
Thank you, thank you very much indeed. It's an absolute pleasure to be here, and thank you for such great talks; I've had a great day, a really interesting day. And thank you for hanging on until the end, that's also very exciting. As you can see, I am nowhere near as cool as the other speakers in terms of my titles, so this looks like a fairly dull title. What I really hope to achieve over the next forty minutes is to get you to stop and think a little bit, to get you to challenge some of the things that you perhaps take for granted: that people are the problem, that people are the weakest link, that we could make security work if there weren't people in it. I know that you don't really think that, but I also know, because I've worked in security for a long time, that we default to that as a community. I'm going to put the emphasis on "we" here, because I'm as much a security person as everybody else; I just come at this from a slightly different angle.

So what I want to do first of all is orientate you to the position that I'm coming from, the direction of travel, otherwise it's going to be a very confusing talk, just so you get where I'm coming from. Then, once we're all on the same page, we're going to have a bit of a canter through people-centred security. There's actually quite a strong tradition now, going back over 20 years, of thinking about people-centred security, so a little bit of where it's come from and what it's doing. Then we're going to think a little about why it matters, and a lot of what you've been talking about today is exactly it: you've been talking about cloud services, about IoT, about connected spaces, about the internet as an "us" thing. It's all of that, and that really changes how we need to think about security and control from a people perspective. Then we're going to move into a little bit about futures, and then possibly we'll talk a little about engagement.

OK, so, first slide. I work with a wonderful artist called Alice Angus. If you photograph any of these images with a view to publishing them through Twitter or social media, all I ask is that you credit Alice, because Alice does just wonderful work. I'm not worried about me, but I always want Alice to get the credit she deserves.

So I started in security in about 1990. I'm not a computer scientist and I'm not
an engineer, which is going to become extremely apparent very quickly as we go through this talk. I was a linguist: I did linguistics and Scandinavian studies at university. I came out of university in the late 80s with an understanding of natural language syntax and semantics, kind of, and I also spoke fluent Swedish. That makes for an interesting career path. I wound up working in computers because they were hiring, and I wound up teaching on the Unix equivalent of Office, Uniplex, if anybody ever came across it. In 1990 I'm teaching spreadsheets, and the Swedish military rock up. They're using Unix, they're using AT&T's MLS, so they're using a secure operating system, and they want this office stuff to run on AT&T's MLS. One day I'm teaching spreadsheets, the next I'm part of a porting team trying to work out how to get this software to work in a restricted environment, and that was me in security. I haven't left since, because I think it's fascinating. I went on to work in access control systems: I went to work for a Unix access control systems company, who then started to branch out into forerunners of PKI. I moved from there into security management, working for a large organisation on their security management, and then moved into accreditation and certification. So far so normal; it's a pretty normal career trajectory. So in 2007, 2008, I moved to Royal Holloway as an academic.

If you'd met me, if you'd had a conversation with me in 2007, I would have told you that information security compliance is a public good: it's important that we protect our information, it's important that we look after our systems, because if we look after our systems then we ourselves become protected. That's what I would have argued, and I kind of argue that today, but we'll have some different perspectives on it.

So if we look at this picture from Alice, I love this picture, because the coloured-in parts represent how I would have thought in 2007. I would have thought, obviously I'm not an engineer, I would have thought that we had
cogs. But moving on from that point, I would have thought about the security of the individual elements. I would have thought in terms of the OSI layers, and I would have thought about securing from the base and working upwards, and about the different security that I put into those layers. The people would have been the things that make the systems work, and they would have been an extension of the system. Obviously we treat them nicely, because that's what you do, you treat people nicely, but we would have encouraged compliance, we would have done policies, we would have done training and awareness, but the whole purpose would have been to work with them so that they work as the system wants them to work: to comply, to align with the security of the system. I wouldn't have had any interest in the parts that are greyed out. I wouldn't have had any interest in the sorts of lives they led, in the relationship they had with their employers, in how they feel about big, powerful institutions. All that conversation, that brilliant conversation we've just had, I wouldn't have had a clue about its relevance and its importance.

