Project ideas

This list contains a number of suggestions for projects related to courses I teach, or research I undertake.  These projects are suitable as undergraduate or taught-course postgraduate projects.  These descriptions are just suggestions, to indicate projects of interest to me.  If you’re interested in a different project along the same lines, please do get in touch.

An Asset Elicitation mobile app

Security is all about the protection of assets, and, while designing for security, designers need to ensure they understand what assets need to be protected, and what security/privacy properties need to be safeguarded in different contexts of use. To date, however, there has been little in the way of tool-support to help designers elicit, elaborate and specify software assets during fieldwork activities.

The objective of this project is to build a prototype mobile app to help designers elicit and specify assets during fieldwork. The prototype should allow a designer to photograph and capture information about assets, and its design should not get in the way of other activities that a designer might be simultaneously carrying out, e.g. interviewing or observing participants. The app should store any data collected locally, but should also sync to CAIRIS via its web services API.

Privacy Impact Assessments with CAIRIS

Many organisations are readying themselves for the EU General Data Protection Regulation (GDPR). However, like security, privacy is a process not a product, and the GDPR requires organisations to not only comply, but to demonstrate compliance to an appropriate authority. CAIRIS was designed to tool-support Security-by-Design practices, but it appears to support many of the elements required for a Privacy Impact Assessment (PIA) as well, thereby providing evidence of Privacy-by-Design practices required by GDPR.

The objective of this project is to use and, where required, adapt CAIRIS to support a PIA. The possible artefacts from such a project might vary. It could be a case study report illustrating the use of CAIRIS in support of a PIA, or adaptations to CAIRIS (e.g. an output document format) that allow a PIA report to be automatically generated from a CAIRIS model.

Integrating Dradis with CAIRIS for improved penetration test reporting

Penetration test reporting entails merging the output from multiple tools into a coherent document that makes the case, on the testers' behalf, for the presence of significant risks, and proposes responses to address them. Tools like Dradis Framework leverage the interoperable nature of many common penetration testing tools, but while Dradis is effective at generating documentation, it doesn't natively support concepts like risk. The objective of this project is to integrate the use of Dradis and CAIRIS to develop improved penetration testing reports. This would entail using the Dradis and CAIRIS APIs to generate CAIRIS models that represent penetration test risks and responses. The resulting artefacts would be evaluated using a sample penetration test in which the target system has known vulnerabilities and risks.

Evaluating CAIRIS for different security & privacy requirements engineering methodologies

Although designed to support the IRIS framework, there is growing evidence that CAIRIS can be used to support other security and privacy requirements engineering methodologies too, e.g. SQUARE. The objective of this project is to take an existing security and privacy requirements engineering approach and use it to elicit, specify and validate security requirements for a target system. The artefact associated with this project would be a tool-supported instantiation of the selected methodology, together with adaptations to CAIRIS, e.g. to produce a requirements specification consistent with the selected methodology.

Integrating Security, Safety, and Human Factors Engineering in Critical Infrastructure with CAIRIS

Technology now encroaches on the operation of critical infrastructure in ways not envisaged by safety, security, or human factors engineers. Given the myriad of models used by different engineers, tool-support plays an important role in identifying the human impact of security on safety, and vice-versa. Working with a pre-arranged client, the objective of this project is to explore the use of CAIRIS for integrating techniques from security, safety, and human factors engineering. The client will provide a case study, and the artefact is expected to be a tool-supported process to elicit and specify risks and hazards, together with their human impact.

Tool-support for Persona Cases

Persona Cases are personas whose characteristics are both grounded in, and traceable to, their originating source of empirical data. There are various tools, ranging from spreadsheets to CAIRIS, that can be used to help construct Persona Cases, but there is no single tool-supported approach that practitioners or researchers can use. This project aims to develop such an approach by integrating the existing non-CAIRIS tools either into CAIRIS or into CAIRIS apps. The approach will be validated either with a pre-arranged client, re-using an existing Grounded Theory analysis, or by carrying out a small-scale study to validate the tool-support and the approach in general.

Security & Privacy Risks associated with NHS Data Sharing

These are challenging times for the NHS and related organisations in the UK health sector. In the context of continued austerity and increasing risks of cybercrime, the NHS is under pressure to treat an increasing number of patients with fewer resources. In this climate, there is growing interest in data sharing to support data science innovation, but there are obvious tensions between innovation, security, and privacy. Working with a pre-arranged client, the objective of this project is to elicit security and privacy risks associated with data sharing in the NHS. The client will provide a case study, and the artefact is expected to be a tool-supported process to elicit and specify security & privacy risks, together with a report on these risks and recommendations for addressing them that will be delivered to the client.