Biography

I am a Senior Lecturer in Systems Security Engineering within the Department of Computing and Informatics.

Before joining BU as a lecturer in 2013, I was a post-doctoral researcher at the Department of Computer Science at the University of Oxford, and a teaching fellow at the Information Security Group at University College London. I completed my DPhil in Computer Science at the University of Oxford in 2011. Prior to my doctoral research, I was a software engineer within Logica's Space business.

Research

My research explores how both security and usability can be designed into software systems. In doing so, my work not only provides assurance that security is incorporated into the design of software, but that the software will continue to be secure when used in different physical, social, and cultural contexts of use.

I am interested in the role of usability models for providing assurance about a system’s design, and particularly interested in exploring how personas -- a popular technique focussing on archetypes of user behaviour -- can be used to support secure system design.

I am also interested in the role of tool-support in designing secure and usable systems. I maintain CAIRIS (Computer Aided Integration of Requirements and Information Security): an open-source security requirements management tool that is freely available under an Apache License. CAIRIS has been validated in several industry case studies, and has been extended to facilitate model interchange with complementary tools to explore the social aspects of cybersecurity in system design. These include jUCMNav and the FDR model checker.

Journal Articles

  • Favale, M., McDonald, N., Faily, S. and Gatzidis, C., 2016. Human Aspects of Digital Rights Management: the Perspective of Content Developers. SCRIPTed, 13 (3), 289-304.
  • Faily, S., Power, D. and Fléchais, I., 2016. Gulfs of Expectation: Eliciting and Verifying Differences in Trust Expectations using Personas. Journal of Trust Management, 3 (4), 1-22.
  • Faily, S. and Fléchais, I., 2016. Finding and Resolving Security Misusability with Misusability Cases. Requirements Engineering, 21 (2), 209-223.
  • Iacob, C., Faily, S. and Bell, D., 2015. Special section: software quality for mobile apps. Software Quality Journal, 23 (3), 483-484.
  • Faily, S., 2015. Engaging Stakeholders during Late Stage Security Design with Assumption Personas. Information and Computer Security, 23 (4), 435-446.
  • Faily, S. and Flechais, I., 2011. Eliciting Policy Requirements for Critical National Infrastructure using the IRIS Framework. International Journal of Secure Software Engineering, 2, 1-18.
  • Faily, S. and Flechais, I., 2010. Towards tool-support for Usable Secure Requirements Engineering with CAIRIS. International Journal of Secure Software Engineering, 1, 56-70.
  • Faily, S. and Flechais, I., 2010. Designing and Aligning e-Science Security Culture with Design. Information Management & Computer Security, 18.

Books

  • Faily, S., Jiang, N., Dogan, H. and Taylor, J., 2016. Proceedings of the 30th International BCS Human Computer Interaction Conference (HCI 2016). British Computer Society.
  • Proceedings of the 2nd Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE 2015). IEEE.
  • Proceedings of the 1st Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE 2014). IEEE.
  • Proceedings of the Workshop on Web Applications and Secure Hardware (WASH'13). CEUR-WS.
  • Proceedings of the BCS HCI 2012 Workshop on Designing Interactive Secure Systems. BCS.
  • Faily, S., Živny, S., Fogelberg, C., Salamon, A. and Schäfer, M., 2008. Proceedings of the Oxford University Computing Laboratory Student Conference 2008. Oxford University Computing Laboratory.

Chapters

  • Atzeni, A., Faily, S. and Galloni, R., 2017. Usable Security: HCI-Sec Issues and Motivations. Encyclopedia of Information Science and Technology. IGI Global.
  • Faily, S., 2014. Evaluating the Implications of Attack and Security Patterns with Premortems. In: Blackwell, C. and Zhu, H., eds. Cyberpatterns: Unifying Design Patterns with Security and Attack Patterns. Springer.
  • Atzeni, A., Lyle, J. and Faily, S., 2014. Developing secure, unified multi-device and multi-domain platforms: A case study from the webinos project. Architectures and Protocols for Secure Information Technology. IGI Global, 310-333.
  • Faily, S., Lyle, J. and Parkin, S., 2012. Tool-support Premortems with Attack and Security Patterns. First International Workshop on Cyberpatterns: Unifying Design Patterns with Security, Attack and Forensic Patterns. 10-11.

