Running Head: USABLE SECURITY THE IMPLEMENTATION

Usable Security the Implementation

Name

Institution

Abstract

This project was about usability security and its implementation. It involved the designing and development of a suitable human computer interface to provide a log on module for the Kuwait armed forces computer system. The development focused on relieving the user from the load of creating, remembering and maintaining their passwords for the login process. Based on the fact that the Kuwait information and communication technology literacy levels are still in their infancy stage, the conventional authentication system was proved unfriendly to the user. This system was developed with this in mind. This proposed system relies on the user logging in to the system after identifying five pictures they uploaded earlier from among a grid of twenty five pictures. By selecting the five correct pictures which they uploaded, the system was able to successfully authenticate the user. Using these pictures greatly reduced the mental load on a user who was required to remember strong passwords that ended up being compromised (Badre 2002). The use of pictures or graphical images for authentication or access control is a practice called biometrics that is gaining popularity in establishing system security today. Due to the need to deliver a solution in the shortest time possible the agile methodology was employed here. This project was considered a rapid applications development (RAD) project (Martin 1991). The phases of the project were time bound to ensure the rapidity of development. Prototyping as a rapid application development technique was heavily relied upon to accomplish this (Amowitz, Arent & Berger 2006). Studies reveal that Kuwait seemed to have scarcity of technology savvy people willing to make use of the technological advancements in information technology area. Textual based password systems proved to be unfriendly to use because of the system’s demands on the user; commonly referred to as mental load. (Smith 2006)
This resulted to such systems becoming unpopular requiring the introduction of more user friendly systems similar to the one proposed in this project.
The response to the picture based password system was overwhelming as compared to the textual password systems. This system proved popular because of the fact that a user’s learning curve is reduced as long as they can recognize the initial images that they input into the system. Authentication here was based on the user identifying the five images they had uploaded among a grid of twenty five images.
Acknowledgement.

TABLE OF CONTENTS
5.0 Introduction 4 5.1 Project Background 7 5.2 Project Aim 9 5.3 Project Objectives 9 5.4 Chapter Outline 9
6.0 Literature Review 11 6.1 Picture password 14 6.2 Biometrics: Tampa based company 17 6.3 Human Computer Interaction 17 6.4 Authentication 18 6.5 Usability 20
7.0 Project Management 22 7.1 Project Management Methodology 23 7.1.1 Extreme Programming (XP) 31 7.1.2 Scrum Development 33 7.1.3 Joint Application Design (JAD) 35 7.1.4 Agile Software Development 36 7.1.5 Lean Software Development (LSD) 37 7.2 Software Development Methodology 39
8.0 Specifications 42
9.0 Analysis and Design 43 9.1 Findings 45 9.3 Database Development Methodology. 47
10. Implementation 49
11. Evidence 50 11.1 Picture based password log on system for the Kuwait Military 50
12. Discussion 53
13. Evaluation 54
14. Conclusion 55 14.1 Recommendation 57
15. References 58

5.0 Introduction

System security has become a major consideration today especially so for the developers of software applications. It is while the system is properly secured that that data within the system can also be secured. Due to the fact that computer systems are finding application in many sectors the Kuwait military has not been left behind in their endevours to employ computer systems in their processes. However the adoption of these computer systems has brought with it a new concern within the armed forces fraternity. It is not difficult to point out how much dependency systems have placed on user names and passwords to allow successful logins. More and more systems are building such authentication mechanisms into their user interface modules to subject the would be users of the systems to submit usernames and corresponding passwords for initial log in and subsequent log in processes later(Password policy 2010). However the conventional log in process is proving to be a cumbersome process especially where it entails more than one level of authentication. The requirement for the user to create a strong password, a code consisting of alpha numeric and textual data has caused the user to undergo what is termed the mental load (Smith 2006). This requires that the user of these systems accurately remembers their password while at the same time keep it secret and secure. The systems will not budge when a wrong username and password is submitted an incident that will happen time and again especially so for users who have to access various systems using the username password log in system. This frustrations result into users adopting ways of remembering these passwords such as jotting the passwords in diaries and note books. This results in compromising the very security to be derived by use of the passwords which are now written on the back of mouse pads or other seemingly concealed places in order to reduce the mental load which ends up being targeted by hackers or unauthorized users (Smith 2006).
Therefore usable security is becoming a vital requirement in system development today noting that systems are not only user friendly but that the log in process for such systems is user friendly as well. The evolution in log in systems is tending towards the use of graphical or non textual data as input as compared to the traditional text passwords. Typical examples are like the use of biometric systems. Biometrics consists of methods used to uniquely recognize human beings based on their behaviour or physical traits (Hong & Jain 1998).Biometrics is commonly employed in computer science as a means of identity access management and access control (Pejas & Piegat 2004). Biometrics will involve the physiological class focusing on the shape of the body. Areas of special attention would include the face, finger, palm, odor/scent and iris. The behavioral class focuses on such issues as gait, typing rhythm and voice. Biometrics is only effective when a number of parameters are applied. The typical parameters applied will include: o Circumvention which defines the ease of using a substitute. o Uniqueness defining how well the biometrics distinguishes between individuals o Collectability which defines the ease of acquisition from measurement o Permanence which defines the measure of how well a biometric resists variances over time and aging o Acceptability defining the degree of approval to a certain technology.
The verification mode of biometrics defines a one to one comparison involving the captured biometric and a template under storage. This comparison is supposed to prove that the individual is who they claim to be (Pejas & Piegat 2004). The identification mode on the other hand involves a one to many comparisons of the captured biometric against a database of biometric. The identification becomes successful if the comparison of the database template and the sampled biometric are within a previously set threshold.
The diagram 1 below illustrates the basic components found within a biometric system
Diagram 1: Biometric system diagram

