Developers should be taught to design security using flash cards
May 6, 2015
Researchers at the University of Nottingham and Microsoft's R&D department say developers should be taught to design better internet security using flash cards if they find that regulation documents are too complex.
The security team, including Redmond's Ewa Luger and the University's Lachlan Urquhart, Tom Rodden, and Michael Golembewski say that rules are simply out-of-touch and can be better explained with printable image cards.
Of course, not everyone agrees, but the so-called deck of cards, available for printing, is specifically designed to push a human-centric approach to systems development in line with the emerging European General Data Protection Regulation.
"Where once designers and systems architects were only subject to the influence of regulation at the point of product market entry, they are now being called to account from the minute pen hits paper," the research team said in the paper Playing the Legal Card: Using Ideation Cards to Raise Data Protection Issues within the Design Process.
"Overall, privacy and security will soon be expected 'by design and by default' and with this regulatory turn, comes a whole slew of new responsibilities for a lot of people. Rather than bolting on onerous terms and conditions or parachuting in lawyers after the fact, what if we were to take our human-centered skills and then methodologically ply them to advance the regulatory field?" the team asserts.
The group of four developers notes that ideation cards have been used successfully for everything from family counselling to security awareness training, and says they help define issues within a broader context.
The cards are designed following consultation with the legal community covering areas of privacy, consent, security and data breach notifications.
The deck is designed to convey why accuracy matters more than speed when it comes to data breach notification.
It also addresses the need to gain meaningful consent from disinterested users, and the difficulty of balancing the potential commercial gain in personal data against the right to be forgotten.
As curious as this may sound, they tested the deck with twenty-one programmers, engineers and system architects of varying experience and found mixed results in terms of individual priorities and how each identified their individual roles.
IT professionals with skill gaps could benefit from some supplemental information in conjunction with the cards, the researchers say.
The research group will look to expand the cards beyond the EU context so that they apply to U.S. regulations as well, with further international studies planned in the next 10 to 12 months.
Source: The University of Nottingham.