Related Projects


Human aspects of computer security


Security, human factor



Computer security has been traditionally addressed from a technical standpoint. For example, research has been extensively done in the area of encryption, firewalls, and intrusion detection systems. Although this standpoint remains valid, there has been an increasing demand for the human components of computer-based system to be taken into consideration when dealing with security.

Humans – through their actions – can both improve or weaken the security of a system. For example, human operators can detect anomalous patterns in the system, which indicate that an attack is in progress. They can then take preventive actions (such as isolating or removing the system in question from the network) in order to avoid more serious breaches. On the other hand, humans are susceptible to social engineering attacks, where they could be tricked into revealing passwords or other sensitive information that can compromise the system’s security.

The human component can be divided into two groups: attackers (also called hackers or crackers) and legitimate users. Of course, the frontier between these two groups is permeable since a legitimate user might become an attacker (an insider). Studying attackers’ strategies and motives provides a better insight into how they work, and why they have many advantages over those trying to protect the system (Arief and Besnard, 2003). One obvious conclusion was that as soon as you connect your system to the internet, it becomes a potential target for attack. Legitimate users can open security breaches because the cost (time, effort) implied by security measures is higher than the perceived risk or the expected benefits. For instance, passwords get temporarily “lent” for colleagues to access a resource instead of a new account be created. From this perspective, the notion of a cost-benefit trade-off is a key to analyse legitimate users’ impairments to security (Besnard and Arief, 2004)

Therefore, in order to improve computer-based systems’ security, a combination of technical and human–oriented measures must be adopted. Security induction/training should be provided to new users in order to give them sound security practices. This will also raise their awareness of social engineering and the potentially devastating effect caused through it. Users need to be able to spot the tell-tale signs of social engineering so that they do not fall victim to it. Also, the user interface of security products (such as firewalls, anti-virus and encryption software) should be allocated more importance by designers so that the efforts for deploying and using them are kept as low as reasonably practicable.


DIRC's Security and Privacy in Computer-based Systems



Budi Arief and Denis Besnard, Technical and human issues in computer-based systems security, Technical Report CS-TR-790, School of Computing Science, University of Newcastle upon Tyne, March 2003

Denis Besnard and Budi Arief, Computer security impaired by legitimate users, Computers & Security, Volume 23, Issue 3, pp. 253-264, May 2004

Jeremy Bryans and Budi Arief, Security implications of structure, in Denis Besnard, Cristina Gacek and Cliff Jones (Eds.) Structure for dependability: computer-based systems from an interdisciplinary perspective, Springer, pp. 217-227, 2005


Budi Arief (Newcastle)


Page Maintainer: Credits      Project Members only Last Modified: 10 August, 2005