202 in the Executive Business Centre, and will be free and open to all. If you would like to attend, please register at

Our speaker will be Dr. Simon Parkin from UCL. Simon is a Senior Research Associate in the Information Security group at University College London, contributing to the Productive Security project within the Research Institute in the Science of Cyber Security (RISCS). He was previously a member of the Innovation Team at Hewlett Packard Enterprise Security Services (HP ESS) until mid-2012. From 2007 to 2011, Simon was a Postdoctoral Research Associate in the School of Computing Science at Newcastle University, where he also obtained his PhD. His research interests include: IT-security policy management metrics, models and tools; holistic IT-security management principles, and; IT-security risk management approaches and knowledge formalisation.

Abstract: Individuals working within organisations must complete their tasks, and are often expected to do so using secured IT systems. There can be times when the expectations for productivity and security are in competition, and so how would an organisation measure the outcomes in practice? We will review a series of interdisciplinary research efforts that characterise the human factor in IT-security within large organisations, as part of a holistic view of security. There are furthermore a variety of modelling approaches and frameworks that have emerged and informed this view. We will consider the challenges that remain in affording measurement of the human factor in IT-security within organisations, and some of the changes that are required for such activities to be sustainable and effective.

Cyber Security Seminar: Shiny Expensive Things: The Global Problem of Mobile Phone Theft (David Rogers, Copper Horse)

Our next Interdisciplinary Cyber Security Seminar will take place on Tuesday, 3rd December at 5pm. Our seminars are approachable, and require nothing more than a general interest in security, and an enquiring mind.

Our speaker will be David Rogers, who is Founder and Director of Copper Horse Solutions Ltd: a software and security company based in Windsor, UK. Alongside this he teaches the Mobile Systems Security course at the University of Oxford and Chairs the Device Security Steering Group at the GSM Association. He has worked in the mobile industry for over 14 years in security and engineering roles. Prior to this he worked in the semiconductor industry. David’s articles and comments on mobile security topics have been regularly covered by the media worldwide including The Guardian, The Wall Street Journal and Sophos’ Naked Security blog. His book ‘Mobile Security: A Guide for Users’ was published in 2013. David holds an MSc in Software Engineering from the University of Oxford and a HND in Mechatronics from the University of Teesside.

Abstract: Technology in mobile devices is continuing to advance at an incredible rate, but some of the old security themes continue to persist, mobile phone theft being one of them. This talk looks at the topic of mobile phone theft and what industry’s role has been in helping to prevent it and whether that has been entirely successful. The talk looks at what could happen next and whether it is possible to standardise usable anti-theft mechanisms within devices. It will also look at technologies such as biometrics for access control and whether Police and Government actions have been adequate in dealing with the modus operandi of thieves and fencers of stolen phones.

The seminar will take place in EB202 in the Executive Business Centre, and will be free and open to all. If you would like to attend, please register at

Can We Sell Security Like Soap? A New Approach to Behaviour Change

Our next Interdisciplinary Cyber Security Seminar will take place on Tuesday, 19th November at 5pm. Our seminars are approachable, and require nothing more than a general interest in security, and an enquiring mind.

Our speaker will be Debi Ashenden, who is a Reader in Cyber Security and Head of the Centre for Cyber Security and Information Assurance at Cranfield University, based at the Defence Academy of the UK, Shrivenham. Prior to taking up her post at Cranfield University she was Managing Consultant within QinetiQ’s Trusted Information Management Dept (formerly DERA). She has been working in cyber security since 1998 and specialises in the social and behavioural aspects of cyber security. Her research is built on a socio-technical vision of cyber security that sees people as solutions rather than as the problem. Debi is the co-author of, ‘Risk Management for Computer Security: Protecting Your Network and Information Assets’, Butterworth Heinneman (2004).

Talk Abstract: Many organisations run security awareness programmes with the aim of improving end user behaviours around information security. Yet behavioural research tells us that raising awareness will not necessarily lead to behaviour change. This talk examines the challenge of changing end user behaviour and puts forward social marketing as a new paradigm. Social marketing is a proven framework for achieving behavioural change and has traditionally been used in health care interventions, although there is an increasing recognition that it could be successfully applied to a broader range of behaviour change issues. It has yet to be applied however, to information security in an organisational context. This talk will explore the social marketing framework in relation to information security behavioural change and highlight the key challenges that this approach poses for information security managers. We conclude with suggestions for future research.

The seminar will take place in EB202 in the Executive Business Centre, and will be free and open to all. If you would like to attend, we encourage you to register at

Cyber Security Seminar: Incident Management (David Parker, Bournemouth University Cyber Security Unit)

I am delighted to announce that our next Interdisciplinary Cyber Security Seminar will take place on Tuesday, 29th October at 5pm. The seminar will take place in EB202 in the Executive Business Centre, and will be open to all. Our seminars are approachable, and require nothing more than a general interest in security, and an enquiring mind.

Our speaker will be David Parker from the Bournemouth University Cyber Security Unit. David is an experienced Information Security specialist with 21 years in government level security. For 17 years, he was the head of a UK Government CERT and has a global reputation for his knowledge and expertise amongst the CERT incident management community.

Abstract: The term CERT or Computer Emergency Response Team, in relation to cyber security, is increasingly mentioned in the media by those who have little understanding of what the term means or its functions. It is even seen by some as a panacea to many cyber security problems. The purpose of the presentation is to provide attendees with a basic understanding of what a CERT is, some of the associated operational issues and why more CERTs are increasingly needed in a global interconnected society.

Cyber Security Seminar: “Will people use this? Will they comply?” – Can we answer these questions (Chris Porter, UCL)

I am delighted to announce that our first Interdisciplinary Cyber Security Seminar will take place on Tuesday, 15th October at 5pm.  The seminar will take place in EB202 in the Executive Business Centre, and will be open to all.  As promised in my previous post, these seminars will be approachable, and require nothing more than a general interest in security, and an enquiring mind.

Our speaker will be Chris Porter from University College London. Chris Porter is a PhD candidate within the Information Security Research Group in the Department of Computer Science at University College London. His research focuses on the design process of identity-centric e-government services together with associated collaborative tools.

Talk Abstract: Design decisions have an impact on the end-user’s experience, and this could in turn influence the end user’s decision making process (e.g. on whether to use an e-service and/or comply with given security requirements). This talk will introduce Sentire, a technique that adapts and merges traditional software engineering techniques with UX (User Experience) and human-centric design principles. This technique, together with associated collaborative tools, helps designers and system developers quantitatively assess and compare the impact that various design decisions can have on the user’s experience (e.g. workload, willingness to complete the task). Persona Calibration, the driving technique behind Sentire, aims at eliminating the turn-around time (and costs) required to get feedback from end-users (required to pinpoint potentially risky decisions) and the concept of a re-usable persona library becomes central to the whole idea. Calibrated Personas are introduced as part of the requirements specification process. The technique has been applied to design decisions specific to e-government service enrolment processes, and some initial results will be presented giving us more scope for a general discussion/Q&A.