Publications

2023

1. Engaging Students in Threat Thinking with the Cyber Security Cinema

   Joseph Maguire, Rosanne English, and Steve Draper

   In Computing Education Practice, Jan 2023
2. Exploring Student Perceptions and Expectations of Cyber Security

   Rosanne English, and Joseph Maguire

   In Computing Education Practice, Jan 2023
3. Research-led Active Learning Sessions in Cyber Security through Research Paper Reading

   Joseph Maguire, Rosanne English, and Steve Draper

   In Computing Education Practice, Jan 2023

2022

1. Criteria and Scrutiny in Computing Education Research

   Kate Sanders, Joseph Maguire, and Monica M. McGill

   In Dagstuhl Seminar 22442: Toward Scientific Evidence Standards in Empirical Computer Science, Nov 2022

   Abs

   In 2020, a working group was convened at the Innovation and Technology in Computer Science Education (ITiCSE) conference, led by Marian Petre, Kate Sanders and Robert McCartney on Mapping the Landscape of Peer Review in Computing Education Research (CER). The working group considered 17 venues, including CER conferences and journals, as well as overlapping conferences in Software Engineering and Human Factors. In this presentation, we consider some of the common review criteria observed across venues as well as some of the ethical concerns that emerge in peer-review and the process itself. These elements are considered through the lens of excerpts and vignettes drawn from conference chairs and journal editors interviewed by the working group that reflect aspects of the conversations and debates that have happened during the week at the present seminar.

2. CER in the UK & Ireland

   Brett A. Becker, Steven Bradley, Joseph Maguire, and 5 more authors

   In Past, Present and Future of Computing Education Research: a Global Perspective, Sep 2022

   Abs

   No abstract available.

3. Challenges and opportunities of teaching cybersecurity in mainstream computing programmes in the UK

   Tom Prickett, Longzhi Yang, Alastair Irons, and 9 more authors

   In Cybersecurity Teaching in Higher Education, Jun 2022

   Abs

   No abstract available.

4. Shaping Software Engineering with Lessons from the Past

   Joseph Maguire

   In University of Edinburgh Informatics Teaching Festival 2022, May 2022

   Abs

   The talk presents published work on some of the research performed in advance of designing a work-based Software Engineering degree at the University of Glasgow. A brief history of the history of Software Engineering education is considered as well as a history of apprenticeship-style education in professional and Higher Education contexts. An overview of case studies developed from visiting three international institutions are presented and discussed. Lastly, principles are devised for work-based learning within Higher Education for Software Engineering education are presented and discussed.

5. The different types of contributions to knowledge (in CER): All needed, but not all recognised

   Steve Draper, and Joseph Maguire

   ACM Transactions on Computing Education, Apr 2022

   Abs

   The overall aim of this paper is to stimulate discussion about the activities within CER, and to develop a more thoughtful and explicit perspective on the different types of research activity within CER, and their relationships with each other. While theories may be the most valuable outputs of research to those wishing to apply them, for researchers themselves there are other kinds of contribution important to progress in the field. This is what relates it to the immediate subject of this special journal issue on theory in CER. We adopt as our criterion for value ?contribution to knowledge?. This paper?s main contributions are: ? A set of 12 categories of contribution which together indicate the extent of this terrain of contributions to research. ? Leading into that is a collection of ideas and misconceptions which are drawn on in defining and motivating ?ground rules?, which are hints and guidance on the need for various often neglected categories. These are also helpful in justifying some additional categories which make the set as a whole more useful in combination. These are followed by some suggested uses for the categories, and a discussion assessing how the success of the paper might be judged. These are followed by some suggested uses for the categories, and a discussion assessing how the success of the paper might be judged.

6. Promoting Engagement in Remote Computing Ethics Education

   Joseph Maguire, and Steve Draper

   Jan 2022

   Abs

   Remote delivery of course content was a rapid and practical solution to the challenges presented to education by the coronavirus pandemic. However, the solution also provided the opportunity to promote engagement and interaction among a student cohort that was largely disconnected and isolated due to the constraints of the pandemic. Consequently, in this paper the practice of using the Jigsaw active learning design in the delivery of a computing ethics course is reported. The experience, reaction of learners and discussion of the benefits and problems of the learning design are discussed before concluding thoughts are offered.

2021

1. Engaging and Active Security Education 2022 (EASE 2022) Workshop

   Joseph Maguire, and  Mac Dermott

   In Computing Education Practice 2022 (CEP 2022), Dec 2021

   Abs

   Security is an increasingly important topic within higher education, but it is often challenging to identify effective learning and teaching practices that actively involve all students. The Engaging and Active Security Education (EASE) workshop at the UK ACM SIGCSE Computing Education Practice conference aims to support cyber security educators in exchanging practice as well as devising new practices. The objectives of the EASE workshop are: to expand the community of cyber security educators to provide an avenue for cyber security educators to exchange learning and teaching practice to afford opportunities for cyber security educators to collaborate and form novel learning and teaching practices. The EASE workshop is seeking practices from the wider community that can be presented at the workshop and can be subsequently accessed on the workshop website.

2. Opportunities to Fail: Using Peer-review to Support Assessment Literacy in Cyber Security

   Joseph Maguire, and Rosanne English

   Nov 2021

   Abs

   The importance of cyber security to the global economy has only grown in recent years. Effective cyber security technical policy is an important defence against numerous threats. Consequently, it is important that computing science and software engineering graduates are able to produce effective cyber security policy. However, written assessments, such as cyber security policy, for some students may be challenging due to lack of familiarity with such assessments. The lack of familiarity or poor assessment literacy not only has the potential to produce poor results, but can led to disappointment and frustration. In this poster, the practice of integrating peer-review as part of a cyber security policy assessment task to support assessment literacy is presented. The aim is to elicit feedback from conference participants not only on the practice itself, but on addressing the challenge of assessment literacy in the context of cyber security policy.

3. Engaging and Active Security Education (EASE) Workshop

   Joseph Maguire, and Rosanne English

   In Computing Education Practice (CEP 2021), Jan 2021

   Abs

   Security is an increasingly important topic within higher education, but it is often challenging to identify effective learning and teaching practices that actively involve all students. The Engaging and Active Security Education (EASE) workshop at the UK ACM SIGCSE Computing Education Practice conference aims to support cyber security educators in exchanging practice as well as devising new practices. The objectives of the EASE workshop are: to expand the community of cyber security educators to provide an avenue for cyber security educators to exchange learning and teaching practice to afford opportunities for cyber security educators to collaborate and form novel learning and teaching practices. The EASE workshop is seeking practices from the wider community that can be presented at the workshop and can be subsequently accessed on the workshop website.

4. Improving Computer Science Student Graduate Skills Through Assessment

   Rosanne English, Joseph Maguire, and Alan Hayes

   Jan 2021

   Abs

   In preparing computer science students for industry, degree content often focuses on technical skills such as programming. Whilst essential for a successful career in industry, employers note that students are often limited in transferable skills. Computing science students can also struggle to identify the value in these skills during their studies.The overall aim of this work is to develop a framework for computing science educators which will allow them to incorporate such skills more explicitly through assessment. This poster presents highlights from an initial review of graduate attributes from Russell Group Universities to identify common themes for further exploration.

5. Supporting Computing Educators to Create a Cycle of Teaching and Computing Education Research

   Neil C.C. Brown, Quintin Cutts, Maria Kallia, and 3 more authors

   Jan 2021

   Abs

   Despite a rich history of computing education in the United Kingdom and Ireland, computing educators often rely on the same procedures and teaching practices rather than embrace innovations. Similarly, while a growing collection of literature exists on educational theory and practice in computing education, much of this focuses on the same concepts and concerns. An aspiration is that both these problems can be simultaneously addressed by computing educators adopting a cycle of embracing existing literature when devising teaching practice and then feeding their experience and findings back to the community in a rigorous fashion. Consequently, this panel supports computing educators by acting as advisers on a one-on-one basis to support audience members in discovering or devising their own cycle of teaching practice and computing education research.

