US4USec: A User Story Model for Usable Security

  • Conference paper
Research Challenges in Information Science (RCIS 2024)

Abstract

The constant integration of new technologies into our daily lives exposes us to various security threats. While numerous security solutions have been developed to protect us from these threats, they fail due to users’ insufficient comprehension of how to employ them optimally. This challenge often stems from inadequate capture of Usable Security (USec) requirements, which leads to these requirements being overlooked or not properly considered in the final solution and results in barely usable security solutions. A viable solution is to adeptly capture USec requirements. Although techniques like User Stories (US) have gained popularity for focusing on users’ needs, they encounter difficulties when dealing with non-functional requirements (NFR) such as USec. This occurs due to the lack of well-defined US models explicitly tailored to address these particular requirements. This paper aims to tackle this issue by proposing US4USec, a US model tailored for USec. US4USec has been constructed based on best practices for the consideration and integration of NFR into US models, identified via a Systematic Literature Review (SLR). The coverage and completeness of US4USec have been demonstrated by applying it to a set of security US.

Notes

  1. Detailed information about the paper selection, a summary of their contributions, and the pros and cons of each method used in the final selected papers can be found at https://zenodo.org/records/10806824.

  2. A security feature may not always depend on a functional feature. Consequently, the functional feature and its AC are optional.

  3. The list of 35 security US is available at https://github.com/OWASP/user-security-stories/blob/master/user-security-stories.md.

  4. The results of applying the US4USec model to the set of security US can be found at https://zenodo.org/records/10806824.

Acknowledgment

This study was performed within the framework of COST Action CA22104 (Behavioral Next Generation in Wireless Networks for Cyber Security), supported by COST (European Cooperation in Science and Technology; www.cost.eu).

Correspondence to Mohamad Gharib.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Gharib, M. (2024). US4USec: A User Story Model for Usable Security. In: Araújo, J., de la Vara, J.L., Santos, M.Y., Assar, S. (eds) Research Challenges in Information Science. RCIS 2024. Lecture Notes in Business Information Processing, vol 513. Springer, Cham. https://doi.org/10.1007/978-3-031-59465-6_16

  • DOI: https://doi.org/10.1007/978-3-031-59465-6_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-59464-9

  • Online ISBN: 978-3-031-59465-6

  • eBook Packages: Computer Science (R0)
