This article was edited by SPRITE+ Events, Projects and Communications Assitant Katy Taylor and SPRITE+ Interim Project Manager Alan Munro, with the interview responses and edits from Dr Charles Weir.
Today the spotlight is on the project titled 'FiVu: Using Design Fiction to Identify Future Vulnerabilities in Bio-IoT' led by Dr Charles Weir (Lancaster University), with Dr José-Rodrigo Córdoba-Pachón (Royal Holloway, University of London), Professor Lynne Coventry (Northumbria University), Dr Soteris Demetriou (Imperial College London) and Dr Cecilia Loureiro-Koechlin (Lancaster University). Following our 2021 Sandpit, the team explored the use of creative fiction – stories, fantasy and speculation – to help software developers and product owners to identify such threats and vulnerabilities. We got the chance to catch-up with the project PI, Dr Charles Weir, to find out more about the journey of this project.
Please could you outline FiVu for the non-expert?
In order to create secure software, developers have to know what they are defending against. And to do that, you have to do what we are calling a threat assessment: What might somebody else want that that they could get by misusing or accidentally misusing your software? To do that you have to think around the problem: who could possibly do something wrong towards the product/software I have been working on, which is not a not a comfortable thing for a developer to do. And that is the problem that FiVu looks at.
At the SPRITE+ sandpit where this project began, somebody said ‘what about design fiction?’ And we responded with something like ‘you what?’ It was then explained that this is where people use fiction to explore what might happen, to work around a problem, and we thought ‘let us try that.’ And so, we picked a context which was around Bio IoT, or Health IoT (Internet of Things). All these things ranging from the Strava app in my pocket to an Internet connected heart monitor.
But it raised the question: how are we going to get those fictions? We are not writers, not creative generators. So, we thought: What about science fiction? We decided to start by finding some science fiction to see if that helps. And that is the FiVu project.
So, how do the narratives and tropes within the sci-fi genre add to the process of identifying and communicating these threats and vulnerabilities?
What is terribly hard is thinking about what might happen, without anything to hang it onto. A story is a good thing to hang a discussion onto. I should say design fiction is normally written by creative people with a view of the future or specific technical thing which they write around. What we have done here is a little different. We said, if you had something like this, what existing science fiction can we find around it?
Why your particular emphasis in Bio IoT and could you explain what this means for people outside of the specialism?
We had to choose a domain. It so happened that one of the Co-Is, Soteris, had colleagues working on a case study to do with health IoT. My day project I am working on is also in health IoT so that tied in. It would be interesting to see how it works in any other domain. I expect it would.
Should we develop a more creative side to think through the consequences of our actions?
If I make my software more secure, that does not necessarily benefit me as much as it benefits everybody else. But if everybody does, then that benefits me. So, there is a community “should” to it.
In terms of commercial “should”? I would say yes. The classic situation is that a team creates something wonderful, it goes out into the world, and they discover that there was a security or privacy issue they’d not thought of in the first place. So, you need a good idea of what your security landscape is to make sensible business decisions, because sometimes the important security things caught early do not cost much to fix.
It seems then like creative thinking from early on in a security context can save a lot of money?
Yes, pre-empting problems can save a lot of trouble. I remember one of the first teams I worked with (who were superb at security). We had gone through one of these threat assessment exercises, and they were worried to see how much of how many of their most critical threats were ones against which they had not traditionally defended. And they found some small changes with large impact they could do pre-emptively. And that became my mission – to find easy ways for teams to see these problems they may face and stop them.
Are you familiar on Brian Eno’s work on oblique strategies? It is a set of cards that comes up randomly and pushes you in different directions.
This is the kind of thing we are talking about but with my experience the oblique strategies are a little too nebulous. A very random thing does not necessarily help developers. You need something exactly between oblique and direct strategies.
I was reading about the New Horizons probe that went to Pluto, and their technique of design thinking of all the possible things that could go wrong, then the improbable, and then the ludicrous and try and design these eventualities into the system.
That is what we are aiming towards. As we concluded from analysing the results, the participants did well on the brainstorming. We ended up with a long list of things that could go wrong. The next step would be to clarify which ones we are actually interesting, and to explore those in more detail. There is more work to be done in terms of devising a system that would work, just as there is more to be done in the way of creating these ‘fictions’ and making it so that anybody could do it.
