Eliciting Persona Characteristics for Risk Based Decision Making

Personas are behavioural specifications of archetypical users in Human Factors Engineering and User Interaction research aimed at preventing biased views system designers may have of users. Personas are therefore nuanced representations of goals and expectations that should be addressed when designing systems. Previous work has shown how personas may be validated by grounding in qualitative models; however, more evidence is needed on the applicability for grounding models in risk decision making research. We present an approach for eliciting persona characteristics for risk-based decision making by using Observe Orient Decide Act (OODA) as a modelling baseline. The approach illustrates how modelling personas based on decision makers’ understanding of risk facilitates designing for risk and uncertainty

Qualitative Adaptation: Informing Design for Risk-based Decision Making

Research on decision making during risk and uncertainty facilitates risk-based decision making by understanding techniques decision makers use to arrive at informed decisions. Approaches to the research usually involve a mix of cognitive techniques for information discovery and sense-making; these were methodologically not intended to inform design. We detail our experience in applying qualitative techniques to elicit persona characteristics from risk-based decision making data

Eliciting Policy Requirements for Critical National Infrastructure Using the IRIS Framework.

Despite existing work on dealing with security and usability concerns during the early stages of design, there has been little work on synthesising the contributions of these fields into processes for specifying and designing systems. Without a better understanding of how to deal with both concerns at an early stage, the design process risks disenfranchising stakeholders, and resulting systems may not be situated in their contexts of use. This paper presents the IRIS process framework, which guides technique selection when specifying usable and secure systems. The authors illustrate the framework by describing a case study where the process framework was used to derive missing requirements for an information security policy for a UK water company following reports of the Stuxnet worm. The authors conclude with three lessons informing future efforts to integrate Security, Usability, and Requirements Engineering techniques for secure system design

Persona cases: a technique for grounding personas.

Personas are a popular technique in User-Centered Design, however their validity can be called into question. While the techniques used to developed personas and their integration with other design activities provide some measure of validity, a persona's legitimacy can be threatened by challenging its characteristics. This note presents Persona Cases: personas whose characteristics are both grounded in, and traceable to their originating source of empirical data. This approach builds on the premise that sense-making in qualitative data analysis is an argumentative activity, and aligns concepts associated with a Grounded Theory analysis with recent work on arguing the characteristics of personas. We illustrate this approach using a case study in the Critical Infrastructure Protection domain. Copyright 2011 ACM

Towards Tool-Support for Usable Secure Requirements Engineering with CAIRIS.

Understanding how to better elicit, specify, and manage requirements for secure and usable software systems is a key challenge in security software engineering, however, there lacks tool-support for specifying and managing the voluminous amounts of data the associated analysis yields. Without these tools, the subjectivity of analysis may increase as design activities progress. This paper describes CAIRIS (Computer Aided Integration of Requirements and Information Security), a step toward tool-support for usable secure requirements engineering. CAIRIS not only manages the elements associated with task, requirements, and risk analysis, it also supports subsequent analysis using novel approaches for analysing and visualising security and usability. The authors illustrate an application of CAIRIS by describing how it was used to support requirements analysis in a critical infrastructure case study

Usability and Security by Design: A Case Study in Research and Development

There is ongoing interest in utilising user expe- riences associated with security and privacy to better inform system design and development. However, there are few studies demonstrating how, together, security and usability design tech- niques can help in the design of secure systems; such studies provide practical examples and lessons learned that practitioners and researchers can use to inform best practice, and underpin future research. This paper describes a three-year study where security and usability techniques were used in a research and development project to develop webinos — a secure, cross- platform software environment for web applications. Because they value innovation over both security and usability, research and development projects are a particularly difficult context of study. We describe the difficulties faced in applying these security and usability techniques, the approaches taken to overcome them, and lessons that can be learned by others trying to build usability and security into software systems

Persona cases: a technique for grounding personas.

Personas are a popular technique in User-Centered Design, however their validity can be called into question. While the techniques used to developed personas and their integration with other design activities provide some measure of validity, a persona's legitimacy can be threatened by challenging its characteristics. This note presents Persona Cases: personas whose characteristics are both grounded in, and traceable to their originating source of empirical data. This approach builds on the premise that sense-making in qualitative data analysis is an argumentative activity, and aligns concepts associated with a Grounded Theory analysis with recent work on arguing the characteristics of personas. We illustrate this approach using a case study in the Critical Infrastructure Protection domain. Copyright 2011 ACM