Conferences

  • M'manga, A., Faily, S., McAlaney, J. and Williams, C., 2017. System Design Considerations for Risk Perception. In: Proceedings of the 11th IEEE International Conference on Research Challenges in Information Science 10-12 May 2017 Brighton, UK.
  • Ki-Aries, D., Faily, S., Dogan, H. and Williams, C., 2017. Re-framing “The AMN”: A Case Study Eliciting and Modelling a System of Systems using the Afghan Mission Network. In: Proceedings of the 11th IEEE International Conference on Research Challenges in Information Science 10-12 May 2017 Brighton, UK.
  • Iacob, C., Faily, S. and Harrison, R., 2016. MARAM: Tool Support for Mobile App Review Management. In: 8th EAI International Conference on Mobile Computing, Applications and Services 30 November-1 December 2016 Cambridge, UK. ACM.
  • Iacob, C. and Faily, S., 2016. Improving Human-Reviews Interaction: A Study of the Role, Use, and Place of Online Reviews. In: 30th British HCI Group Annual Conference on People and Computers: Fusion 11-15 July 2016 Bournemouth, UK.
  • Faily, S., Iacob, C. and Field, S., 2016. Ethical Hazards and Safeguards in Penetration Testing. In: 30th British HCI Group Annual Conference on People and Computers: Fusion 11-15 July 2016 Bournemouth, UK. British Computer Society.
  • Partridge, A. and Faily, S., 2016. The application of useless japanese inventions for requirements elicitation in information security. In: 30th British HCI Group Annual Conference on People and Computers: Fusion 11-15 July 2016 Bournemouth, UK.
  • Ki-Aries, D., Faily, S. and Beckers, K., 2016. Persona-Driven Information Security Awareness. In: 30th British HCI Group Annual Conference on People and Computers: Fusion 11-15 July 2016 Bournemouth, UK.
  • Faily, S., Lykou, G., Partridge, A., Gritzalis, D., Mylonas, A. and Katos, V., 2016. Human-Centered Specification Exemplars for Critical Infrastructure Environments. In: 30th British HCI Group Annual Conference on People and Computers: Fusion 11-15 July 2016 Bournemouth, UK.
  • Faily, S., Stergiopoulos, G., Katos, V. and Gritzalis, D., 2016. “Water, water, every where”: Nuances for a water industry critical infrastructure specification exemplar. 243-246.
  • Ali, R., McAlaney, J., Faily, S., Phalp, K. and Katos, V., 2015. Mitigating circumstances in cybercrime: A position paper. 1972-1976.
  • Favale, M., McDonald, N., Faily, S. and Gatzidis, C., 2015. Human Aspects in Digital Rights Management: The Perspective of Content Developers. In: Fourth International Workshop on Artificial Intelligence and IP Law 9 December-9 November 2015 Braga, Portugal.
  • Vallindras, A. and Faily, S., 2015. The Mystery of Security Design. In: British HCI 2015 15-17 July 2015 Lincoln, UK. ACM.
  • McDonald, N., Faily, S., Favale, M. and Gatzidis, C., 2015. Digital Rights Management: The Four Perspectives of Developers, Distributors, Users, and Lawyers. In: 9th International Symposium on Human Aspects of Information Security & Assurance 1-3 July 2015 Lesvos, Greece.
  • Faily, S., McAlaney, J. and Iacob, C., 2015. Ethical Dilemmas and Dimensions in Penetration Testing. In: 9th International Symposium on Human Aspects of Information Security & Assurance 1-3 July 2015 Lesvos, Greece.
  • Faily, S. and Jones, M., 2015. Embedding Professional Practice into the Cybersecurity Curriculum using Ethics. In: 1st UK Workshop on Cybersecurity Training & Education 11 June 2015 Liverpool.
  • McAlaney, J., Taylor, J. and Faily, S., 2015. The Social Psychology of Cybersecurity. In: 1st International Conference on Cyber Security for Sustainable Society 26-27 February 2015 Coventry. Working Papers of the SSN+.
  • Faily, S., Lyle, J., Fléchais, I. and Simpson, A., 2015. Usability and Security by Design: A Case Study in Research and Development. In: NDSS Workshop on Usable Security 8 February-8 January 2015.