2020

1. Keeping Software Engineering Students in Touch With Not Only What They Are to Learn, But With Why

   Syed Waqar Nabi, Joseph Maguire, Steve Draper, and 1 more author

   Oct 2020

   Abs

   We needed to design a module covering both discrete maths and algorithms for a Work Based Learning (WBL) Software Engineering degree programme, where students spend half their time at their employers’ workplace. This entails deciding the order of topics, and explaining that to students. Sequence in the course is only one kind of relationship between topics in the module; relevance to work is another. Such explaining is a neglected educational issue. This paper addresses how to convey these relationships to learners. Because of the WBL context, it is inevitable that questions about how pieces of academic learning relate to the work context (which these students are already experiencing) arise immediately and vividly for them. This is important because it affects learner motivation, sometimes greatly, and also whether they are likely to learn in a surface or a deep mode. A given learner’s grasp of these relationships is both individual and changes over time. Because of this, the general pedagogical approach discussed here is ?little and often?: raising it a number of times, with an emphasis not on one exhaustive and rigid view but on how different students often see it differently, and encouraging each to gradually develop their own view. The concept map diagram in this paper illustrates only one example of how the web of connections might be represented and conveyed during the course.

2. Supporting the Computing Science Education Research Community with Rolling Reviews

   Joseph Maguire, and Quintin Cutts

   Sep 2020

   Abs

   The recent experience of delivering the United Kingdom and Ireland Computing Education Research (UKICER) conference has provided insight into the strength and vibrancy of the computing education research community within the region. UKICER, alongside the Computing Education Practice (CEP) conference has the potential to significantly serve academic staff in the United Kingdom and Ireland. The potential for both venues could be greater if the review process were refined to ensure the community continues to engage even more academics with the community while maintaining the quality of both venues. Consequently, the present proposal is to pilot the use of rolling reviews for the upcoming CEP 2021, UKICER 2021 and CEP 2022.

3. Reviewing Computing Education Papers

   Marian Petre, Kate Sanders, Robert McCartney, and 9 more authors

   Jun 2020

   Abs

   Peer review is a mainstay of academic publication ? indeed, it is the peer-review process that provides much of the publications? credibility. This working group is examining the ways peer review is used in various computing education venues and will use this examination to articulate community standards for peer review in this discipline. We examine peer review from three viewpoints, those of community, process, and expectations: The community of reviewers How are reviewers recruited and selected? How are they trained? What feedback do they get? What roles are there in the review process? What titles correspond to these roles? Process: from review to decision How are reviewers matched to papers? How are the reviews used in making accept/reject decisions? What are the possible decisions? Are there multi- ple rounds of reviewing? What information is shared among reviewers, program chairs, and authors? Expectations What is a reviewer expected to do when review- ing a paper? What are the reviews intended to accomplish, and who is the intended audience? What are the ethical rules associated with reviewing? How is a reviewer supposed to deal with issues of broken anonymity (if applicable)? This examination is based on multiple data sources: published standards and descriptions from computing education conferences and journals; interviews with people who have served in various edito- rial and reviewing roles; papers and stated review principles from other disciplines. The working group report will present the compiled standards and guidance for mentoring reviewers.

4. Mapping the Landscape of Peer Review in Computing Education Research

   Marian Petre, Kate Sanders, Robert McCartney, and 9 more authors

   Jun 2020

   Abs

   Peer review is a mainstay of academic publication ? indeed, it is the peer-review process that provides much of the publications? credibility. As the number of computing education conferences and the number of submissions increase, the need for reviewers grows. This report does not attempt to set standards for reviewing; rather, as a first step toward meeting the need for well qualified reviewers, it presents an overview of the ways peer review is used in various venues, both inside computing education and, for comparison, in closely-related areas outside our field. It considers four key components of peer review in some depth: criteria, the review process, roles and responsibilities, and ethics and etiquette. To do so, it draws on relevant literature, guidance and forms associated with peer review, interviews with journal editors and conference chairs, and a limited survey of the computing education research community. In addition to providing an overview of practice, this report identifies a number of themes running through the discourse that have relevance for decision making about how best to conduct peer review for a given venue.

5. Building in Resilience Through Graduate Skills Computer Science Assessment

   Rosanne English, and Joseph Maguire

   In QAA Scotland Learning From Disruption: Exploring What Counts in Higher Education, Jun 2020

   Abs

   Students enrolled in computing science programmes are often more focused on gaining skills such as programming than other valuable skills such as team work, adaptability and self- regulation. An ability to react, collaborate and adapt in changing environments and to evolving timelines are valuable skills required for any professional software engineering role. However, communicating the value of such skills as well as providing opportunities for students to refine skills is challenging. In this paper we argue that developing graduate skills can help students develop the necessary resilience for facing such circumstances and propose some approaches for designing such assessment in computer science.

6. Experiences of Assessment in Data and Security Courses using Personal Response Systems

   Rosanne English, and Joseph Maguire

   Feb 2020

   Abs

   This paper details an experience report of two interventions which explored the use of a audience response system in summative assessment in two different ways within a con- version Masters degree programme. One course explored stu- dents understanding of topics and self-assessment of ability through small multiple-choice quizzes. The other course was based around cyber security and used the audience response system to ensure engagement with the pre-class reading material. Both interventions were designed in an attempt to encourage students to engage more effectively with the material. This paper aims to identify and contrast the ways in which the audience response system was used in assess- ment in higher education computing science with a view to suggesting key considerations for implementing such an intervention.

2019

1. Securing the Human: a Review of Literature on Broadening Diversity in Cybersecurity Education

   Xenia Mountrouidou, David Vosen, Chadi Kari, and 6 more authors

   Dec 2019

   The team acknowledges support provided by the US National Science Foundation under Award No. DUE-1700254.

   Abs

   Recent global demand for cybersecurity professionals is promising, with the U.S. job growth rate at 28%, three times the national average. In a global survey, 2,300 security managers reported that 59% of their security positions were unfilled, although 82% anticipated cyberattacks to their systems. At the same time, the cybersecurity field is broadening, not only in technical concepts but also in human factors, business processes, and international law. The field has not become culturally diversified, however. Professionals hired in 2018 included only 24.9% women, 12.3% African Americans, and 6.8% Latinos. These realities create an opportunity for higher education: diversify the profession while increasing the numbers of skilled computer scientists. New and integrated methods of attracting student populations in the field of cybersecurity are needed. This working group report analyzes the outcomes and approaches used in higher education to diversify the cybersecurity field through a review of the literature, identification of gaps, and recommendations for cybersecurity education researchers and practitioners.

2. Towards a Taxonomy of Video for HCI Education

   Stephen Snow,  Joseph Maguire, Chris Evans, and 5 more authors

   In Trends and good practices in research and teaching. A Spanish-English collaboration, Dec 2019
3. Back to the future: shaping software engineering education with lessons from the past

   Joseph Maguire, and Quintin Cutts

   ACM Inroads, Dec 2019

   Abs

   No abstract available.

4. What Do We Do When We Teach Software Engineering?

   Joseph Maguire, Steve Draper, and Quintin Cutts

   Sep 2019

   Abs

   Many UK higher education institutions offer software engineering programmes, but the purpose and relevance of these programmes within computing science departments is not always obvious. The reality is that while advanced economies require many more skilled software engineers, universities are not delivering them. This is at least true in the context of the United Kingdom, where there are high numbers of software engineering vacancies and unemployed software engineering graduates. A possible explanation could be that curriculum content of software engineering programmes in universities needs to be reconsidered to meet the needs of industry. However, reconsidering curriculum content alone is unlikely to be transformative as there is little to be gained from changing to an emerging methodology, language or framework. Instead, an alternative direction could be to reconsider curriculum delivery and the identity of software engineering within computing science itself. In this paper, we contextualise the challenge by considering the history of software engineering education and some of its key developments. We then consider some of the alternative delivery approaches, before arguing cooperative programmes provide a opportunity for institutions to reconsider software engineering education.

