Security Fictions: Bridging Speculative Design and Computer Security

This paper begins with an observation: that threat identification is an intrinsically speculative practice. It requires imagining possible futures. Drawing on methods from speculative design, this paper presents an improvisational role-playing game designed to help software developers identify security threats. It deploys this game with seven software developers, who used the game to successfully identify diverse threats in their software. The insights from this deployment motivate future work on both the game itself and on organizational accounts of security. I call on the design research community to continue to apply its methods and perspectives to computer security, locating threat identification itself, like all speculation, as a site of social and political power.