  • Faily, S. and Fléchais, I., 2014. Eliciting and Visualising Trust Expectations using Persona Trust Characteristics and Goal Models. In: 6th International Workshop on Social Software Engineering 17 November-17 August 2014 Hong Kong. ACM.
  • Faily, S., Lyle, J., Fléchais, I., Atzeni, A., Cameroni, C., Myrhaug, H., Göker, A. and Kleinfeld, R., 2014. Authorisation in Context: Incorporating Context-Sensitivity into an Access Control Framework. In: 28th British HCI Group Annual Conference on People and Computers: Sand, sea and Sky 9-12 September 2014 Southport, UK. British Computer Society.
  • Faily, S., 2014. Engaging Stakeholders in Security Design: An Assumption-Driven Approach. In: International Symposium on Human Aspects on Information Security & Assurance (HAISA 2014) 8-10 July 2014 Plymouth University.
  • Faily, S., 2014. Ethical Hacking Assessment as a Vehicle for Undergraduate Cyber-Security Education. In: BCS 19th Annual INSPIRE Conference 15 April 2014 Southampton.
  • Iacob, C., Harrison, R. and Faily, S., 2013. Online Reviews as First Class Artifacts in Mobile App Development. In: Fifth International Conference on Mobile Computing, Applications and Services 7-8 November 2013 Paris, France. 47-53.
  • Su, T., Lyle, J., Atzeni, A., Faily, S., Virji, H., Ntanos, C. and Botsikas, C., 2013. Continuous Integration for Web-Based Software Infrastructures: Lessons Learned on the webinos Project. Springer.
  • Faily, S. and Lyle, J., 2013. Security Lessons Learned Building Concept Apps for webinos. In: BCS HCI 2013 Workshops: Human Aspects in Mobile App Engineering 9 September 2013 Brunel University, London.
  • Lyle, J., Faily, S. and Winandy, M., 2013. The Workshop on Web Applications and Secure Hardware. In: Workshop on Web Applications and Secure Hardware (WASH’13), Co-located with the 6th International Conference on Trust and Trustworthy Computing (TRUST 2013) 20 June 2013 London. CEUR-WS.org.
  • Lyle, J., Nilsson, C., Isberg, A. and Faily, S., 2013. Extending the web to support personal network services. 711-716.
  • Faily, S., Coles-Kemp, L., Dunphy, P., Just, M., Akama, Y. and Luca, A.D., 2013. Designing Interactive Secure Systems: CHI 2013 Special Interest Group. ACM, 2469-2472.
  • Faily, S., Power, D., Armstrong, P. and Flechais, I., 2013. Formal Evaluation of Persona Trustworthiness with EUSTACE (Extended Abstract). 267-268.
  • Faily, S. and Lyle, J., 2013. Guidelines for Integrating Personas into Software Engineering Tools. 69-74.
  • Faily, S., 2013. Security Patterns Considered Harmful? 108-109.
  • Faily, S., Lyle, J., Flechais, I., Atzeni, A., Cameroni, C., Myrhaug, H., Goker, A. and Kleinfeld, R., 2013. Policies in Context: Factors Influencing the Elicitation and Categorisation of Context-Sensitive Security Policies.
  • Faily, S., 2012. Analysing Chindogu: Applying Defamiliarisation to Security Design.
  • Fuhrhop, C., Lyle, J. and Faily, S., 2012. The webinos project. ACM, 259-262.
  • Lyle, J., Monteleone, S., Faily, S., Patti, D. and Ricciato, F., 2012. Cross-platform access control for mobile web applications. 37-44.
  • Lyle, J., Faily, S., Flechais, I., Paul, A., Goker, A., Myrhaug, H., Desruelle, H. and Martin, A., 2012. On the design and development of webinos: a distributed mobile application middleware. 140-147.
  • Lyle, J., Paverd, A., King-Lacroix, J., Atzeni, A., Virji, H., Flechais, I. and Faily, S., 2012. Personal PKI for the smart device era.
  • Faily, S., Lyle, J. and Parkin, S., 2012. Secure System? Challenge Accepted: Finding and Resolving Security Failures Using Security Premortems. In: BCS HCI 2012 Workshops: Designing Interactive Secure Systems 12-14 September 2012 Birmingham, UK. 5:1-5:4.