5. Mentoring Mentors in Cooperative Software Engineering Education Programmes

   Joseph Maguire, Nathalie Sheridan, Steve Draper, and 1 more author

   Jul 2019

   Abs

   Cooperative programmes are principally partnerships between academia and industry to deliver education partly on campus and partly in the workplace. Mentors in the workplace are crucial in such cooperative programmes as they scaffold appropriate development activities for students. A workplace mentor in this situation is important not only for the development of detailed technical knowledge, but also in the development of software engineering skills that are almost never in fact taught in higher education, e.g. navigating large, neglected code bases. Consequently, workplace mentors are a key component of any high-quality education programme delivered in partnership with industry. However, higher education institutions and enterprises not only need to appreciate the importance of mentors in such schemes, but also ensure such staff are supported to use their experience to increase their skill as a mentor. Mentors need the space and support to reflect on their own practice, develop skills and attain new knowledge. In this sense, the challenge is not dissimilar to that faced by computing science school teachers that need to continually consider their own practice as well as have the time to consider emerging programming languages and frameworks. Many of the structures and existing research on how to support computing science school teachers could be adapted to support these workplace mentors, e.g. support groups. In this poster, we present initial research and models for mentoring mentors in cooperative software engineering programmes. The aim is to share initial work, receive feedback and to connect with potential collaborators.

6. Devising Work-based Learning Curricula With Apprentice Research Software Engineers

   Joseph Maguire, Quintin Cutts, Jack Parkinson, and 2 more authors

   Jul 2019

   Abs

   Work-based learning (WBL) is a delivery model that attempts to address the isolation of theory and practice by integrating them into a single programme. The concern is that through lack of experience and understanding, both universities and industry may devise ‘Frankenstein’ curricula, harming individuals rather than helping them. This poster introduces a small project to support curricula development by proposing universities act as both the learning provider and workplace for apprentice Research Software Engineers (RSEs).

7. Securing the Human

   Mohammad Azhar, Sajal Bhatia, Greg Gagne, and 6 more authors

   In Proceedings of the 2019 ACM Conference on Innovation and Technology in Computer Science Education, Jul 2019
8. Technology Beyond the VLE

   Joseph Maguire, Mary McVey, Emily Nordmann, and 1 more author

   In 12th Annual University of Glasgow Learning and Teaching Conference, Apr 2019

   Abs

   No abstract available.

9. Data Protection and Privacy Regulations as an Inter-Active-Constructive Practice

   Joseph Maguire, Rosanne English, and Stephen Draper

   Jan 2019

   Abs

   The aspiration of many governments around the world is to ensure all university graduates are well-versed in computing science and its related topics. This results in many graduates participating in postgraduate conversion courses. Many computing science schools favour delivering aspects of some topics, such as cyber security, simultaneously to students majoring in computing science and those converting to it. The challenge becomes integrating and understanding such a disparate student cohort. In this paper, we propose as a solution a learning design that has active, constructive and interactive elements. Student experience is reported and discussed, before considering the many benefits of the design.

2018

1. Assessing the Unseen: Roles of Confidentiality and Trust in Software Engineering Work-based Learning Programmes [Poster]

   Joseph Maguire, Steve Draper, and Quintin Cutts

   In ACM Conference on International Computing Education Research, Aug 2018

   Abs

   A typical academic degree focused on software engineering has little practical relationship with the industry it is named for, other than the occasional placement or internship. Unlike other professions such as medicine, dentistry and veterinary sciences, candidates do not need to participate in significant professional practice to earn their degree. Indeed, if we consider a traditional academic software engineering student they probably have far more experience constructing shiny new ?green-field? systems, than maintaining the old ?brown-field? systems found in industry, and generating most professional work. Consequently, there is growing enthusiasm for work-based learning programmes that provide an opportunity for candidates to cement abstract academic theory in concrete personal experience. Work-based learning software engineering students earn their degree by combining theory with actual practice in a professional environment. Nevertheless, the intangible outcomes for much of software engineering has led to an industry obsessed with confidentiality, driven by concerns of employees smuggling source code to competitors or regulators. This obsession potentially presents a barrier to work-based learning schemes as employers prevent outsiders, even close higher education partners, from observing the systems and the source code that learners are working on. Learners may have the opportunity for concrete personal experience, but educators are barred from observing any such experience. However, confidentiality agreements may not necessarily present barriers to assessment, but instead provide an opportunity to assess comprehension and transferable skills by requiring abstract descriptions and reports. This is the converse to the problem in some programming courses, where students submit code without demonstrating that they understand it and can discuss it in terms of the concepts taught. In this talk and accompanying poster we explore some models for software engineering work-based learning programmes that have the potential to maintain confidentiality while assessing learners? comprehension and ability. We invite discussion and criticism from conference attendees of the presented models, and are interested in potential partners for future collaboration.

2. Assessing the Unseen: Roles of Confidentiality and Trust in Software Engineering Work-based Learning Programmes [Presentation]

   Joseph Maguire, Steve Draper, and Quintin Cutts

   In ACM Conference on International Computing Education Research, Aug 2018

   Abs

   A typical academic degree focused on software engineering has little practical relationship with the industry it is named for, other than the occasional placement or internship. Unlike other professions such as medicine, dentistry and veterinary sciences, candidates do not need to participate in significant professional practice to earn their degree. Indeed, if we consider a traditional academic software engineering student they probably have far more experience constructing shiny new ’green-field’ systems, than maintaining the old ’brown-field’ systems found in industry, and generating most professional work. Consequently, there is growing enthusiasm for work-based learning programmes that provide an opportunity for candidates to cement abstract academic theory in concrete personal experience. Work-based learning software engineering students earn their degree by combining theory with actual practice in a professional environment. Nevertheless, the intangible outcomes for much of software engineering has led to an industry obsessed with confidentiality, driven by concerns of employees smuggling source code to competitors or regulators. This obsession potentially presents a barrier to work-based learning schemes as employers prevent outsiders, even close higher education partners, from observing the systems and the source code that learners are working on. Learners may have the opportunity for concrete personal experience, but educators are barred from observing any such experience. However, confidentiality agreements may not necessarily present barriers to assessment, but instead provide an opportunity to assess comprehension and transferable skills by requiring abstract descriptions and reports. This is the converse to the problem in some programming courses, where students submit code without demonstrating that they understand it and can discuss it in terms of the concepts taught. In this talk and accompanying poster we explore some models for software engineering work-based learning programmes that have the potential to maintain confidentiality while assessing learners’ comprehension and ability. We invite discussion and criticism from conference attendees of the presented models, and are interested in potential partners for future collaboration.

3. Scaffolding Video Assignments in Cyber Security

   Joseph Maguire, Stephen Draper, and Rosanne English

   In Workshop on Using Video in Computer Science Education, Aug 2018

   Abs

   This talk reflects on two cases of introducing assignments into two different computing courses related to cyber security that required students to create and submit videos. On reflection, analysis of the use of such assignments suggests that student success could be further improved by considering appropriate scaffolding not just within the courses themselves, but across degree programmes. The analysis led us to draw some practical recommendations that could be used to improve future learning designs.

4. Consuming versus Authoring: Reflections on Video Assignments for Usable Security

   Joseph Maguire, Stephen Draper, and Rosanne English

   In Workshop on HCI and the Educational Technology Revolution, co-located with the International Working Conference on Advanced Visual Interfaces, May 2018

   Abs

   This paper reports on two cases of introducing assignments into two different computing courses related to Usable Security that required students to create and submit videos. Analysis of these cases of (perhaps hasty) teaching innovation is used to offer a classification of the types or styles of videos submitted by these students. On reflection, the innovators may have been influenced by the delusion that digital natives come pre-trained in new digital media. Educational precedents however tell us that being a fluent reader does not by itself make you a fluent writer, and imply that being a big consumer of videos does not mean you have any experience of authoring them. This analysis led us to draw on current practices for supporting students’ academic writing to offer four practical recommendations for educators wishing to improve on these learning designs reported.

5. Beyond Capture: Perspectives, Privacy and Pedagogy

   Joseph Maguire

   In Lecture Capture Symposium, May 2018

   Abs

   The automatic capture of lectures has the potential to greatly benefit students beyond the original session with minimal cost to lecturers. However, student instincts are often wrong regarding what supports their own learning. Lecturers need to consider the problems as well as the possibilities of automatically capturing content. The talk will address three key considerations beyond capture. The first is anecdotal perspectives of students and staff in the automatic capturing of lectures. The second is the importance of privacy of students and staff when capturing lectures. The third is pedagogy, in terms of how to support students in consuming lecture recordings and how staff can potential repurpose sessions to improve learning. The expectation is that after the session, staff will be able to make the most of lecture capture.

