
Usable Security. A Systematic Literature Review

Usable security involves designing security measures that accommodate users’ needs and behaviors. Balancing usability and security poses challenges: the more secure the systems, the less usable they will be. Conversely, more usable systems will be less secure. Numerous studies have addressed this balance. These studies, spanning psychology and computer science/engineering, contribute diverse perspectives, necessitating a systematic review to understand strategies and findings in this area. This systematic literature review examined articles on usable security from 2005 to 2022. A total of 55 research studies were selected after evaluation. The studies have been broadly categorized into four main clusters, each addressing different aspects: (1) usability of authentication methods, (2) helping security developers improve usability, (3) design strategies for influencing user security behavior, and (4) formal models for usable security evaluation. Based on this review, we report that the field’s current state reveals a certain immaturity, with studies tending toward system comparisons rather than establishing robust design guidelines based on a thorough analysis of user behavior. A common theoretical and methodological background is one of the main areas for improvement in this area of research. Moreover, the absence of requirements for usable security in almost all development contexts greatly discourages implementing good practices from the earlier stages of development.

Goal-oriented requirements engineering: an extended systematic mapping study.

Over the last two decades, much attention has been paid to the area of goal-oriented requirements engineering (GORE), where goals are used as a useful conceptualization to elicit, model, and analyze requirements, capturing alternatives and conflicts. Goal modeling has been adapted and applied to many sub-topics within requirements engineering (RE) and beyond, such as agent orientation, aspect orientation, business intelligence, model-driven development, and security. Despite extensive efforts in this field, the RE community lacks a recent, general systematic literature review of the area. In this work, we present a systematic mapping study, covering the 246 top-cited GORE-related conference and journal papers, according to Scopus. Our literature map addresses several research questions: we classify the types of papers (e.g., proposals, formalizations, meta-studies), look at the presence of evaluation, the topics covered (e.g., security, agents, scenarios), frameworks used, venues, citations, author networks, and overall publication numbers. For most questions, we evaluate trends over time. Our findings show a proliferation of papers with new ideas and few citations, with a small number of authors and papers dominating citations; however, there is a slight rise in papers which build upon past work (implementations, integrations, and extensions). We see a rise in papers concerning adaptation/variability/evolution and a slight rise in case studies. Overall, interest in GORE has increased. We use our analysis results to make recommendations concerning future GORE research and make our data publicly available.

App development in a sports science setting: A systematic review and lessons learned from an exemplary setting to generate recommendations for the app development process

The digital health sector is rapidly growing. With only 4% of publishers out of academic settings, it is under-represented in app development. The objective of this study is to assess the current state of app development with a systematic review and a survey within an exemplary academic setting along the following research questions: (Q1) Are software engineering principles sufficiently known in the sports science app development context? (Q2) Is the role of sports scientists in the context of app development sufficiently understood? The systematic review was conducted by two independent reviewers within the databases PubMed, Scopus, Web of Science, and IEEE Xplore. The PICO schema was used to identify the search term. We subtracted information about five main topics: development process, functional requirements and features, security, technology, and dissemination. The survey was developed by a multidisciplinary team and focused on five main topics. Out of 701 matches, 21 were included in the review. The development process was only described in seven studies. Functional requirements and features were considered in 11 studies, security in 3, technology in 13, and dissemination in 12 with varying details. Twelve respondents [mean age 33(7) years, 58% women] replied to the survey. The survey revealed limited knowledge in the realization of security measures, underlying technology and source code management, and dissemination. Respondents were able to provide input on development processes as well as functional requirements and features. The involvement of domain experts is given in seven review studies and described in two more. In 50% of survey respondents, the role in app development is defined as a research assistant. We conclude that there is a varying degree of software engineering knowledge in the sports science app development context (Q1). Furthermore, we found that the role of sports scientists within app development is not sufficiently defined (Q2). We present recommendations for improving the success probability and sustainability of app development and give orientation on the potential roles of sports scientists as domain experts. Future research should focus on the generalizability of these findings and the reporting of the app development process.


A Systematic Literature Review of Requirements Engineering Education

Requirements engineering (RE) has established itself as a core software engineering discipline. It is well acknowledged that good RE leads to higher quality software and considerably reduces the risk of failure or budget overspending in software development projects. It is of vital importance to train future software engineers in RE and educate future requirements engineers to adequately manage requirements in various projects. To date, there exists no central concept of what RE education shall comprise. To lay a foundation, we report on a systematic literature review of the field and provide a systematic map describing the current state of RE education. Doing so allows us to describe how the educational landscape has changed over the last decade. Results show that only a few established author collaborations exist and that RE education research is predominantly published in venues other than the top RE research venues (i.e., in venues other than the RE conference and journal). Key trends in RE instruction of the past decade include involvement of real or realistic stakeholders, teaching predominantly elicitation as an RE activity, and increasing student factors such as motivation or communication skills. Finally, we discuss open opportunities in RE education, such as training for security requirements and supply chain risk management, as well as developing a pedagogical foundation grounded in evidence of effective instructional approaches.

Refining the PoinTER “human firewall” pentesting framework

Purpose: Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.

Methodology: We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirement to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.

Findings: Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice, and subjecting each technique to ethical inspection using a comprehensive list of ethical principles, we propose the refined GDPR-compliant and privacy-respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.

Originality: Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.