Title: Equitable cybersecurity: Towards generating requirements through the lens of security literacy
Authors: Bilal Naqvi, Annika Wolff, Domenico Racanelli
DOI: 10.1016/j.infsof.2025.107891
Journal: Information and Software Technology, volume 188, Article 107891
Publication date: 2025-08-30
Publication type: Journal Article
URL: https://www.sciencedirect.com/science/article/pii/S0950584925002307
Citation count: 0
Abstract
Context
Users of modern-day systems must understand how these systems operate and their roles in protecting these systems. This requires a degree of security literacy, but, as with all literacies, this varies across the general population. Improving literacy requires time for learning and gaining practical experience, and that does not happen overnight. Therefore, a two-pronged approach is necessary, whereby we ensure that everyone who uses these systems possesses an appropriate level of security literacy and design systems that are intuitive and usable by all users, regardless of their level of security literacy.
Objectives
This paper aims to demonstrate that traditional requirements-gathering approaches often overlook important requirements related to security literacy. The paper does so by considering a case study featuring the development of a novel biometric e-ID across six cases in five European countries.
Methods
To address this objective, firstly, the paper synthesized elements from academic and gray literature to conceptualize security literacy. The co-design approach was then used to draft scenarios based on the six cases (in the case study) and to identify security literacy-specific requirements.
Results
The paper presents a conceptual model of security literacy structured into pillars, core, and specialized knowledge areas and abilities, respectively. Using this model as an analytical lens, the paper presents six co-created scenarios and 11 security literacy-specific requirements that were not captured using standard requirement-gathering approaches.
Conclusion
The paper demonstrates that traditional requirement-gathering approaches can overlook important, nuanced requirements, particularly those relevant to user groups with lower security literacy. The model presented in this paper helps identify requirements from a security literacy perspective, thereby enhancing user security engagement and interactions.
Journal description:
Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal's scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include:
• Software management, quality and metrics
• Software processes
• Software architecture, modelling, specification, design and programming
• Functional and non-functional software requirements
• Software testing and verification & validation
• Empirical studies of all aspects of engineering and managing software development
Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information.
The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premier outlet for systematic literature studies in software engineering.