
FiVu: Using Design Fiction to Identify Future Vulnerabilities in Bio-IOT
1 November 2021 - 28 February 2022
Project team
Dr Charles Weir
Principal Investigator
Research Fellow and Lecturer, Lancaster University
Dr José-Rodrigo Córdoba-Pachón
Co-Investigator
Senior Lecturer in Technology and Information Management, Royal Holloway University of London
Professor Lynne Coventry
Co-Investigator
Director of Human and Digital Design, Northumbria University
Dr Soteris Demetriou
Co-Investigator
Lecturer, Imperial College London
Dr Cecilia Loureiro-Koechlin
Principal Researcher
Research Associate in Computing and Communications
Summary
Tell me a story about security, please!
It is very difficult to anticipate what information security and privacy problems a new product might encounter, especially in the fast-moving health automation field of Bio-IoT. This project explores using creative fiction – stories, fantasy and speculation – to help software developers and product owners identify such threats and vulnerabilities.
Following an initial literature survey on creative fiction, we plan to start by surveying experts and fans of fiction for example text; we’ll then build it into a format for a workshop, and trial that workshop with a team of health software application builders. As outcomes, we shall share the fiction examples/scenarios, the process followed and the conclusions from the workshops.
Outputs
‘Threat Fiction Bank’ - Repository for 'threat fictions': short fictional pieces to inspire developers and others carrying out cybersecurity threat assessment.
Poster: FiVu: Using Design Fiction to Identify Future Vulnerabilities in Bio-IoT
FiVu Interview on the SPRITE+ website
Impact
The following were the conclusions from the FiVu project:
The approach of using science fiction in a design fiction practical workshop was successful in producing fictional narratives.
The process of using fictional narratives to explore cybersecurity issues with novel technologies was innovative, and it helped developers to consider relevant security issues in a Health IoT project.
The workshop needs to be extended, with participants using risk assessment to help ‘focus in’ on the commercially important threats.
The approach taken to generate the fictional narratives needs simplification, possibly by removing the consultation of security experts.
Future work
We plan two further steps to take the concept forward:
Thematic analysis of the workshop transcript to provide insight into the effectiveness of the fictional narratives.
Incorporating a risk assessment step into the workshops and trialling it with one or more commercial software teams.
Funding may be available from one of our member organisations to support the first, and we hope to do the second in a follow-up project.