Paper prototyping is a means of creating a paper version of a digital interface and inviting a participant group to engage with the paper prototype, simulating the use of the digital interface. This work has placed emphasis on taking paper prototypes to user groups to explore how they perceive risk through successive spheres: organisational, physical, digital and social. The importance of the spheres is to steer participants toward awareness of four significantly different views of the same issue, for example the differences between the views that security is about compliance with protocol (organisational), locking the office door (physical), changing passwords frequently (digital) or trusting a colleague with sensitive information (social).
A mapping kit was developed for these sessions. This was composed of:
- A map of a geographical location (in most cases a room).
- Icons for physical assets and people.
- Icons representing boundaries.
- Colouring pens.
In each session the same process was followed, and the steps were as follows:
- Introduce the TREsPASS project and the role of visualisation within the project.
- Present participants with a scenario and a mapping kit and explain how to use the mapping kit.
- Ask participants to identify the assets, the connections between the assets and the possible attack paths.
- Place a likelihood on the success of each attack (represented by an attack path).
- Rank the risks based on the likelihoods.
The results were recorded through photography, note-taking and the collection of the completed paper prototypes.
Insights from the evaluation sessions
The key insights from the evaluation sessions are as follows:
- Narratives are needed to make the map understandable.
- Risks need to be visually categorised in order to make the map usable.
- Those using the map focused on the left-hand side of the map and not on the right.
The insight about narrative has led us to consider how we can include narrative in the Attack Navigator Map. One possible avenue of innovation is to incorporate analogue three-dimensional modelling (such as LEGO) into the more mathematically abstracted Attack Navigator Map, as mentioned in the previous section. This will be further explored in Year 4 of the TREsPASS project.