Security by Design

Designing software which is both innovative and secure is hard, because innovation and security get in each other's way.

As part of my doctoral research, I developed the IRIS (Integrating Requirements and Information Security) framework to guide the selection of the most appropriate design techniques for specifying secure and usable systems.

Building on this work, my research has examined how interaction design techniques could promote security by design. In particular, I have investigated how personas — a popular technique focussing on archetypes of user behaviour — can be used to support secure system design. This work is summarised in the film below.


Interaction design techniques are necessary but not sufficient for security by design. This is because we cannot make assurances about a system’s conceptual design without first making sense of the different kinds of data upon which design decisions are based. Both the quantity and the quality of the data associated with such design models mean that tool-support is essential when building non-trivial systems.


CAIRIS (Computer Aided Integration of Requirements and Information Security) was created to understand how the design of secure and usable systems can be tool-supported. CAIRIS is freely available under an Apache License from GitHub. It has been used commercially to elicit and specify requirements for critical infrastructure software. More recently, it was used to support the design of webinos.

You can find out more about CAIRIS by visiting its website.


Penetration Testing and Ethics

Image copyright Universal Studios


Penetration testers rely on technical flair, creativity, and ingenuity to find system insecurity. They also need to find insecurity without harming the system or encroaching on the dignity of those affected by it.

Given that such professionals are also known as ethical hackers, it seems surprising that very little work has really considered the ethical challenges faced by penetration testers.

I have started exploring the relationship between ethics and penetration testing, and have identified some ethical positions that testers take, and dimensions that shape how testers in these positions address ethical dilemmas.

We are currently using our findings to develop new teaching material to better prepare penetration testers for ethically challenging situations they might find themselves in [1].


[1] S. Faily, J. McAlaney, and C. Iacob, “Ethical Dilemmas and Dimensions in Penetration Testing,” in Proceedings of the 9th International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015), University of Plymouth, 2015, pp. 233–242.