Sometimes communities exist like oil and water, as if they were talking different languages. Do you feel there are sometimes cultural divides in terms of cyber security in this way?
The whole gamut of researchers is huge. You will have some people who are content to effectively do crossword puzzles that happens to benefit humanity. And another lot that are concerned with the moral and social issues. And the two work together. But they are very different problems.
Are you familiar with Susan Leigh Star’s work on Boundary Objects? (1) I am wondering if these design fictions could function as a boundary object between these different communities working on a particular system.
Yes. A lot of our work is looking at a particular boundary that is within an organisation, but in this case between the developers and product owners. They do not necessarily speak different languages but the product owners themselves are at a boundary somewhere between the customer and the technical specialist. One side is to do with social skills, business requirements and even people’s emotions. The other is almost strictly technical. The work that FiVu has been doing does sit at that level. It sits at the interface between the requirements gathering (taking stuff from a complex external world) and filtering it into a socially uncomplex implementation world.
Do you think the one-page fiction was the best way of communicating your work?
Comic strips (an illustrator created one to be included in the project) can give wider appeal and more immediate understanding, but even comic strips are not a natural medium for programmers, who deal almost entirely with text. As for the wider community, you would probably use audio-visual approach then, with actors – the full gamut. Even a short video would get a wide impact these days.
What has been the biggest challenge you have found in the FiVu research?
From the point of view of actually doing the project, the biggest challenge was a three-month timescale. It was a purely procedural issue. We required two lots of ethics approval in less than a month. Getting somebody recruited, organising meetings etc and getting outputs in in the short time that the project required was a big issue. So yes, the whole compressed nature of it made it difficult.
And your biggest successes?
Cecelia, who did the project work. The biggest success was taking the fiction from the science-fiction story and making it into a one pager. I expected that to be difficult and it was not – which surprised me. It may be that we have a uniquely talented writer in our midst, but it appears that taking a story and making it smaller is a much easier task than writing a story from scratch.
What are the main benefits you see from the project?
A lot of the problems you tend to have in discussing around a project is language. How do you talk about stuff? Even the world ‘threat’ is scarcely used outside of cyber specialists according to a recent survey. In order to have a discussion you need to start establishing some sort of language, and bringing a pre-packaged story can help you have a language to talk about a wider scope of ‘what could possibly happen?’
A great topic for further research would be to get an idea of the extent to which people take the language of the fiction statements and use that in the discussion.
What does your experience as an older ECR bring do you think?
I could not have done this without previous experience – being a PI. All of the skills of getting complex organisations to do things came entirely from my mid and early career experience in other areas. The domain-specific elements about research techniques have not taken much time to learn. I would say it is quite easy to catch up.
The university system however has very few ways of accepting that experience – you remain an ECR notionally and as much as your colleagues know you as senior, there is not the organic nature that exists in most organisations.
Do you think your experience has any lessons for post PhD or early post doc training?
I have been shameless in grabbing every example of training that I can find. I check regularly on all the possibilities. There are some remarkably good resources at my university around what you may call ‘non-academic’ skills that is needed by academics. Unfortunately there is very little emphasis on proper management in the sense of getting teams to work and the HR aspects of projects. I would urge younger ECRs to get that training any way they possibly can.
What is the most influential thing, whether it be a paper, book or other, that has set you off on this track that you think more people should know about?
In terms of influences, a lot of what I am doing comes not from academia, though there are academics who have incorporated it. It is the use of workshops, of all the techniques of getting people together to achieve things that one person cannot do alone. I have been working on that for 40 years. There was a conference that is now called SPA (Software Practice Advancement) that threw out the standard conventions of conferences, using ideas from the self-help movements in the eighties, to focus on how the group does better than the individual.
FiVu is about how you can help a group do better than you can help one individual.
(1) Star, Susan Leigh; Griesemer, James R. Institutional Ecology, 'Translations' and Boundary Objects: Amateurs and Professionals in Berkeley's Museum of Vertebrate Zoology, 1907-39 Social studies of science, 08/1989, Volume 19, Issue 3.