Eliciting and Visualising Trust Expectations using Persona Trust Characteristics and Goal Models

Shamal Faily¹, Ivan Fléchais²

¹Bournemouth University, ²University of Oxford


Jul 09, 2015


Shamal Faily

Developers and users rely on trust to simplify complexity when building and using software. Unfortunately, the invisibility of trust and the richness of a system's context of use means that factors influencing trust are difficult to see, and assessing its implications before a system is built is complex and time-consuming. This paper presents an approach for eliciting and visualising differences between trust expectations using persona cases, goal models, and complementary tool support. We evaluate our approach by using it to identify misplaced trust expectations in a software infrastructure by its users and application developers.
Page 1: Eliciting and Visualising Trust Expectations using Persona Trust Characteristics and Goal Models

Eliciting and Visualising Trust Expectations using Persona Trust Characteristics and Goal Models

Shamal Faily¹, Ivan Fléchais²

¹Bournemouth University, ²University of Oxford

Page 2

Motivation

• Developers and consumers of software systems rely on trust to simplify design and usage complexity

• The symptoms of mismatched trust expectations don’t always suggest root causes

• Assessing the trust implications of a system is time-consuming, but what form might useful tool-support take?

https://www.flickr.com/photos/joi/2941559903

Page 3

Related Work: Trust

• Riegelsberger’s framework for trust in technology-mediated interactions

• Based on sequential interactions between trusters and trustees

• Intrinsic and Contextual trust-warranting properties

J. Riegelsberger, M. A. Sasse, and J. D. McCarthy. The mechanics of trust: A framework for research and design. International Journal of Human Computer Studies, 62(3):381–422, 2005.

untrustworthy actors. On-line trust models, by contrast, focus on underlying attributes that contribute to perceived trustworthiness. They are thus likely to be more long-lived and independent from specific application domains.

Our approach in establishing this framework had been to go back one step further and ask for the factors that lead trustees to act in a trustworthy manner. This opens up a wider research and design space, as it helps not only to address how trustworthy actors can signal their trustworthiness, but how to design a system so that it encourages trustworthy behavior. This approach also allowed showing how known signifiers of trustworthiness relate to contextual and intrinsic properties.

3.1.3. Researching trust rather than reliance

By categorizing incentives for trustworthy action into contextual and intrinsic properties, we pinpointed a terminological ambiguity that has not been discussed widely in HCI research: the distinction between reliance and trust. It is often claimed in the security literature (e.g. Schunter et al., 1999), but also in HCI research (e.g. Sapient, 1999), that security, control, and enforcement structures, as well as institutional embedding increase trust. Based on our analysis above, we argue that such assurance mechanism can increase observable trusting action by increasing one component of trust—reliance (Lahno, 2002). However, reliance is largely independent from the intrinsic properties of the trustee, and cooperation based on it is likely to cease when contextual properties are not in place. The philosopher Onora O’Neill (2002) even argues that we might be losing chances to build trust by increasingly relying on assurance mechanisms. Drawing on empirical studies, Sitkin and Roth (1993) drew similar conclusions for legalistic approaches (i.e. those based on

[Figure: Fig. 7. The complete framework. Diagram labels: Trustor, Trustee, Context, Signal, Incentive, Temporal, Social, Institutional, Ability, Motivation, Internalized Norms, Benevolence. Source: J. Riegelsberger et al. / Int. J. Human-Computer Studies 62 (2005) 381–422, p. 407]

Page 4

Related Work: i* / GRL

• Agent-oriented approaches for modelling and analysing stakeholder interests

• Captures conditions for satisfying goals, and satisficing softgoals

• GRL is part of the tool-supported User Requirements Notation standard

• Previous attempts to model trust using this notation hindered by practical problems creating and using models

[Figure: Figure 2. Goal-oriented requirement language model example.]

Figure 3 describes the part of the abstract URN metamodel specific to GRL, which formalizes the concepts introduced in Section 2.2. The diagram shows the relationship of GRLLinkableElements (i.e., actors and intentional elements) with ElementLinks (i.e., decomposition, dependency, and contribution links). On the right hand side of the diagram, the concepts required for the evaluation of GRL models (StrategiesGroup, EvaluationStrategy, and Evaluation) are defined.

In Recommendation Z.151, the static semantics of GRL is defined with the help of natural language descriptions and constraints on the abstract metamodel. The dynamic aspects of GRL are defined by requirements and guidelines for propagation mechanisms for GRL model evaluation. The GRL model evaluation allows for the comparison of alternatives and facilitates trade-offs among conflicting goals of various stakeholders. The standard does not enforce a specific propagation mechanism as GRL can be used in different ways by different modelers, for example, qualitative evaluations or quantitative ones.

2.5. Tool Support with jUCMNav

The best tool supporting URN modeling, analysis, and transformations is the open-source Eclipse plug-in jUCMNav.¹⁵ It supports analysis features for evaluating GRL models (see Figure 4) and executing UCM models. A URN model can contain

International Journal of Intelligent Systems DOI 10.1002/int

Amyot, D., Ghanavati, S., Horkoff, J., Mussbacher, G., Peyton, L., and Yu, E. Evaluating goal models within the goal-oriented requirement language. International Journal of Intelligent Systems 25, 8 (2010), 841–877.

Page 5

Related Work: Persona Cases

• Personas whose characteristics are both grounded in, and traceable to their originating source of empirical data

• Personas are narrative descriptions of archetypical users that embody their goals and needs

• Grounded theory used as a basis for persona construction (the ‘case’ for personas)

• Persona case elements align with GRL

[Figure: persona case example. Labels recovered from the diagram, by layer:
Grounded Theory Model: thematic concepts "Information Security Indifference" and "Island Mentality", relationship "is a cause of", quotations Q1, Q2, Q3.
Propositions: "II-5: Not worried about people trying to hack SCADA"; "IM-4: Systems are stand-alone because they are not connected to a network"; "IM-3: Systems are infected only if engineers connect infected laptops".
Argued Characteristics: persona characteristic "SCADA isolation makes hacking unlikely"; modal qualifier "Probably"; grounds and warrant elements "Hacking indifference", "Stand-alone SCADA", "Engineer only Infection".
Narrative: ".... Rick isn't particularly concerned about ......"]

S. Faily and I. Fléchais. Persona cases: a technique for grounding personas. In Proceedings of the 29th international conference on Human factors in computing systems, pages 2267–2270. ACM, 2011.

Page 6

Approach

• A three-step approach for exploring how warranted the trust expectations of stakeholders might be

• Elicit Persona Trust Characteristics

• Derive GRL model from persona cases

• Generate and analyse GRL model

Page 7

Tool-support

• CAIRIS

• An open-source Security Requirements Management tool

• Supports creation and management of persona cases

• Extended to facilitate addition of GRL intention and contribution data, and export of GRL models

S. Faily and J. Lyle. Guidelines for integrating personas into software engineering tools. In Proceedings of the 5th ACM SIGCHI symposium on Engineering interactive computing systems, EICS ’13, pages 69–74. ACM, 2013.

Page 8

Tool-support

• jUCMNav

• An Eclipse-based editor for the User Requirements Notation

• GRL models assessed using strategies to indicate satisfaction of model elements based on the initial satisfaction of one or more elements

G. Mussbacher, S. Ghanavati, and D. Amyot. Modeling and Analysis of URN Goals and Scenarios with jUCMNav. In Proceedings of the 2009 17th IEEE International Requirements Engineering Conference, RE, RE ’09, pages 383–384, Washington, DC, USA, 2009. IEEE Computer Society.

Page 9

Elicit Trust Characteristics

• Use Riegelsberger’s framework to support a grounded theory analysis of trust factors affecting a particular user population

• Derive intrinsic and contextual persona characteristics from each grounded theory model relationship

http://qual-rip.blogspot.co.uk/2012/06/resources-for-doing-grounded-theory.html

Page 10

Derive GRL model from Persona Cases

• Identify goals, softgoals, or tasks implied by each characteristic

• For each contributing element, identify whether it is a ‘means’ or ‘end’ given the contribution relationship

Second, we want to understand how existing tool support can exploit these relationships such that goal models can be automatically generated based on pre-existing analysis. As a baseline for this research, we use the Goal-oriented Requirements Language (GRL) as the goal-modelling language for aligning concepts, and the jUCMNav [10] Eclipse plugin because of its support for importing XML based GRL files. The CAIRIS tool [11] was used for managing persona case and use case elements, and generating GRL files.

3 Contributions

Fig. 1. Conceptual relationships between persona case and use case elements with GRL

To date, we have made contributions to each of our research objectives. We identified several aligning relationships between persona case and use case elements and GRL; these are summarised in figure 1. The elements in this model align with concepts from the IRIS (Integrating Requirements and Information Security) meta-model: a conceptual model aligning elements from Requirements Engineering, HCI, and Information Security [12].

Because the [long] names associated with persona characteristics and their supporting elements are displayed on a goal model, a short synopsis was associated with each; a similar synopsis was assigned to each associated use case objective and step. As figure 1 shows, each stipulated persona case and use case element was associated with a GRL intentional element. To date, our preliminary research has considered only the sub-set of tasks, goals, and soft-goals as candidate aligning elements.

To support the bounding of elements associated with i* Strategic Rationale models, persona characteristic synopses and supporting elements were automatically bounded by persona name. Synopses associated with use case steps were

CEUR Proceedings of the 5th International i* Workshop (iStar 2011)


S. Faily. Bridging User-Centered Design and Requirements Engineering with GRL and Persona Cases. In Proceedings of the 5th International i* Workshop, pages 114–119. CEUR Workshop Proceedings, 2011.

Page 11

Generate and Analyse GRL model

• GRL model generated to visualise social goals associated with personas and shared context

• Strategies applied to explore the implications of dissatisfying goals and softgoals

• Personas' trust expectations identified using premortem scenarios

Page 12

Case Study: webinos

• A federated open-source communications platform to support web apps running consistently and securely across different device platforms

• Approach used to identify trust problems installing and configuring a webinos app

• Design data (including personas) publicly available

webinos Consortium. webinos design data repository. https://github.com/webinos/webinos-design-data, March 2013

Page 13

Elicit Trust Characteristics

• Trust characteristics augmented to pre-existing Helen and Jimmy personas

• Characteristics derived from a grounded theory analysis of workshop reports with representative Helen and Jimmy participants

[Figure: grounded theory models for the Helen and Jimmy personas. Concepts shown, with counts: consensual thinking (7), family rules (6), system model (4), disallowed disinterest (2), preferential context (4), leading concepts (2), problem surfacing (2), introduced technique (5), personal security (3), people-driven (3), subject interpretation (4), access switching (4), family interaction (5), untrusted subject (2), context confusion (3), context possibilities (5), structured reuse (2), facilitating insecurity (3), need to know (4), emergent trust (2), process-driven (5), practical concepts (3), policy confidence (2), contextualisation difficulty (6), role possibilities (3), stock topics (2). Relationship labels between concepts: ==, =>, X.]

Page 14

Derive GRL model from Persona Cases

• Elicit goals or softgoals from each characteristic

• Elicit goals, softgoals, or tasks from each characteristic’s grounds and warrants

• State the nature of the contribution relationship between each characteristic’s grounds/warrants elements, and its associated goal or softgoal

Page 15

Generate and Analyse GRL model

• Exported GRL model associated with a use case involving Jimmy and Helen

• Identified missing contribution links based on strategies and premortems

• While the model is large and complex, this would have been impractical to create manually!
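
The derive and analyse steps on a toy model, added here as an illustration; this is not CAIRIS or jUCMNav code. Three element names are taken from the persona case figure on page 5, while their roles, the "Trust plant network" softgoal, the "Scan engineer laptops" task, the weights, and the simplified sum-and-clamp propagation rule are assumptions.

```python
# Added illustration: a persona characteristic and its supporting elements as
# GRL-style intentional elements linked by contributions, then evaluated under
# two strategies. Roles, weights and two of the elements are constructed.

# (source, target) -> contribution weight in [-100, 100]
CONTRIBUTIONS = {
    ("Stand-alone SCADA", "SCADA isolation makes hacking unlikely"): 75,
    ("Hacking indifference", "SCADA isolation makes hacking unlikely"): 25,
    ("SCADA isolation makes hacking unlikely", "Trust plant network"): 100,
}
# "Scan engineer laptops" is a task nobody linked to anything (constructed).
ELEMENTS = {e for link in CONTRIBUTIONS for e in link} | {"Scan engineer laptops"}

# Strategies: initial satisfaction values in [-100, 100] for chosen elements.
PERSONA_VIEW = {"Stand-alone SCADA": 100, "Hacking indifference": 100}
PREMORTEM = {"Stand-alone SCADA": -100, "Hacking indifference": 100}


def evaluate(strategy):
    """Propagate a strategy's values forward along contribution links."""
    values = dict(strategy)
    pending = ELEMENTS - set(values)
    while pending:
        # An element is ready once every element contributing to it has a value.
        ready = [t for t in pending
                 if all(s in values for (s, tt) in CONTRIBUTIONS if tt == t)]
        if not ready:
            raise ValueError("contribution links form a cycle")
        for target in ready:
            total = sum(values[s] * w / 100
                        for (s, t), w in CONTRIBUTIONS.items() if t == target)
            values[target] = max(-100, min(100, round(total)))
            pending.discard(target)
    return values


def unaffected(strategy):
    """Elements no strategy value can reach: places to look for a missing link."""
    reached = set(strategy)
    while True:
        new = {t for (s, t) in CONTRIBUTIONS if s in reached} - reached
        if not new:
            return sorted(ELEMENTS - reached)
        reached |= new
```

Under `PERSONA_VIEW` the trust softgoal is fully satisfied; under `PREMORTEM`, where the isolation assumption fails, it drops to -50, and the laptop-scanning task is untouched by either strategy.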

Page 16

Take home points

• The approach can be scaled for multiple personas and use cases, but GRL model comprehension won’t be any easier

• The approach encourages increased use and engagement with personas

• This approach could be used to elicit and visualise persona characteristics for other aspects of socialness

Page 17

Thank you for listening!

• Any questions?

https://github.com/failys/CAIRIS

Acknowledgements

The research was funded by the

• EPSRC EUSTACE project (R24401/GA001)

• EU FP7 webinos project (FP7-ICT-2009-5 Objective 1.2)

We are also grateful to DSTL for supporting this work.