I go off to Royal Holloway. I was going to teach information systems; it was going to be the same thing, and we were awarded a project called VOME, Visualisation and Other Methods of Expression. The first part of the project was to understand why people disclosed what they disclosed online. I was doing the systems bit, but we were working with Sunderland City Council. Anyone been to Sunderland? OK. Sunderland is actually a real trailblazer when it comes to digital civic environments: in the 1980s they started with the Electronic Village Hall, and by the time I got there in 2007, 2008, they were really pushing online digital services. For them, politically and philosophically, digital engagement was a form of empowerment. This is just before the financial crash; let's just keep that
in our minds. I started working with groups across Sunderland. Sunderland is one of the more deprived areas in the UK, and I start working with community groups, with the long-term unemployed, with families separated by prison, with refugee groups, with families who have a lot of complex needs that need support. They're all using digital services, not out of choice, not because they want to go shopping, but because they need to in order to access essential statutory services; this is just beginning. I start running focus groups, we start running interviews, and I start talking about security and about whether people share passwords, and password sharing being a bad thing, and there were two pushbacks that used to come at me pretty much every session: "Why should I?" and "Make me." I'd say it's a public good, everyone wants to do it, of course you do it, it's really important, and I realise I don't know how to respond to "why should I?" and "make me." That's really interesting, because suddenly all that about people complying because it's the right thing to do, people complying because that's the agreement that we have, and we're right down at the bare metal: what's in it for other people, what's in it for me to work with this, why should I? And we started to build on that, decided to work with that and look fundamentally at why you would comply, why you would do security, what is in it for people to do it. That's really what I want to talk about today. The other thing that we learned as academics is that our methods of engagement had to change completely if we wanted to have that conversation; we had to really change the way that we engaged. If we have time at the end we'll talk a little bit about those methods of engagement, because it's kind of a neat symmetry: we worked with clowns to learn how to do it, and that kind of takes us back full circle to where we started this morning, and I think that's a really nice point, so I might get to that.

The two takeaways from this slide, and most slides won't be this long, but this is an important slide to get us onto the same page: when we think about the OSI stack, which I guess most of us here are very familiar with, there are two layers we need to add on. At the base of the stack we need to add the political and economic model that drives the controls, because that really shapes the meaning of the controls, the security that technologies offer, and the breadth of
the power that the technologies have, and that's a really important point. So we need to think about the political and economic model, the context in which these technologies operate. The other thing we need to think about, at the top of the stack, is almost like an HCI layer, a human-computer interaction layer. We need to think about how people interact with those technologies individually, but also how they connect technologies together, because as technologies become more consumable, as we start to use different consumer, AI, cloud-driven technologies, people can couple those together in different ways to make completely new systems. One of the really interesting things that we learned is how people were taking what we think of as discrete services and bolting them together, initially with things like Dropbox, but now, as we move on, they become more sophisticated and they can start to create whole platforms made out of different systems, sharing information, moving information across this platform, that we hadn't even imagined, for purposes we hadn't even conceived of. There's a really interesting challenge about how we work with that.