6. Assessing the Unseen: Roles of Confidentiality and Trust in Software Engineering Work-based Learning Programmes [Poster]

   Joseph Maguire, Steve Draper, and Quintin Cutts

   In ACM Conference on International Computing Education Research, Aug 2018

   Abs

   A typical academic degree focused on software engineering has little practical relationship with the industry it is named for, other than the occasional placement or internship. Unlike other professions such as medicine, dentistry and veterinary sciences, candidates do not need to participate in significant professional practice to earn their degree. Indeed, if we consider a traditional academic software engineering student they probably have far more experience constructing shiny new ?green-field? systems, than maintaining the old ?brown-field? systems found in industry, and generating most professional work. Consequently, there is growing enthusiasm for work-based learning programmes that provide an opportunity for candidates to cement abstract academic theory in concrete personal experience. Work-based learning software engineering students earn their degree by combining theory with actual practice in a professional environment. Nevertheless, the intangible outcomes for much of software engineering has led to an industry obsessed with confidentiality, driven by concerns of employees smuggling source code to competitors or regulators. This obsession potentially presents a barrier to work-based learning schemes as employers prevent outsiders, even close higher education partners, from observing the systems and the source code that learners are working on. Learners may have the opportunity for concrete personal experience, but educators are barred from observing any such experience. However, confidentiality agreements may not necessarily present barriers to assessment, but instead provide an opportunity to assess comprehension and transferable skills by requiring abstract descriptions and reports. This is the converse to the problem in some programming courses, where students submit code without demonstrating that they understand it and can discuss it in terms of the concepts taught. In this talk and accompanying poster we explore some models for software engineering work-based learning programmes that have the potential to maintain confidentiality while assessing learners? comprehension and ability. We invite discussion and criticism from conference attendees of the presented models, and are interested in potential partners for future collaboration.

7. Assessing the Unseen: Roles of Confidentiality and Trust in Software Engineering Work-based Learning Programmes [Presentation]

   Joseph Maguire, Steve Draper, and Quintin Cutts

   In ACM Conference on International Computing Education Research, Aug 2018

   Abs

   A typical academic degree focused on software engineering has little practical relationship with the industry it is named for, other than the occasional placement or internship. Unlike other professions such as medicine, dentistry and veterinary sciences, candidates do not need to participate in significant professional practice to earn their degree. Indeed, if we consider a traditional academic software engineering student they probably have far more experience constructing shiny new ’green-field’ systems, than maintaining the old ’brown-field’ systems found in industry, and generating most professional work. Consequently, there is growing enthusiasm for work-based learning programmes that provide an opportunity for candidates to cement abstract academic theory in concrete personal experience. Work-based learning software engineering students earn their degree by combining theory with actual practice in a professional environment. Nevertheless, the intangible outcomes for much of software engineering has led to an industry obsessed with confidentiality, driven by concerns of employees smuggling source code to competitors or regulators. This obsession potentially presents a barrier to work-based learning schemes as employers prevent outsiders, even close higher education partners, from observing the systems and the source code that learners are working on. Learners may have the opportunity for concrete personal experience, but educators are barred from observing any such experience. However, confidentiality agreements may not necessarily present barriers to assessment, but instead provide an opportunity to assess comprehension and transferable skills by requiring abstract descriptions and reports. This is the converse to the problem in some programming courses, where students submit code without demonstrating that they understand it and can discuss it in terms of the concepts taught. In this talk and accompanying poster we explore some models for software engineering work-based learning programmes that have the potential to maintain confidentiality while assessing learners’ comprehension and ability. We invite discussion and criticism from conference attendees of the presented models, and are interested in potential partners for future collaboration.

2017

1. Lessons Learned from Evaluating Eight Password Nudges in the Wild

   Karen Renaud, Verena Zimmermann, Joseph Maguire, and 1 more author

   Oct 2017

   Abs

   Background. The tension between security and convenience, when creating passwords, is well established. It is a tension that often leads users to create poor passwords. For security designers, three mitigation strategies exist: issuing passwords, mandating minimum strength levels or encouraging better passwords. The first strategy prompts recording, the second reuse, but the third merits further investigation. It seemed promising to explore whether users could be subtly nudged towards stronger passwords. Aim. The aim of the study was to investigate the influence of visual nudges on self-chosen password length and/or strength. Method. A university application, enabling students to check course dates and review grades, was used to support two consecutive empirical studies over the course of two academic years. In total, 497 and 776 participants, respectively, were randomly assigned either to a control or an experimental group. Whereas the control group received no intervention, the experimental groups were presented with different visual nudges on the registration page of the web application whenever passwords were created. The experimental groups? password strengths and lengths were then compared that of the control group. Results. No impact of the visual nudges could be detected, neither in terms of password strength nor length. The ordinal score metric used to calculate password strength led to a decrease in variance and test power, so that the inability to detect an effect size does not definitively indicate that such an effect does not exist. Conclusion. We cannot conclude that the nudges had no effect on password strength. It might well be that an actual effect was not detected due to the experimental design choices. Another possible explanation for our result is that password choice is influenced by the user?s task, cognitive budget, goals and pre-existing routines. A simple visual nudge might not have the power to overcome these forces. Our lessons learned therefore recommend the use of a richer password strength quantification measure, and the acknowledgement of the user?s context, in future studies.

2. Lessons Learned From Integrating Industry and Exposing Enterprises to Computing Science Students

   Joseph Maguire, and Rosanne English

   In SEED: Skills in Entrepreneurial Education - SICSA Worskhop, Sep 2017

   Abs

   Graduates face a myriad of options upon completing their degree, including starting their own venture. Integrating industry and exposing enterprises to students as part of their curriculum not only provides opportunities for students, but enterprises as well. For students, they can apply their knowledge to real-world briefs in an attempt to win the business of a much larger corporation. For enterprises, they can identify strong potential future employees or investment opportunities. However, while opportunities exist for both students and existing enterprises, real challenges remain for the facilitating higher education institution. The talk will cover experiences of integrating industry into postgraduate courses and the lessons learned from facilitating the interaction between students and industry.

3. Preserving Privacy and Reconceptualising Sharing in Active Learning Spaces

   Joseph Maguire

   In Higher Education Academy Annual Conference 2017, Jul 2017

   Abs

   Active Learning Spaces present opportunities and challenges for learning in higher education. The reconfigurable spaces with particular focus on technology, empower students in participative learning. The opportunity for students is to use their own, familiar and friendly devices to create and share content with peers. They do not need to learn a new tool and instead can focus on the task at hand. The challenge for educators is to recognise that such devices are not just generic pieces of plastic, but rather, highly personal devices. They are more than just a familiar tool. Smartphones share more similarities with a personal diary than a traditional desktop, they are pocket computers that contain countless conversations, notes and photographs. The concern is that students may share more than they would like with the rest of the class. Smartphone sharing in an active learning space is little more than pushing pixels from a single small screen to several larger ones. It is an all or nothing experience. The potential result is that a student?s shared creation could be interrupted with a message from mum, balance notification from their bank or an invite to play a game. The brief experience not only serves to embarrass the student, but dissuade others from sharing in class. Practically preserving the privacy of computing science students in active spaces has prompted my own thoughts on the challenges of sharing. These problems will be faced by students in varied domains as such spaces become prevalent. However, the solution should not been seen through a technical lens, but rather as an opportunity to reconsider the requirements of sharing and what it actually means in active learning spaces. The talk will consider solutions to preserving privacy as well as privacy challenges of in higher education before attempting to reconceptualising sharing for active learning. The aspiration is that reconsidering sharing might not only spare the blushes of students it could also produce stronger outcomes from active spaces.

4. Close Encounters of the Industry Kind

   Joseph Maguire

   In 2017 Annual Council of Professors and Heads of Computing Conference, Apr 2017

   Abs

   No abstract available.

