University of Oxford: Software Engineering

People and Security

People are frequently called the "weakest link in the security chain". Many examples of security incidents involve legitimate users, administrators and developers being unable to comply with, or otherwise being duped into breaking, the security policy. This course will explore security from a socio-technical and human-computer interaction perspective. The aim is to better understand people and their contexts, in order to develop systems which are more secure in practice.


This course normally runs twice a year.

Course dates

  • 30th September 2024: Oxford University Department of Computer Science - Held in the Department. 13 places remaining.
  • 24th March 2025: Oxford University Department of Computer Science - Held in the Department. 12 places remaining.


The successful participant will:

  • be able to specify usability criteria that a security mechanism has to meet to be workable for end-user groups and work contexts;
  • be able to specify accompanying measures (policies, training, monitoring and ensuring compliance) that an organisation needs to implement to ensure long-term security in practice;
  • understand the impact of security measures on different kinds of users and contexts;
  • understand the role of risk perception, incentives, and regulation in security-related decision-making;
  • be able to develop appropriate strategies against attacks on information systems which exploit human error.


Usability and HCI
HCI principles; Systems, people, tasks and context; usability evaluation
Authentication and Identity
Types of authentication and trade-offs; Identity and attribute-based credentials
Security in context
Personas; Equity and justice; Developers as users
Economics and Politics of Security
Decision-making, risks and costs; Compliance budget; Regulation
Attacks and Nudges
Phishing; Scams; Dark patterns; Warnings; Advice


Participants should have a basic understanding of computer security to the level provided by the Security Principles course.