So how does people-centred security help us? Well, usable security. The tradition that we have with security technologies is that the security technologies are typically uncaring: they don't care about people, they're kind of indifferent towards users of technology. Now actually I think that's slightly unfair. If you go back to papers from the early to mid 70s, there was always a voice that knew that people mattered; it was a question of how you articulated it, how you brought it to the fore. But we move to the mid-90s and it was really clear that usable security was beginning to get a voice. It was part of the HCI movement, it wasn't driven from academia, it was driven from industry, and it was this idea that security technologies were designed for the users, not against them: users weren't the enemy, security technologies had to include usability design and testing and also consider user needs as a fundamental part of the system. We start to see papers, we start to see arguments not just coming from academia but also being driven by individuals that had a foot in academia, a foot in standards, a foot in industry. Yes, that gives us three feet, but you see where I'm going with this, right? They're spread. There are really interesting people that start to argue this; in the UK that was led by Angela Sasse at UCL, and her argument was economic: if you turn out poorly designed security technologies, it forces people to make choices that are inherently not good choices, and that isn't just bad for the individual, that's also bad for the organisations and the service providers that they're working
with. In 2013 Angela Sasse is still arguing this point. She's still arguing that we need to really think about where we put usability. The real battleground for this is in authentication and identification, and she's arguing that we're still turning out authentication and identification technologies where the burden sits with the user. If we ask the user to take the burden, people either won't, or perhaps they can't, they're not able to; maybe it's capability issues, maybe it's cost issues, and we're going to come on to those in a minute. But it also creates friction, it creates frustration, it creates anger, it also creates conflict, particularly in the workplace, where you're being tasked and driven to achieve goals, to improve performance, and you're paid on that performance, and security is getting in the way. So you've got a real conflict here: you've got job security, you've got financial security, you've got technical security. What do you think is going to win out? And also, she makes this point, usability is not just in the way that I enter my password, how I structure my password, what I use to authenticate; usability is also in the messaging, it's also in the packaging, it's also in the support. So she's beginning to pull the surface of the system wider, and this authentication and identification battleground becomes the beginning for not only usability but also accessibility and inclusive design; we're beginning to see that come in around 2013.

There was a growing body of literature, and all the time this literature is pulling the surface of the system wider and wider. So we started with the way that I interact, hands on keyboard; then we start to think about messaging; then we start to think about service design; and now we start to think about how we work as a network, how we collaborate with security. That starts to emerge: how we communicate with each other across a network to agree what the goals and the values are. We start to think about how things that you probably take for granted, risk assessment, audit, training and awareness, are also a way in which we communicate what has value, and how we do that communication. So it's beginning to come wider, and it gets support. There starts to be recognition within the research institutes, particularly the Research Institute for Sociotechnical Cyber Security, which is part-funded by NCSC, that engagement is important: trust and communication channels, how do we open those up? And of course these are really important now, because we've got rid of a lot of our face-to-face interaction. We got rid of face-to-face interaction, we start to chain processes together, we start to make them more efficient by cutting out human interaction, and then we realised that we've also
lost trust in communication channels to have that conversation about what matters and why it matters. So we have to start putting that in, because we realise that unless we have those contact and interaction points, day-to-day frustrations don't get resolved, barriers don't get resolved, so we need to find a way to have that conversation. So whilst we put a lot of money into figuring out how to make security technical, how to make it efficient, how to make it effective, a lot of the conversations we've been having today, when we get rid of the human we have nowhere, we have a really difficult discussion about how we build up trust, how we work out where this doesn't work for people: people who don't fit the pattern that we've created, people who don't fit the archetypal user that we thought was going to use the service or the technology. How do we get that to work? How do we figure out responsibility? You see, when we had small processes that were put together with interaction with people, we could work out responsibilities as we had that conversation; we could work out which bit you were going to do and which bit I was going to do. I chain services together, I put these as one task after another without interaction, and if I don't attend to who has responsibility for what, I wind up with a problem when either it doesn't work, or it doesn't work as it should do, or it doesn't work in a way that works for me. So you start to get real anger building, you start to get pushback, and these friction points that Angela talked about are no longer friction points, they become friction fields, if you like, that we're working with. That starts to cause unexpected results, it starts to cause anomalies, it starts to cause problems in services, because we can't work out where these problems are coming from: it wasn't in the design, it wasn't in the assessment, it wasn't in the testing, and now we've got problems in the way that services work.