5. Close Encounters of the Industry Kind

   Joseph Maguire

   In 2017 Annual Council of Professors and Heads of Computing Conference, Apr 2017

   Abs

   No abstract available.

6. Lessons Learned From Integrating Industry and Exposing Enterprises to Computing Science Students

   Joseph Maguire, and Rosanne English

   In SEED: Skills in Entrepreneurial Education - SICSA Worskhop, Sep 2017

   Abs

   Graduates face a myriad of options upon completing their degree, including starting their own venture. Integrating industry and exposing enterprises to students as part of their curriculum not only provides opportunities for students, but enterprises as well. For students, they can apply their knowledge to real-world briefs in an attempt to win the business of a much larger corporation. For enterprises, they can identify strong potential future employees or investment opportunities. However, while opportunities exist for both students and existing enterprises, real challenges remain for the facilitating higher education institution. The talk will cover experiences of integrating industry into postgraduate courses and the lessons learned from facilitating the interaction between students and industry.

7. Lessons Learned from Evaluating Eight Password Nudges in the Wild

   Karen Renaud, Verena Zimmermann, Joseph Maguire, and 1 more author

   Oct 2017

   Abs

   Background. The tension between security and convenience, when creating passwords, is well established. It is a tension that often leads users to create poor passwords. For security designers, three mitigation strategies exist: issuing passwords, mandating minimum strength levels or encouraging better passwords. The first strategy prompts recording, the second reuse, but the third merits further investigation. It seemed promising to explore whether users could be subtly nudged towards stronger passwords. Aim. The aim of the study was to investigate the influence of visual nudges on self-chosen password length and/or strength. Method. A university application, enabling students to check course dates and review grades, was used to support two consecutive empirical studies over the course of two academic years. In total, 497 and 776 participants, respectively, were randomly assigned either to a control or an experimental group. Whereas the control group received no intervention, the experimental groups were presented with different visual nudges on the registration page of the web application whenever passwords were created. The experimental groups? password strengths and lengths were then compared that of the control group. Results. No impact of the visual nudges could be detected, neither in terms of password strength nor length. The ordinal score metric used to calculate password strength led to a decrease in variance and test power, so that the inability to detect an effect size does not definitively indicate that such an effect does not exist. Conclusion. We cannot conclude that the nudges had no effect on password strength. It might well be that an actual effect was not detected due to the experimental design choices. Another possible explanation for our result is that password choice is influenced by the user?s task, cognitive budget, goals and pre-existing routines. A simple visual nudge might not have the power to overcome these forces. Our lessons learned therefore recommend the use of a richer password strength quantification measure, and the acknowledgement of the user?s context, in future studies.

8. Preserving Privacy and Reconceptualising Sharing in Active Learning Spaces

   Joseph Maguire

   In Higher Education Academy Annual Conference 2017, Jul 2017

   Abs

   Active Learning Spaces present opportunities and challenges for learning in higher education. The reconfigurable spaces with particular focus on technology, empower students in participative learning. The opportunity for students is to use their own, familiar and friendly devices to create and share content with peers. They do not need to learn a new tool and instead can focus on the task at hand. The challenge for educators is to recognise that such devices are not just generic pieces of plastic, but rather, highly personal devices. They are more than just a familiar tool. Smartphones share more similarities with a personal diary than a traditional desktop, they are pocket computers that contain countless conversations, notes and photographs. The concern is that students may share more than they would like with the rest of the class. Smartphone sharing in an active learning space is little more than pushing pixels from a single small screen to several larger ones. It is an all or nothing experience. The potential result is that a student?s shared creation could be interrupted with a message from mum, balance notification from their bank or an invite to play a game. The brief experience not only serves to embarrass the student, but dissuade others from sharing in class. Practically preserving the privacy of computing science students in active spaces has prompted my own thoughts on the challenges of sharing. These problems will be faced by students in varied domains as such spaces become prevalent. However, the solution should not been seen through a technical lens, but rather as an opportunity to reconsider the requirements of sharing and what it actually means in active learning spaces. The talk will consider solutions to preserving privacy as well as privacy challenges of in higher education before attempting to reconceptualising sharing for active learning. The aspiration is that reconsidering sharing might not only spare the blushes of students it could also produce stronger outcomes from active spaces.

9. Privacy of Personal Things in Active Learning Spaces Need Individually Evolved Requirements

   Joseph Maguire, and Steve Draper

   Jul 2017

   Abs

   Technology-enhanced active learning (TEAL) spaces could represent a significant benefit to learning and teaching at universities. TEAL spaces support students in projecting presentations (e.g. from smart-phones) and sharing notes (e.g. from smart-watches) with peers. Importantly, this sharing is partly amongst their co-present small group but sometimes to the whole class. However, plugging personal things into smart spaces whose first requirement is to accept as many devices as possible is not without consequence. A projected notification of a political conversation, for example, has the potential to harm the individual both within the space and beyond, opening them to unwanted judgment, criticism and assessment. The traditional argument from the usable security community is that of intervention prior to any use whatever: users need to be trained, taught and/or nudged to avoid such problems. We conducted an informal focus group with students in a pilot TEAL space, exploring issues around the privacy and security of using personal devices in such spaces. The reality is that it is hard to perceive the privacy and security challenges prior to using the space. We argue that such prior interventions are not only a significant barrier to student adoption of smart spaces, but ineffective in ensuring the safety of individuals in the long-term. We argue that in designing smart spaces, both on-campus and off, designers need to adopt an approach of individually evolved privacy requirements to ensure an on-going safe, creative space for students. Two important features are: (a) as a small group develops bonds, its privacy level needs to be reduced over time and (b) the best privacy level depends on the whether the screen is currently shared with the small group or the large class.

2016

1. ZETA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology

   Andreas Gutmann, Karen Renaud, Joseph Maguire, and 4 more authors

   Jul 2016

   Abs

   Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.

2015

1. State of Alternative Authentication Research in Scotland

   Joseph Maguire

   In Centre for Advanced Security Research at Technische Universität Darmstadt Seminar, Feb 2015

   Abs

   Research into graphical authentication has yet to be meaningfully transferred into industry. This is the case globally, but is concerning in Scotland as considerable research into the area has been published and presented by academics in SICSA universities (e.g. University of Glasgow, Glasgow Caledonian University, Napier University). The lack of knowledge transfer is particularly perplexing given the interest of industry in improving digital security. There are several explanations for the lack of progress, but a prominent issue is the inconsistency in reporting scientific data pertaining to graphical authentication. There is no framework for the reporting of field investigations into graphical authentication solutions. This situation not only hinders knowledge transfer into industry but the progress of research into alternative authentication solutions. Industry and researchers require metrics and strong qualitative data to utilise and progress research in the area. Consequently, the Scottish Informatics and Computer Science Alliance (SICSA) has provided financial support for a research exchange for me to visit and work with Prof. Melanie Volkamer. The primary aim of the proposed exchange is to develop a field evaluation framework for graphical authentication solutions to ensure consistent reporting of scientific data. The Center for Advanced Security Research at Technische Universität Darmstadt has an established track record of transferring knowledge into industry. Notably, Prof. Melanie Volkamer from the Technische Universität Darmstadt, along with Dr Karen Renaud and myself at the University of Glasgow have collaborated and made progress in transferring knowledge of graphical authentication research into industry.

2. Alternative Authentication in the Wild

   Joseph Maguire, and Karen Renaud

   Jul 2015

   Abs

   Alphanumeric authentication routinely fails to regulate access to resources with the required stringency, primarily due to usability issues. Initial deployment did not reveal the problems of passwords, deep and profound flaws only emerged once passwords were deployed in the wild. The need for a replacement is widely acknowledged yet despite over a decade of research into knowledge-based alternatives, few, if any, have been adopted by industry. Alternatives are unconvincing for three primary reasons. The first is that alternatives are rarely investigated beyond the initial proposal, with only the results from a constrained lab test provided to convince adopters of their viability. The second is that alternatives are seldom tested realistically where the authenticator mediates access to something of value. The third is that the testing rarely varies the device or context beyond that initially targeted. In the modern world different devices are used across a variety of contexts. What works well in one context may easily fail in another. Consequently, the contribution of this paper is an "in the wild" evaluation of an alternative authentication mechanism that had demonstrated promise in its lab evaluation. In the field test the mechanism was deployed to actual users to regulate access to an application in a context beyond that initially proposed. The performance of the mechanism is reported and discussed. We conclude by reflecting on the value of field evaluations of alternative authentication mechanisms.