  • Faily, S. and Flechais, I., 2012. Software for Interactive Secure Systems Design: Lessons Learned Developing and Applying CAIRIS. In: BCS HCI 2012 Workshops: Designing Interactive Secure Systems 12-14 September 2012 Birmingham, UK. 3:1-3:4.
  • Faily, S., Lyle, J., Paul, A., Atzeni, A., Blomme, D., Desruelle, H. and Bangalore, K., 2012. Requirements Sensemaking using Concept Maps. Springer, 217-232.
  • Faily, S., Lyle, J., Namiluko, C., Atzeni, A. and Cameroni, C., 2012. Model-driven architectural risk analysis using architectural and contextualised attack patterns. ACM, 3:1-3:6.
  • Gionis, G., Desruelle, H., Blomme, D., Lyle, J., Faily, S. and Bassbouss, L., 2011. “Do we know each other or is it just our Devices?”: A Federated Context Model for Describing Social Activity Across Devices.
  • Faily, S. and Flechais, I., 2011. User-Centered Information Security Policy Development in a Post-Stuxnet World. IEEE Computer Society, 716-721.
  • Atzeni, A.S., Cameroni, C., Faily, S., Lyle, J. and Flechais, I., 2011. Here's Johnny: A Methodology for Developing Attacker Personas. IEEE, 722-727.
  • Faily, S. and Flechais, I., 2011. Persona Cases: A Technique for grounding Personas. Vancouver, BC, Canada: ACM, 2267-2270.
  • Faily, S., 2011. Two Requirements for Usable and Secure Software Engineering. In: 1st Software and Usable Security Aligned for Good Engineering (SAUSAGE) Workshop 5-6 April 2011 National Institute of Standards and Technology Gaithersburg, MD USA.
  • Faily, S., 2011. Security goes to ground: on the applicability of Security Entrepreneurship to Grassroot Activism. In: CHI Workshop on HCI, Politics and the City: Engaging with Urban Grassroots Movements for Reflection and Action 7-12 May 2011 Vancouver, BC, Canada.
  • Faily, S. and Flechais, I., 2011. Eliciting Usable Security Requirements with Misusability Cases. IEEE Computer Society, 339-340.
  • Faily, S., 2011. Bridging User-Centered Design and Requirements Engineering with GRL and Persona Cases. In: CEUR iStar 2011 5th International i* Workshop 28-29 August 2011 Trento, Italy. 114-119.
  • Faily, S. and Flechais, I., 2010. A Meta-Model for Usable Secure Requirements Engineering. 29-35.
  • Faily, S. and Flechais, I., 2010. Analysing and Visualising Security and Usability in IRIS.
  • Faily, S. and Flechais, I., 2010. Improving Secure Systems Design with Security Culture.
  • Faily, S. and Flechais, I., 2010. A Model of Security Culture for e-Science. University of Plymouth, 154-164.
  • Faily, S. and Flechais, I., 2010. To boldly go where invention isn’t secure: applying Security Entrepreneurship to secure systems design. New York, NY, USA: ACM, 73-84.
  • Faily, S. and Flechais, I., 2010. The Secret Lives of Assumptions: Developing and Refining Assumption Personas for Secure System Design. Springer, 111-118.
  • Flechais, I. and Faily, S., 2010. Security and Usability: Searching for the philosopher’s stone.
  • Faily, S. and Flechais, I., 2010. Security through Usability: a user-centered approach for balanced security policy requirements.
  • Faily, S. and Flechais, I., 2010. Barry is not the weakest link: eliciting secure system requirements with personas. ACM, 124-132.
  • Faily, S. and Flechais, I., 2009. Context-Sensitive Requirements and Risk Management with IRIS.
  • Faily, S., 2008. Towards Requirements Engineering Practice for Professional End User Developers: A Case Study. IEEE, 38-44.
  • Faily, S. and Flechais, I., 2008. Making the invisible visible: a theory of security culture for secure and usable grids.
  • Faily, S., 2007. Living with Flight Dynamics : Proposals and Possible Pitfalls for Harmonising Flight Dynamics Systems with EGOS.