In 2017 NCSC start to make the point that we have to get human factors not only into technologies but also into security policies, and this phrase: every solution must survive contact with the user. What does that mean, and who is the user? Because there isn't one user, there are many different types of users; it's not a universal user. So how do we take that on board? This pushback that this isn't about the weakest link, it's about working with people. It's like a sports team: we can't say all the players are weak, we have to work as a unit, as a team, and we start to get this strongest
link argument coming out from NCSC, and we get You Shape Security. You Shape Security is a downloadable piece of guidance from NCSC, and what's interesting about it is that it's not like normal guidance. It starts with the observation that people shape security. I think we could possibly argue that people shape security but also technology shapes people, so there's a back and forth going on there; it's not just about agency with people or just with technology, it's actually about the interaction between the two. But then it makes the point that security starts with engagement. This is a recognition that we don't just have a user, that we have lots of different types of users; we have people in different contexts, with different constraints, with different goals, and somehow in our security design we need to take account of that variety, of that plurality. So we need to put a lot more emphasis on engagement. We need to start to understand what the security issues are that people face, rather than going to people and saying, these are the issues I want you to be worried about, these are the things I want you to do, but also understanding what's causing issues from the perspective of people. And then it's also about dialogue and engagement; it's not about one-way translation.

So there was a brilliant point earlier about educating people, and I think you're absolutely on, but there are lots of reasons why people can't do what we're asking them to do. It might be because that's just not how their job is set up; it might be because they don't have the resources necessary. There was a brilliant point about accessing GPs: accessing a GP virtually not only requires that you have a smartphone, but that you've got enough data on your smartphone. When I work with families, particularly in economically deprived areas, it's interesting the way families work: often the youngest people in the family have the best-spec phones, older people have much simpler phones. I now need to access a statutory service, could be a health service; I can't access it from my phone as an older person, so I've now got to negotiate access with my 13-year-old son. I want to take data off him, I want to use the phone, I want to share some really sensitive information and possibly some photos, and I need to do that not from my phone but from his phone. That is a serious security issue, it really is. For some of us that might be a cause of amusement; if you're in an adversarial relationship with your son, this could actually be a serious flash point, this could actually become a point of leverage in what's already a very difficult relationship. And this is really it, it's happening. I'm taking an extreme example,
but you see where I'm going here: it's not about having access to a piece of kit, it's about having access to the network. It's also about having space in which to access it. When we looked at home working, when we looked at home education during COVID, it's not just about having a laptop with a camera and internet, it's also about having enough space in the house that you can do the work. I don't know how some of my colleagues survived; my kids are a bit older, but holding down a job teaching, with two kids doing home schooling, with one, two, maybe three rooms to live in, including the kitchen, and to do that for months on end; I think they're just heroes, and to still be standing is incredible. So we need a much bigger understanding of what constitutes usability and accessibility, and this is not a lone-wolf game; this is collaboration, collaboration between technologists but also collaboration between users. We saw this again during COVID: if people in resource-challenged environments were to get through digitally, they had to collaborate, they had to start sharing resources, they had to start sharing understanding, start sharing know-how, and sharing how to keep themselves safe online. So usable security in the last 20 years has come a long way, and You Shape Security was really a sea change, a really important sea change, in the way that we think about security, what the start point is. Whatever one's views are about our security institutions, it gave space to the fact that engagement, interaction and dialogue are important. Which brings us into why it matters.

OK, so this is a cross section from one of Alice's pictures, and this is really highlighting how technology is in and around all of our lives. We're working at the top of this picture, we're shopping at the bottom, we're travelling, we're communicating with our environments, we've got bits of legacy security kit here, we've talked about all of those today, we have an Amazon drone at the top. So we've got lots of different technologies going on in this environment: picking up data, sharing data, us generating data, using it for home, for work, for getting about. This idea that we can separate our environments has long gone, left the building completely; that's not how it works. We've talked a lot about discrete systems today, I think, which is interesting, and yes, that's important for critical national infrastructure, it's important for specific environments, but for most of the people that I work with, their lives are completely enmeshed, and they link all of those environments through cloud services, they link them through smart technologies,
but they won't be first-generation, they won't be latest-generation smart technologies; they'll probably be hand-me-downs, or they'll be older technologies that they're hanging on to, and they'll be juggling these environments. How we do security in that environment is, I think, absolutely critical, because they're working, they're contributing to society, they're bringing up kids, they're supporting parents, they're doing all the things we need for a healthy and creative society, and all of that is going on. Yes, absolutely, security of the individual parts of technology is absolutely critical, and the more we can do to secure that stack is really important, but we also have to understand that all of this is operating in a political and economic context for people, and that they are joining their environments together using a whole range of services.