3. Regulating Access to Adult Content (with Privacy Preservation)

   Karen Renaud, and Joseph Maguire

   Jul 2015

   Abs

   In the physical world we have well-established mechanisms for keeping children out of adult-only areas. In the virtual world this is generally replaced by self declaration. Some service providers resort to using heavy-weight identification mechanisms, judging adulthood as a side effect thereof. Collection of identification data arguably constitutes an unwarranted privacy invasion in this context, if carried out merely to perform adulthood estimation. This paper presents a mechanism that exploits the adult’s more extensive exposure to public media, relying on the likelihood that they will be able to recall details if cued by a carefully chosen picture. We conducted an online study to gauge the viability of this scheme. With our prototype we were able to predict that the user was a child 99% of the time. Unfortunately the scheme also misclassified too many adults. We discuss our results and suggest directions for future research.

2014

1. Contemplating Skill-Based Authentication

   Karen Renaud, Joe Maguire, Johan Niekerk, and 1 more author

   Africa Research Journal, Jun 2014

   Abs

   Humans develop skills as they go through their lives: some are fairly common, such as reading, but others are developed to maximise employment opportunities. These skills develop over a long period of time and are much rarer. Here we consider whether we can exploit this reality in the security arena, specifically to achieve a stronger form of authentication. Authentication has traditionally been performed based on what users know, hold or are. The first is the most popular, in the form of the password. This is often referred to as ?knowledge-based? authentication. Yet, rigorously following guidelines for password creation produces forgettable gibberish and nonsense strings, not knowledge. Nonsense is hard to remember and users engage in a number of coping strategies to ameliorate this, and these tend to weaken the authenticator. It would be beneficial to find a way of reducing this memorial load, to identify a more usable mechanism. This is hard: usually reducing the memorial load also makes the secret easier to guess. The challenge is in finding a way to reduce memory load while holding the line as far as strength is concerned. Here we contemplate exploiting recognition of artefacts resulting from experts practicing their craft: ?skill-based? authentication. This should reduce the memorial load and effort, but also, crucially, make it harder for a random intruder to replicate. We report on how we trialled SNIPPET, a prototype of an authentication mechanism that relied on an expert programmer identifying his/her own code snippets from successive challenge sets. We found that our participants were all able to identify their own code snippets and that other participants were unable to guess these, even when they observed the legitimate person authenticating beforehand. These findings are not conclusive given the small number of participants but they do show promise and suggest that this is an area worth pursuing. We conclude by returning to the three NIST-identified forms of authentication and consider how SNIPPET can be positioned within the general authentication arena.

2. ACCESS: Describing and Contrasting Authentication Mechanisms

   Karen Renaud, Melanie Volkamer, and Joseph Maguire

   Jun 2014

   Abs

   The password the almost universal authentication solution yet is buckling under the strain. It demonstrates insufficiency and weakness due to poor choice, reuse and ease of transfer. Graphical passwords, biometrics, and hardware tokens have been suggested as alternatives. Industry has, unfortunately, not embraced these alternatives. One possible explanation is the complexity of the choice process. To support authentication decision-markers we suggest a framework called ACCESS (Authentication ChoiCE Support System) which captures requirements, consults a knowledge base of existing authentication mechanisms and their properties, and suggests those mechanisms that match the specified requirements.

3. ACCESS: Describing and Contrasting Authentication Mechanisms

   Karen Renaud, Melanie Volkamer, and Joseph Maguire

   Jun 2014

   Abs

   The password the almost universal authentication solution yet is buckling under the strain. It demonstrates insufficiency and weakness due to poor choice, reuse and ease of transfer. Graphical passwords, biometrics, and hardware tokens have been suggested as alternatives. Industry has, unfortunately, not embraced these alternatives. One possible explanation is the complexity of the choice process. To support authentication decision-markers we suggest a framework called ACCESS (Authentication ChoiCE Support System) which captures requirements, consults a knowledge base of existing authentication mechanisms and their properties, and suggests those mechanisms that match the specified requirements.

4. Contemplating Skill-Based Authentication

   Karen Renaud, Joe Maguire, Johan Niekerk, and 1 more author

   Africa Research Journal, Jun 2014

   Abs

   Humans develop skills as they go through their lives: some are fairly common, such as reading, but others are developed to maximise employment opportunities. These skills develop over a long period of time and are much rarer. Here we consider whether we can exploit this reality in the security arena, specifically to achieve a stronger form of authentication. Authentication has traditionally been performed based on what users know, hold or are. The first is the most popular, in the form of the password. This is often referred to as ?knowledge-based? authentication. Yet, rigorously following guidelines for password creation produces forgettable gibberish and nonsense strings, not knowledge. Nonsense is hard to remember and users engage in a number of coping strategies to ameliorate this, and these tend to weaken the authenticator. It would be beneficial to find a way of reducing this memorial load, to identify a more usable mechanism. This is hard: usually reducing the memorial load also makes the secret easier to guess. The challenge is in finding a way to reduce memory load while holding the line as far as strength is concerned. Here we contemplate exploiting recognition of artefacts resulting from experts practicing their craft: ?skill-based? authentication. This should reduce the memorial load and effort, but also, crucially, make it harder for a random intruder to replicate. We report on how we trialled SNIPPET, a prototype of an authentication mechanism that relied on an expert programmer identifying his/her own code snippets from successive challenge sets. We found that our participants were all able to identify their own code snippets and that other participants were unable to guess these, even when they observed the legitimate person authenticating beforehand. These findings are not conclusive given the small number of participants but they do show promise and suggest that this is an area worth pursuing. We conclude by returning to the three NIST-identified forms of authentication and consider how SNIPPET can be positioned within the general authentication arena.

2013

1. Shrinking the Authentication Footprint

   K. Renaud, and J. Maguire

   May 2013

   Abs

   Developers create paths for users to tread. Some users will stay on the beaten track; others will diverge and take risky shortcuts. If user-preferred and developer-created paths diverge too much, it is time for the developer to consider a new path. A case in point is the humble password. They fill an important developer need: a cheap and easy mechanism to control access and enforce accountability. Unfortunately, users find the constant requests for authentication a nuisance. They respond by walking down risky paths that compromise the mechanism but allow them to satisfy goals more quickly. The answer, for some researchers, has been to come up with password alternatives. This focus is misguided, since the alternatives do nothing to reduce the authentication footprint. The reality is that developers overuse authentication. The problem is not the authentication step, but rather its position in the path. Authentication is sometimes used even when there is no real need for it. This creates confusion in the user?s mind about the consequences of authentication: sometimes it authorises significant side effects and other times it is difficult to identify its raison d?etre. Here we suggest some developer patterns which minimise authentication requests, emphasising necessity rather than gratuitousness. We believe this will help to ease the current situation by moving towards genuine risk mitigation rather than harming authentication by excessive use thereof.

