Security is a chain, and people are the weakest link in the chain.

Bruce Schneier in Secrets and Lies, 2001.

Security can only be effective if people follow policies and use security tools. Many current security policies are unrealistic, and many security tools place unrealistic demands on users (e.g. superhuman memory ability). The HCS group has a long-standing research activity in establishing a human-centred perspective on security, trust and privacy - how to develop policies and mechanisms that fit into human activity and business processes.

This year, Prof. Sasse chaired the KTN Working Group on Human Vulnerabilities in security [white paper].

Improving usability of security tools

We have been researching usability problems with authentication mechanisms, such as passwords and PINs, since 1996 [Adams & Sasse]. We have also studied graphical authentication mechanisms [Brostoff & Sasse], and biometrics [Sasse].

Publication details

Brostoff & Sasse. Are Passfaces more usable than passwords? A Field Trial Investigation. In Proc. of HCI, 2000.

Adams & Sasse. Users are not the Enemy. In Communications of the ACM, 1999.

Sasse. Red-Eye Blink, Bendy Shuffle, and the Yuck Factor - A User Experience of Biometric Airport Systems. In IEEE Security & Privacy, 2007.

Brostoff. Improving Password System Effectiveness. PhD Thesis, 2004.

There is an ongoing research activity to improve the usability of access control, to provide an understanding of surveillance tasks, and to improve the design and configuration of digital CCTV systems.

Designing security in from the start

In system development, security is too often an afterthought - it is added after basic design decisions have been made. We have been developing ways of eliciting security requirements from stakeholders, and representing them in design documents. Ivan Flechais, who has been working on this topic during his PhD research in our group, is now a lecturer at the Computer Lab, Oxford University.

Publication details

Flechais & Sasse. Stakeholder Involvement, Motivation, Responsibility, Communication: How to Design Usable Security in e-Science.

Flechais, Mascolo & Sasse. Integrating security and usability into the requirements and design process. In Electronic Security and Digital Forensics, Vol. 1. No. 1, 2007.


Trust is a pervasive, key economic mechanism that governs the interaction between people. We develop ways of reading trust cues in people and environments. Now that much of our interaction is mediated by technology, we need to develop new ways of signalling trust in those systems, and learn to develop technology which includes incentives for trustworthy behaviour [summary of research on Trust by Riegelsberger & Sasse].

Particularly in social systems (e.g. recommender and social networking systems) people need to know who to trust, and when - and when not to [Social Systems].


There is no privacy on the Internet - get over it.

Scott McNealy

We beg to differ. Privacy is a basic human right, and people manage their relationships with other individuals, organisations and government through selective disclosure of information. Much of the current privacy debate is dominated by experts (lawyers and privacy advocates, for instance); their insights are valuable but need to be grounded in how people view and value privacy as they go about their lives. Early research by Adams & Sasse provided a model of how people assess privacy [Adams & Sasse], and we are currently researching people's views on privacy in patient records as part of the CLEF-Services project.

Publication details

Adams & Sasse. Privacy in Multimedia Communications: Protecting Users, Not Just Data. In Proc. of HCI and ICM, 2001.

This page was last modified on 28 Dec 2010.


We teach a course on People and Security which covers a broad range of security-related issues.

PhD Theses