So that means, and this is takeaway one, that when we talk about working with users, when we talk about working with people, we must understand the bigger picture. When we're designing security awareness, security interaction, security education, because what we want is to drive up controls and the quality of controls, to raise that bar a little bit, as FC talked about this morning, we have to understand what the attitude is towards change and stability, we have to understand how much risk people can take in their environment, we have to understand levels of trust. We talked about this in the last talk: what is the trust that we have with those institutions, whether it's the state, whether it's your employer, whether it's the health service? We've got to understand whether there's trust there, what kind of trust relationship is there, because that really shapes what information is shared. What are we doing? Are we just entering data, or are we building a relationship? Have we got a back and forth, or are we simply shipping data to somebody? So what are we doing: are we asking people to do tasks, or are we asking for more of a back-and-forth interaction? What's the motivation that people have to do this? How motivated are they? If they're on a zero-hours contract, if there's nothing really coming in terms of a commitment towards providing employment, how much motivation comes back the other way to actually protect that data? If I'm in an environment where I have a good relationship and I'm motivated to do that because I can see how I'm building and working towards something, then we have a motivation. It might be an economic incentive, but probably not just economic; there's also a social values perspective to this. If the social values have been taken out of the equation, if there's no trust, if there's no responsibility, then what's my motivation to really engage with that? So
we have to think about motivation. Time perspective is super important. Often, I think, in our community we think about risks next month, next year, five years out from now. The less resources you have, the more it's about getting to the end of the day, maybe getting to the end of the week; it's not about thinking that far into the future, because you can't. We've got a whole generation coming through now where they're struggling to see how the future is going to pan out. You've got massive financial precarity coming across society, you've got climate precarity facing society and particularly the younger generations, whereas perhaps my generation, yeah, we thought about getting a job, we're going to build up a house, we're then going to move towards a pension. How does that work when that's not the horizon you can see in front of you? That massively plays into how we engage with digital services online, because how am I thinking about the threats, how am I thinking about the risks, what do I actually want to get out of that interaction? And then we have working styles. Some people are very individualistic in how they work, so if they work with very smooth service surfaces, services that are about individual working, that don't offer much space for collaboration, that will work well for them. For those who like collaborating, for those who like interacting, those who like to work not as individuals but as a group, that raises a really important question in terms of whether that service is going to work for them, how they build security. So this bigger picture is really important to understand: different individuals, groups of individuals, will have different characteristics, and how we therefore pitch security in that setting is super important.

Collaboration matters. It really matters, because it's too big to work on our own; these are not individual controls. One of the things that has been screaming at me all day is how complex this is, how complex these systems are. We can't manage this as individuals; we have to collaborate, collaborating teams, and also collaborate with technology; we have to work together with technology to respond to a lot of these issues. So once we've worked that out, once we've worked out how we're going to build collaboration, we've worked out what the mindset of people is, their attitudes towards the service, their attitudes towards the institution, once we've understood what their motivation is for security, once we've understood what their constraints are, we're then into something that Mikko Siponen, a security scholar, has really been talking about from the early 2000s: that it then just isn't about pushing controls onto people. So once we've got an understanding of the sorts of controls that are going to
work, how we're going to frame them, we need to work out whether what we're asking people to do has self-efficacy: are we asking them to do things that they can actually do? A really good example of this is multi-factor authentication. For somebody who's visually impaired, multi-factor authentication can be massively problematic, because by the time the text-to-speech reader has articulated what's necessary, that box is already gone, and before you know where you are, depending on the setup, you can become locked out of services. So multi-factor authentication works for some, but it doesn't necessarily work for everybody. Normative beliefs: is this something, are you asking somebody to do something, perhaps it's surveillance, perhaps it's tracking, perhaps it's auditing movements, that conflicts with the beliefs that they have? Is this a threat they can relate to? All right, so you're asking me to update my firmware, you're asking me to update my IoT device; why would I care? I want to boil the kettle; I don't care whether it's been patched or not. You might be worried about a botnet, but why am I worried? As long as I can boil the kettle, get my cup of tea and get the kids out in the morning, I don't care whether my smart kettle has been patched or not. Response efficacy: so you've asked me to do all that; is it actually going to protect me? Am I actually going to get the protection that you say I'm going to get? One of the brilliant things about today is that you provided lots of examples of how I might shut the front door, but actually people can get around, under, across the controls. People aren't daft: are you actually asking me to do something, or is it just compliance theatre? Is that something that you need me to do because you need to tick a box? What is it actually doing for me? And then visibility: is this something that is visible as part of my everyday life, that I actually have sight of? Increasingly, controls are partly hidden, they're partly submerged, and it's really important that people have visibility of the way that they're being controlled. So once we've got through that lot, we've ticked the boxes and people are, yeah, willing to comply, we then need to get to the actual compliance: there has to be reward, there has to be a benefit to doing it, and there have to be clear sanctions if it doesn't work.