2. How Do You Solve A Problem Like Authentication?

   Joseph Maguire, and Karen Renaud

   In Human Factors in the Safety and Security of Critical Systems, Mar 2013

   Abs

   The security aspect that the computer user encounters most often is the password prompt - a demand that they verify their identity by providing a shared secret. Authentication, for the deployer, regulates access and enforces accountability. Authentication, for the user, obstructs, intrudes and delays gratification. Whereas users could probably put up with this if it happens relatively infrequently, this tends not to be the case. An authentication prompt is presented a number of times during the day. Sometimes it has serious consequences, such as when it is required to authorise the purchase of a digital item, and the permits consequent credit card charge. Other times it merely identifies the user to allow the system to customise the interface. The range of consequences and the multiplicity of systems mandating shared secrets collide with human limitations and the current password bloat and general end-user exasperation. Is it at all possible to improve authentication? As researchers, we have primarily addressed this problem in one of three ways: (1) by trying to find a password replacement, (2) by formulating rules and regulations to coerce users into choosing stronger passwords, or (3) fostering a security culture within the organisation, hoping that the social pressure will induce people to behave more securely. These endeavours have met with limited success. Alternatives have not been embraced by the developer community, rules and regulations are often ignored, subverted or deliberately flouted. Fostering a security culture has had more success, in relative terms, but still has not really addressed the ?authentication problem?. The one thing these approaches have in common is their focus on the human agent: the end user. Consider a related problem in the physical world: locks on doors. These have not changed in centuries and the doors themselves are probably weaker than they were a hundred years ago. Yet do locks really prevent intrusion? A determined intruder finds the average lock an minor deterrent, and the door itself is sometimes even made of glass, allowing the thief to subvert the lock entirely. Yet one never hears about a desperate search for a door or lock replacement. One doesn?t hear the refrain, ?How do you solve a problem like the door lock? This even though they, too, are lost, copied and shared. Why, when it comes to virtual locks, is there such a drive to come up with the perfect locking mechanism? The password and the average door lock function similarly: neither is perfect but both provide an acceptable measure of security. Here we will argue that it might be time to suspend our unrealistic expectations that we can find a perfect lock in the virtual world when we live quite happily with imperfect security in the physical world.

3. Are Graphical Authentication Mechanisms as Strong as Passwords?

   Karen Renaud, Peter Mayer, Melanie Volkamer, and 1 more author

   Mar 2013

   Abs

   The fact that users struggle to keep up with all their (textual) passwords is no secret. Thus, one could argue that the textual password needs to be replaced. One alternative is graphical authentication. A wide range of graphical mechanisms have been proposed in the research literature. Yet, the industry has not embraced these alternatives. We use nowadays (textual) passwords several times a day to mediate access to protected resources and to ensure that accountability is facilitated. Consequently, the main aspect of interest to decision-makers is the strength of an authentication mechanism to resist intrusion attempts. Yet, researchers proposing alternative mechanisms have primarily focused on the users’ need for superior usability while the strength of the mechanisms often remains unknown to the decision makers. In this paper we describe a range of graphical authentication mechanisms and consider how much strength they exhibit, in comparison to the textual password. As basic criteria for this comparison, we use the standard guessability, observability and recordability metrics proposed by De Angeli et al. in 2005. The intention of this paper is to provide a better understanding of the potential for graphical mechanisms to be equal to, or superior to, the password in terms of meeting its most basic requirement namely resisting intrusion attempts.

4. Are Graphical Authentication Mechanisms as Strong as Passwords?

   Karen Renaud, Peter Mayer, Melanie Volkamer, and 1 more author

   Mar 2013

   Abs

   The fact that users struggle to keep up with all their (textual) passwords is no secret. Thus, one could argue that the textual password needs to be replaced. One alternative is graphical authentication. A wide range of graphical mechanisms have been proposed in the research literature. Yet, the industry has not embraced these alternatives. We use nowadays (textual) passwords several times a day to mediate access to protected resources and to ensure that accountability is facilitated. Consequently, the main aspect of interest to decision-makers is the strength of an authentication mechanism to resist intrusion attempts. Yet, researchers proposing alternative mechanisms have primarily focused on the users’ need for superior usability while the strength of the mechanisms often remains unknown to the decision makers. In this paper we describe a range of graphical authentication mechanisms and consider how much strength they exhibit, in comparison to the textual password. As basic criteria for this comparison, we use the standard guessability, observability and recordability metrics proposed by De Angeli et al. in 2005. The intention of this paper is to provide a better understanding of the potential for graphical mechanisms to be equal to, or superior to, the password in terms of meeting its most basic requirement namely resisting intrusion attempts.

5. How Do You Solve A Problem Like Authentication?

   Joseph Maguire, and Karen Renaud

   In Human Factors in the Safety and Security of Critical Systems, Mar 2013

   Abs

   The security aspect that the computer user encounters most often is the password prompt - a demand that they verify their identity by providing a shared secret. Authentication, for the deployer, regulates access and enforces accountability. Authentication, for the user, obstructs, intrudes and delays gratification. Whereas users could probably put up with this if it happens relatively infrequently, this tends not to be the case. An authentication prompt is presented a number of times during the day. Sometimes it has serious consequences, such as when it is required to authorise the purchase of a digital item, and the permits consequent credit card charge. Other times it merely identifies the user to allow the system to customise the interface. The range of consequences and the multiplicity of systems mandating shared secrets collide with human limitations and the current password bloat and general end-user exasperation. Is it at all possible to improve authentication? As researchers, we have primarily addressed this problem in one of three ways: (1) by trying to find a password replacement, (2) by formulating rules and regulations to coerce users into choosing stronger passwords, or (3) fostering a security culture within the organisation, hoping that the social pressure will induce people to behave more securely. These endeavours have met with limited success. Alternatives have not been embraced by the developer community, rules and regulations are often ignored, subverted or deliberately flouted. Fostering a security culture has had more success, in relative terms, but still has not really addressed the ?authentication problem?. The one thing these approaches have in common is their focus on the human agent: the end user. Consider a related problem in the physical world: locks on doors. These have not changed in centuries and the doors themselves are probably weaker than they were a hundred years ago. Yet do locks really prevent intrusion? A determined intruder finds the average lock an minor deterrent, and the door itself is sometimes even made of glass, allowing the thief to subvert the lock entirely. Yet one never hears about a desperate search for a door or lock replacement. One doesn?t hear the refrain, ?How do you solve a problem like the door lock? This even though they, too, are lost, copied and shared. Why, when it comes to virtual locks, is there such a drive to come up with the perfect locking mechanism? The password and the average door lock function similarly: neither is perfect but both provide an acceptable measure of security. Here we will argue that it might be time to suspend our unrealistic expectations that we can find a perfect lock in the virtual world when we live quite happily with imperfect security in the physical world.

6. SNIPPET: Genuine Knowledge-Based Authentication

   Karen Renaud, Demetris Kennes, Johan Niekerk, and 1 more author

   Aug 2013

   Abs

   Authentication is traditionally performed based on what you know, what you hold or what you are. The first is the most popular, in the form of the password. This is often referred to as ?knowledge-based? authentication. Yet, given the guidelines for password restrictions commonly given to end-users we will argue that this is a misnomer. A strong password is actually a lengthy string of gibberish or nonsense. Common password strength guidelines advise users against choosing meaningful passwords.

7. Shrinking the Authentication Footprint

   K. Renaud, and J. Maguire

   May 2013

   Abs

   Developers create paths for users to tread. Some users will stay on the beaten track; others will diverge and take risky shortcuts. If user-preferred and developer-created paths diverge too much, it is time for the developer to consider a new path. A case in point is the humble password. They fill an important developer need: a cheap and easy mechanism to control access and enforce accountability. Unfortunately, users find the constant requests for authentication a nuisance. They respond by walking down risky paths that compromise the mechanism but allow them to satisfy goals more quickly. The answer, for some researchers, has been to come up with password alternatives. This focus is misguided, since the alternatives do nothing to reduce the authentication footprint. The reality is that developers overuse authentication. The problem is not the authentication step, but rather its position in the path. Authentication is sometimes used even when there is no real need for it. This creates confusion in the user?s mind about the consequences of authentication: sometimes it authorises significant side effects and other times it is difficult to identify its raison d?etre. Here we suggest some developer patterns which minimise authentication requests, emphasising necessity rather than gratuitousness. We believe this will help to ease the current situation by moving towards genuine risk mitigation rather than harming authentication by excessive use thereof.

2012

1. You Only Live Twice or The Years We Wasted Caring about Shoulder-Surfing

   K. Renaud, and Joseph Maguire

   May 2012
2. You Only Live Twice or The Years We Wasted Caring about Shoulder-Surfing

   K. Renaud, and Joseph Maguire

   May 2012

2011

1. An Alternative Avatar

   Joseph Maguire, and Karen Renaud

   In British HCI 2011 Health, Wealth and Happiness, Jul 2011

   Abs

   Fragments of information are generated and maintained, everyday. In the aggregate, these fragments are crucial to companies like Google and Facebook. Therefore, they create free services which drive the creation of fragments and discourage the destruction of them. However, there are potentially unforeseen costs, in terms of security and energy, in managing all these fragments. We propose an image-based avatar, which fluctuates depending on the information generated by an individual online.

