User‐centred security applied to the development of a management information system

This paper aims to use user‐centred security development of a prototype graphical interface for a management information system dealing with information security with upper‐level management as the intended users.

The intended users were studied in order to understand their needs. An iterative design process was used where the designs were first made on paper, then as a prototype interface and later as a final interface design. All was tested by subjects within the target user group.

The interface was perceived as being successful by the test subjects and the sponsoring organization, Siguru. The major conclusion of the study is that managers use knowledge of information security mainly for financial and strategic matters which focus more on risk issues than security issues. To facilitate the need of managers the study presents three heuristics for the design of management information security system interfaces.

This interface was tested on a limited set of users and further tests could be done, especially of users with other cultural/professional backgrounds.

This paper presents a useful set of heuristics that can be used in development of management information systems as well as other practical tips for similar projects.

This paper gives an example of a successful user‐centred security development process. The lessons learned could be beneficial in software development in general and security products in particular.