So when we talk about education and awareness, we need to look at that bigger picture, and then we need to think about the individual controls that we're asking people to do, and we need to think about, first of all, whether people can comply, whether it ties in with their view of the world, whether it ties in with threats that relate to them, whether it's actually going to do something for them, because it will come at a cost. And then, once we get to the point of deploying a control, we have to be really clear and honest, really honest, about what the benefits are and also what will happen if it doesn't work. OK, so that's the backdrop. If we're talking about people and security, we're talking about making people aware, we're talking about getting people to do the right thing; those are two aspects that really need to be kept in mind, but we have this wider space, and without doubt this type of work has really changed the way that we engage.
[Music] one of the things that it's done is really got us to think about who or what is being secured what is actually being secured here is it the company's data is it the person's job is it the health and safety of employees is it the well-being of an individual what actually is being secured here by control because of course initially it's the data it's the computer but what does that stand for what does that mean and that actually really came up with the metaverse talk that's a really important dimension for for for that for the conversation when we get into multi-dimension security who or what is doing securing is it the technology or is it the fact that we all sign up to
the goal and we'll use the technology to do it so what's really the active ingredient in doing the security sometimes it's a technology sometimes it's a will to work with that technology sometimes it's more values and normative beliefs so really understanding what's really got the securing power and that's super important because if you want to tighten up a control if you want to tweak a control you need to go to the bit of the control that's actually doing the main part of the work why do you want to secure something let's be honest why do we want to secure something and that's a really important conversation particularly as people have more and more options to opt out of the
infrastructure that they're working with. And what are the threats? It's perfectly possible to have multiple answers to those questions and to develop ways of doing security that accommodate different answers to that model, but we at least have to know what the answers are.

So how do we do that? Lego. It's obvious, isn't it? Lego. So back in about 2012 we started doing some risk modelling as part of a project called TRESPASS, and we did some risk assessment. And this, of course... do you know what this is? This is an IPTV micropayment system, that is of course what this is, and it was a small community organisation that was looking at rolling out micropayments over IPTV, over television, because that's a television, of course. We did a regular risk assessment and they all took part, the service providers all took part, and then we went back the next week when we'd done the analysis and they didn't relate to what was on the paper at all. So I worked with a researcher called Claude Heath, and we had a couple of failures, and then he thought about Lego. He brought a box of Lego in and he worked with the service providers, the intended users of the service and some of the regulators to model the service in Lego, and that was it: we were off using Lego, and it was amazingly effective.