Theses

Software

Others

PhD Students

  • Duncan Ki-Aries (Risk Assessment for Complex Systems of Systems)
  • Andrew M'Manga (Designing Systems for Risk-based Decision Making and Assurance)
  • Jane Henriksen-Bulmer (A Framework for Public Bodies for Managing the Secure and Appropriate Release of Open Source Data)

Profile of Teaching PG

  • Security by Design (Level M)

Profile of Teaching UG

  • Security by Design (Level H)
  • Ethical Hacking and Countermeasures (Level I)

Invited Lectures

  • HCI-Security: An Overview. Cranfield University. April 2014.
  • Bringing Security, Usability, and Software Engineering together with Personas. Oxford Brookes University. 2013.

Grants

  • Commercialisation of CAIRIS (DCMS / SETsquared, 27 Jan 2017). In Progress
  • Bournemouth-Athens Network in Critical Infrastructure Security (BANCIS) (BU Fusion Investment Fund, 01 Sep 2016). Completed
  • Bournemouth University Computer Human Interaction (BUCHI) (BU Fusion Investment Fund, 01 Mar 2015). Completed
  • Making sense of DRM in game development (Madrigal) (Bournemouth University - Fusion Investment Fund, 01 Feb 2015). Completed
  • Bournemouth European Network In Cyber Security (BENICS) (BU Fusion Investment Fund, 01 Mar 2014). Completed
  • Evaluating the Usability, Security, and Trustworthiness of Ad-hoc Collaborative Environments (EUSTACE) (EPSRC, 30 May 2012). Completed

External Responsibilities

  • Computers & Security (Elsevier), Reviewer
  • European Intelligence and Security Informatics Conference (EISIC) 2015, Programme Committee (2015-)
  • 1st International Workshop on Evolving Security & Privacy Requirements Engineering, Organising Co-Chair (2014-), http://espre2014.org/
  • IEEE Joint Intelligence and Security Informatics Conference (JISIC), Programme Committee (2014-)
  • Designing Interactive Secure Systems: Workshop at British HCI 2012, Workshop Co-Chair (2012-)
  • 6th International Conference on Trust & Trustworthy Computing, Publicity Co-Chair (2013-)
  • Designing Interactive Secure Systems SIG at ACM Conference on Human Factors in Computer System, Organiser (2013-)
  • Workshop on Web Applications and Secure Hardware (Co-located with Trust 2013), Workshop Co-Chair (2013-)
  • Human Aspects in Mobile App Engineering: Workshop at British HCI 2013, Workshop Co-Chair (2013-)
  • ACM Conference on Human Factors in Computer Systems, Reviewer (2010-2016)
  • BCS Conference on Human-Computer Interaction, Reviewer (2011-2014)
  • ACM SIGCHI Symposium on Engineering Interactive Computing Systems, Reviewer (2011-2012)
  • European Intelligence and Security Informatics Conference, Programme Committee (2013-)
  • Second International Workshop on Cyberpatterns: Unifying Design Patterns with Security, Attack, and Forensic Patterns, Programme Committee (2013-)
  • International Conference on Trust & Trustworthy Computing (Socio-economics Strand), Programme Committee (2013-)
  • International Journal of Secure Software Engineering (IGI Global), Reviewer
  • Behaviour & Information Technology (Taylor & Francis), Reviewer
  • Pervasive and Mobile Computing (Elsevier), Reviewer
  • Journal of Systems and Software (Elsevier), Reviewer

Conference Presentations

  • First International Conference on Cyber Security for Sustainable Society 2015, The Social Psychology of Cybersecurity, 26 February 2015, Coventry

Qualifications

  • PG Cert in Education Practice (Bournemouth University, 2015)
  • Postgraduate Certificate in Software Engineering (University of Oxford, 2008)
  • BSc (Hons) in Business Computing Systems (City University, 1998)
  • DPhil in Computer Science (University of Oxford, 2011)

Memberships

  • ACM, Member
  • British Computer Society, Member
  • Higher Education Academy, Fellow

The data on this page was last updated at 04:03 on March 27, 2017.