Paper prototyping: Cloud case study

Paper prototyping is a means of creating a paper version of a digital interface and inviting a participant group to engage with the paper prototype simulating the use of the digital interface. This has placed emphasis on taking paper prototypes to user groups to explore how they perceive risk through successive spheres: organisational, physical, digital and social. The importance of the spheres is to steer participants toward awareness of four significantly different views of the same issue, for example the differences between the views that security is about compliance to protocol (organisational), locking the office door (physical), changing passwords frequently (digital) or trusting a colleague with sensitive information (social).

A session run at CSP 2105, Brussels.
One of the several groups taking part in paper prototyping at CSP 2105, Brussels.

A mapping kit was developed for these sessions. This was composed of:

  • A map of a geographical location (in most cases a room).
  • Icons for physical assets and people.
  • Icons representing boundaries.
  • Colouring pens.
  • Tape.

In each session the same process was followed, and the steps were as follows:

  1. Introduce the TREsPASS project and the role of visualisation within the project.
  2. Present participants with a scenario and a mapping kit and explain how to use the mapping kit.
  3. Ask participants to identify the assets, the connections between the assets and the possible attack paths.
  4. Place a likelihood on the success of each attack (represented by an attack path).
  5. Rank the risks based on the likelihoods.

The results were recorded through photography, note-taking and the collection of the completed paper prototyping.

Template that was used for paper prototyping.
Above: The template that was used for paper prototyping.


The completed template, a sample result from the paper prototyping session.
The completed template, a sample result from the paper prototyping session.

Insights from the evaluation sessions

The key insights from the evaluation sessions are as follows:

  • Narratives are needed to make the map understandable.
  • Risks need to be visually categorised in order to make the map usable.
  • Those using the map focused on the left-hand side of the map and not on the right.

The insight about narrative has led us to consider how we can include narrative in the Attack Navigator Map. One possible avenue of innovation is to incorporate analogue three- dimensional modelling (such as LEGO) into the more mathematically abstracted Attack Navigator Map, as mentioned in the previous section. This will be further explored in Year 4 of the TRESPASS project.

A paper prototyping session at Edith Cowan University.
From a paper prototyping session at Edith Cowan University, Australia.
The toolkit developed for evaluation sessions.