So just to translate it for you: the little blue dots, that's data; blue dots with pink bits on is encrypted data; the two elements you can see in the foreground that have witches' hats, those are the regulators. What was really interesting is that all parties were unified on how the regulators were going to be represented, which I thought was really interesting: they were big threat actors. Now, conventional risk assessment would never have flushed that out. What's also very interesting: in the front of this picture you've got a family accessing a television to make a payment. You've got the mum at the back there, and it's the 13-year-old son who is making the payment, because he's the one in the family that does technology. That big blue and green slab, that's an 80 pound bill (we'd probably make it 380 now) that has come in through the door for utilities, and the size of the bill, the size of that object, reflects what a big impact that is on the household budget. Because the bigger the dent in the household budget, the more decisions get made as to how that's going to get handled, and compliance is not necessarily top of the agenda. It's a topic I'm going to come back to. What's very interesting at the back of that model is the constellation of service providers that come together to provide that service, and again we wouldn't have seen that in a normal risk assessment, and the communication that's going on between them. What's also interesting is the role that people play, and the later version of this model has people, gatekeepers, doing the communication, getting the values in line, dealing with that big-picture stuff that was on the slide.

So we started to work with Lego. We travelled, we transferred to Australia with Lego; actually we went all the way around the world with Lego. And we didn't do the building: communities did their building, service providers did their building. What we found very interesting was that whereas it might have taken us 30 hours to do a risk assessment, we could do it in about three with Lego. I was once asked about the accuracy of the Lego, but actually it's a pretty good approximation for what the risks are. It's actually a pretty good way to get groups to start to think, and to get service providers to think about what the service provider actually means. What's also really interesting with this approach is you start to see things coming to the fore that we don't really have good words for in security. A lot of it's about availability, the flow and the reflow of information and the importance of availability. Resilience: not just technical resilience if things go wrong, but emotional, financial, social resilience. Resistance: so those regulatory figures, there was a lot of conversation about the pushback against the regulators, about how the regulator would be handled, and so you see how much resistance is coming into a particular picture, and of course you want to reduce the amount of resistance because that just takes up time. And the importance of careful relations, the importance of having those human gatekeepers, the point of having human nodes that would support that process, because that helps to direct information but it also helps to align values.

And the other really interesting thing about the Lego was that it gave people a sense of perspective, because we were putting them on big long tables and actually the service providers would see just how far away they were from the endpoints. That was a real shock: they hadn't, in their minds, thought about the distance between them and the people they were providing services to. There's something really interesting about walking around a Lego model and seeing what you can see from different vantage points, and it really helped to move this idea of distance, this idea of not all being on the same page, this idea of people having different goals, different objectives,
different outlooks. There's also a way, if we did that interaction properly, of bringing up missing and hidden voices, people who aren't usually part of the discussion. That's always been a big part of our work since we started in 2008: understanding how people see security differently. You can't solve it with Lego, but you can at least get it on the table, you can at least see where the conflict points are.

We then decided to see if we could use Lego to measure the effectiveness of controls. Bear with me. So Claude started to digitise the Lego images and started to see where we get clusters of responses and attitudes and feelings, and started to build bar charts around the different types of controls, the different roles that people played, whether these were security roles that were about protection or whether they were security roles that were about enablement. So here, for example, you've got the different roles that people play, but you've also got, at the top here, the number of supportive keywords around those roles, you've got the amount of adversarial, where people see this as adversarial. You start to also see which bits of it are infrastructure, both social and technical, and you also get to see how much the data is actually flowing through that infrastructure. So these are just ways in which we've played, experimented, with seeing the strength of security controls through this lens of resistance, through this lens of availability, through this lens of resilience, and also through the lens of careful and supportive relationships, something that we've lost as we start to make services more efficient but something that's clearly very necessary to making this work from a people-centred perspective.

Where does the future go with this? Well, I think that we are going to have to move away, and I think you've really highlighted this today in the talks that you've given, we're going to have to move away from this idea of the universal user, as we move increasingly to a point where people can work with these technologies in different ways, in different contexts and different configurations. We need to start thinking about those different contexts and those different configurations. (That's somebody's back.) And yes, so we need to think about that, and how do we do that? This is not simply about user requirements; it's also about understanding how people connect those technologies together and what that means for them. We need to understand it in the everyday. We need to understand how people can have different attitudes and different reactions towards technologies; they can feel differently about different technologies and different services, and understand what that means from a security point of view. You can't just capture that as lines on a requirement specification. You need to understand how it all fits together, how it fits together into people's day to day.