2. An Alternative Avatar

   Joseph Maguire, and Karen Renaud

   In British HCI 2011 Health, Wealth and Happiness, Jul 2011

   Abs

   Fragments of information are generated and maintained, everyday. In the aggregate, these fragments are crucial to companies like Google and Facebook. Therefore, they create free services which drive the creation of fragments and discourage the destruction of them. However, there are potentially unforeseen costs, in terms of security and energy, in managing all these fragments. We propose an image-based avatar, which fluctuates depending on the information generated by an individual online.

2009

1. Student Generated Podcasts: Learning to Cascade Rather than Create

   Joseph Maguire, Susan Stuart, and Stephen Draper

   In 2nd Annual University of Glasgow Learning and Teaching Conference: Promoting Student Success through the Curriculum, Apr 2009

   Abs

   There is currently an explosion of exploratory uses of podcasts in education, but only a few where the students, rather than the staff, produce the podcasts. Where it has been done, it has mainly been for students where the technology itself was also relevant to their studies (e.g. computing science or media studies courses). Here however we report on one of these on a course for ?non-technical? students from the faculty of Arts. These students were required to produce a single video podcast for their third-year philosophy course. The requirements to present something useful to fellow students and to master a new and fashionable technology are well designed to augment self-confidence and self-efficacy, to engage students, to equip them with a skill that may enhance their employability, and to foster deeper learning. However a basic reason for student generated content of this kind is that authoring for other students (rather than for marking by a staff member) should give impetus to deeper thought about the content. This would not only cement existing knowledge but also supplement it with new perspectives and considerations. Sceptics might argue differently, claiming it to be a gimmick to boost course numbers. However, crafting a report, essay or regurgitating facts on exam day involve different learning experiences and skills to that of giving a persuasive presentation to a large audience.

2. Armchair authentication

   Karen Renaud, and Joseph Maguire

   Apr 2009

   Abs

   <p>Alphanumeric authentication, by means of a secret, is not only a powerful mechanism, in theory, but prevails over all its competitors in practice. However, it is clearly inadequate in a world where increasing numbers of systems and services require people to authenticate in a shared space, while being actively observed. This new reality places pressure on a password mechanism never intended for use in such a context. Asterisks may obfuscate alphanumeric characters on entry but popular systems, e.g. Apple iPhone and Nintendo Wii, regularly require users to use an on-screen keyboard for character input. This may not be a real concern within the context of secluded space but inadvertly reveals a secret within shared space. Such a secret has an economic cost in terms of replacement, recall and revenue, all of which affect the financial return of the offending systems and services.</p> <p>In this paper, we present and evaluate a graphical authentication mechanism, Tetrad, which appears to have the potential to address these specific concerns.</p>

3. Armchair authentication

   Karen Renaud, and Joseph Maguire

   Apr 2009

   Abs

   \ensuremath<p\ensuremath>Alphanumeric authentication, by means of a secret, is not only a powerful mechanism, in theory, but prevails over all its competitors in practice. However, it is clearly inadequate in a world where increasing numbers of systems and services require people to authenticate in a shared space, while being actively observed. This new reality places pressure on a password mechanism never intended for use in such a context. Asterisks may obfuscate alphanumeric characters on entry but popular systems, e.g. Apple iPhone and Nintendo Wii, regularly require users to use an on-screen keyboard for character input. This may not be a real concern within the context of secluded space but inadvertly reveals a secret within shared space. Such a secret has an economic cost in terms of replacement, recall and revenue, all of which affect the financial return of the offending systems and services.\ensuremath</p\ensuremath> \ensuremath<p\ensuremath>In this paper, we present and evaluate a graphical authentication mechanism, Tetrad, which appears to have the potential to address these specific concerns.\ensuremath</p\ensuremath>

2008

1. Student Generated Podcasts: Learning to Cascade Rather than Create

   Joseph Maguire, Susan Stuart, and Stephen Draper

   Oct 2008

   Abs

   There is currently an explosion of exploratory uses of podcasts in education, but only a few where the students, rather than the staff, produce the podcasts. Where it has been done, it has mainly been for students where the technology itself was also relevant to their studies (e.g. computing science or media studies courses). Here however we report on one of these on a course for ?non-technical? students from the faculty of Arts. These students were required to produce a single video podcast for their third-year philosophy course. The requirements to present something useful to fellow students and to master a new and fashionable technology are well designed to augment self-confidence and self-efficacy, to engage students, to equip them with a skill that may enhance their employability, and to foster deeper learning. However a basic reason for student generated content of this kind is that authoring for other students (rather than for marking by a staff member) should give impetus to deeper thought about the content. This would not only cement existing knowledge but also supplement it with new perspectives and considerations. Sceptics might argue differently, claiming it to be a gimmick to boost course numbers. However, crafting a report, essay or regurgitating facts on exam day involve different learning experiences and skills to that of giving a persuasive presentation to a large audience.

2. Student Generated Podcasts: Learning to Cascade Rather than Create

   Joseph Maguire, Susan Stuart, and Stephen Draper

   Oct 2008

   Abs

   There is currently an explosion of exploratory uses of podcasts in education, but only a few where the students, rather than the staff, produce the podcasts. Where it has been done, it has mainly been for students where the technology itself was also relevant to their studies (e.g. computing science or media studies courses). Here however we report on one of these on a course for ?non-technical? students from the faculty of Arts. These students were required to produce a single video podcast for their third-year philosophy course. The requirements to present something useful to fellow students and to master a new and fashionable technology are well designed to augment self-confidence and self-efficacy, to engage students, to equip them with a skill that may enhance their employability, and to foster deeper learning. However a basic reason for student generated content of this kind is that authoring for other students (rather than for marking by a staff member) should give impetus to deeper thought about the content. This would not only cement existing knowledge but also supplement it with new perspectives and considerations. Sceptics might argue differently, claiming it to be a gimmick to boost course numbers. However, crafting a report, essay or regurgitating facts on exam day involve different learning experiences and skills to that of giving a persuasive presentation to a large audience.

2007

1. Exploring podcasting as part of campus-based teaching

   Stephen W. Draper, and Joe Maguire

   Practice and Evidence of Scholarship of Teaching and Learning in Higher Education, Apr 2007

   Abs

   The possibility of using the technologies associated with podcasting and MP3 players to augment campus based HE teaching is explored. A study demonstrating its use in five courses, and eliciting favourable learner attitude responses, is briefly reported. A range of educational applications, including and going beyond those demonstrated in the study, are suggested. The different functions entailed are identified: recording, distribution, playback. The acceptability for each stakeholder group separately is discussed: learners, teachers, IT support. The technology’s characteristics are assessed with respect to essential factors for widespread adoption: cost, ease of use (i.e. personal effort and learning costs for users), and educational benefit. The underlying technologies are briefly described, partly to indicate what the fundamental advantages are based on (independently of currently available products) and partly to allow likely longevity to be assessed. Finally some underlying principles from the viewpoint of educational research are proposed and discussed.

2. Exploring podcasting as part of campus-based teaching

   Stephen W. Draper, and Joe Maguire

   Practice and Evidence of Scholarship of Teaching and Learning in Higher Education, Apr 2007

   Abs

   The possibility of using the technologies associated with podcasting and MP3 players to augment campus based HE teaching is explored. A study demonstrating its use in five courses, and eliciting favourable learner attitude responses, is briefly reported. A range of educational applications, including and going beyond those demonstrated in the study, are suggested. The different functions entailed are identified: recording, distribution, playback. The acceptability for each stakeholder group separately is discussed: learners, teachers, IT support. The technology’s characteristics are assessed with respect to essential factors for widespread adoption: cost, ease of use (i.e. personal effort and learning costs for users), and educational benefit. The underlying technologies are briefly described, partly to indicate what the fundamental advantages are based on (independently of currently available products) and partly to allow likely longevity to be assessed. Finally some underlying principles from the viewpoint of educational research are proposed and discussed.