Publication | Closed Access
Divide and conquer
Citations: 46
References: 21
Year: 2005
Unknown Venue
Engineering, Usable Security, Information Security, Game Theory, Communication, Security Definition, Security Awareness, Human Factors, Geopolitics, Security Management, Design, Arts, User Experience, Secure Systems, Trust, Secure By Design, Strategy, Social Interaction, Fair Division, Coalition Formation, Information Security Management, Humanities, Social Computing, Security, Cooperative Game Theory, Technology
In order to be effective, secure systems need to be both correct (i.e. effective used as intended) and dependable (i.e. actually being used as intended). Given that most secure systems involve people, a strategy for achieving dependable security must address both people and technology. Current research in Human-Computer Interactions in Security (HCISec) aims to increase dependability of the human element by reducing mistakes (e.g. through better user interfaces to security tools). We argue that a successful strategy also needs to consider the impact of social interaction on security, and in this respect is a central concept. We compare the understanding of in secure systems with the more differentiated models of in social science research. The security definition of turns out to map onto strategies that would be correctly described as in the more differentiated model. We argue that distinguishing between and assurance yields a wider range of strategies for ensuring dependability of the human element in a secure socio-technical system. Furthermore, correctly placed can also benefit an organisation's culture and performance. We conclude by presenting design principles to help security designers decide when to trust and when to assure, and give examples of how both strategies would be implemented in practice.