We're beginning to see narrative-driven analysis, and by that what I mean is that you start to create archetypes of users and then you put those archetypes into typical day-to-day interactions, into different day-to-day experiences, and you start to see how the security works across those different experiences. That gives us a way of understanding how people experience technology and experience security and where it breaks down, and then we can start to think about what we do with that. So an example of that: we're looking at this for, for example, digital identity technologies and how inclusive some of those technologies actually are. So we're creating archetypes of people who might use digital identity technologies and then we're looking at their typical day-to-day experiences, the sorts of things they do and where they have to use their technologies, and we're seeing which parts work, where those technologies don't give the kind of functionality that's needed, or where the technology prevents them from carrying out some of their identity activities. Wider service design: understanding how economic, political and social contexts shape people's ability to use technologies. Enhancements to civic capabilities: this was something I think that came up quite a bit with the metaverse, absolutely came up in the last talk. What is it that we expect people to do
with technologies? How do we expect people to regulate or to self-regulate technologies? How far does regulation come into this? Building up this idea of what is a digital citizen. It's fascinating to me that the Scouts have a badge on digital citizenry. I find that really, really interesting: it's about engagement, it's about interaction, it's about safety, it's about privacy. It's a really interesting programme, and of course they're not the only ones.

We also have to start to deal with this point about where digital security stops and starts. So we've talked about it today largely as the protection of information, we've talked about it largely as the protection of technologies, stopping people from getting in or what to do with them when they do get in. But those digital platforms, and I think you mentioned it a bit when you were talking about television, it means a lot. It isn't just about the provisioning of tasks; it's about safety and well-being. My phone has probably got a very similar build to some of yours in this room, but it holds memories, it holds connections to people that matter to me. There are things that actually really matter to me on that phone, and what matters to me and what matters to you are going to be very different things. It's also about my well-being: there's quite a bit on that phone that could be about my well-being, perhaps might be about my financial security, depending on what you use it for. But I think what's important here is to understand that digital security, it's important to think about it in its own right, but it also bleeds into so many other forms of security. So when that digital security goes wrong, it's not just that the data can be accessed, it's not just the systems that can be accessed, but people's well-being can be seriously compromised. That's something we're going to have to get our heads around, because once people lose trust in the technology and we've given them no out, at that point we are stuffed. I would say that would be my academic argument: at that point we are stuffed.

And I'm going to finish on that point, before possibly briefly talking about clams. So this is a picture that Alice drew of a street. This is a really important scene; it's the full civic picture, with people going about their everyday, digital in lots of different aspects. What makes that scene a safe scene, what makes that civic safety, is because we're all pretty much swimming in the same direction, we're all pretty much signed up to the same principles. I guess what always fascinates me in a picture like this is not why people's data or technology gets nicked, it's why it doesn't get nicked. That's the fascinating question, always: how come it works? How come payment systems work? I'm truly mystified by how that works, and I put that to you all today: I mean, how does this work? And the reason why it works is because, broadly speaking, people will sign up to the rules of the road. We're coming into an autumn and a winter where people are going to get stretched in ways that we can't imagine, and our social contract with the institutions, powerful institutions, is going to get tested, quite possibly like they've never been tested before. At this point, when there's nobody in the local council building because it's all digital, there's nobody to talk to to kind of get on board with what I should be doing; I'm left to fend pretty much for myself. This is going to test the theory of compliance in a way that I don't think we've ever seen it tested here before, and that is going to be quite an interesting live lab, really, to work with, to understand what happens. Things are going to play out in ways that we can't foresee now, but that is really emphasising the importance of what we've been talking about today: understanding where people are coming from, understanding what keeps them aligned, keeps them going in the same direction, understanding what frustrations there are and dealing with those frustrations before it gets to a point where that safety that we're just taking for granted is no longer there.

And with that I'm going to say thank you very much. There's a bit of an annex to this. I'm going to say thank you to Alice for these brilliant pictures, thank you to Claude for the Lego, and all the citations you can find; they're all put in one place in a monograph.