Source: http://en.wikipedia.org/wiki/File:Biometric_system_diagram.png The sensor captures the input data for pre – processing, the data is then submitted into the biometric system for feature extraction (Jain & Ross 2004). This forms the matching template for that specific input. The resulting template for that particular input is enrolled into the template database if this process involves a new input, however if the template already exists in the database, the input is submitted to the matcher for testing (comparison with the stored template). A match indicates success (Wayman, Jain, Maltoni & Maio 2005). Biometric systems can be looked at as the most optimal authentication solution because there is no memory effort on the user and it is almost impossible to copy biometrics.
However they also have a share of their drawbacks relating to the high costs of implementation both for the hardware and software. An awkward situation arising where for example a user forgetting the finger(s) they submitted to the sensor for can be rejected by the system. Biometrics still posses the challenge when it comes to voice recognition where external factors like sickness may affect the tone and pitch of the voice causing the biometric system to reject the user credentials. Therefore due to all the above mentioned and the fact that textual based passwords stayed in use all these years because it relied on the users choice of selecting a complex mixture of alpha numeric characters this project will endeavor in exploring the possibilities of relying on recognition rather than recall by allowing the user the freedom of their selection

5.1 Project Background

The proposed system to be implemented in this writing is typically a picture based log on system which is a non textual based password log on system.
The Kuwait Military who are the clients of this system are carrying out the modernization of their systems and have required that their users have a more secure log on system. Numerous concerns have arisen concerning the use of the current system and the levels of security they provide with the client pointing to the fact that the pressure of creating and securely remembering the textual or alphanumeric passwords is defeating the purpose of securing the system. While the users are going to length to remember these passwords they are flouting the password policy resulting in security compromises. The client therefore requires the implementation of usable security after the rating of the current system leaves a lot to be desired. Based on the fact that the client also considers using network computing the threat on their data has become pronounced needing a secure yet friendly log on system to counter these threats. They have approached a developer and charged the developer with the responsibility of coming up with a web based log on system that will enable the users to log on using pictures they earlier uploaded. The Kuwait military are the sole sponsors of this project and want the project completed in the shortest time possible. Considering that they are adopting such a system for the first time, they have limited technical know how as concerns the system’s requirements. They have sourced for a developer based on an independent research carried out by their administration. The Kuwait Military have given a go ahead to the developer to commence work and develop the system that is web based and implement the interface by integrating it with the database. Based on the fact that time is critical and the users’ requirements are narrow, the developer proposes to use the rapid application development approach which is one of the agile methodologies. The rapid application development (RAD) methodology or approach was developed in order to respond to the need to deliver systems very fast (Rapid Application Development 2009). This approach is however unsuitable for the development of safety critical systems. The RAD approach makes use of a task list and a work breakdown structure that is speed oriented. In this approach a number of management techniques are available and are optimized for speed. The main considerations to adopting the RAD approach relates to the circumstances under which the project is to be carried on, the project scope and size (RAD 2009). Basing on the fact that the main objective for this project is known which is the need to have a secure log on system based on recognition rather than recall for authentication RAD can be qualified and employed within this project. Due to the fact that the technical architecture and dependant technologies are clear and the requirements such as the database size, throughput and response time are well within the capabilities of the technology used, RAD is considered a suitable approach for the development and implementation of this system. While forming the project team at minimum two users of the proposed system will be will be incorporated in the joint application development (JAD) workshops (Mochal 2001). These users will be carefully chosen based on their technical knowledge of the processes within the project. This is necessary in order to avoid any misunderstandings. The users on the JAD workshop also are empowered to make decisions on behalf of the client. The JAD workshops can be convened at any time during the project progress from inception through to delivery (Mochal 2001). It is envisaged that on successful implementation of the proposed log on system the user will be able to easily log on to the system. Further still the system will be more secure due to the fact that the input data is being compared to data that is stored within the system to ascertain a match. A successful match implies approved authentication and a log in to the system is granted.

5.2 Project Aim

The main aim of this project is the implementation of a secure log on system for the Kuwait military based on recognition rather than recall as its authentication process.

5.3 Project Objectives

a) To implement a user friendly log on systems devoid of the mental load that is inherent in password oriented log on systems. b) To secure sensitive and critical data by the implementation of this system c) To reduce the mental load on the user that is typical of textual based password security systems. d) To implement a system that is fairly permanent, unique, adaptable and cost effective

5.4 Chapter Outline

This whole paper argues about security and usability pinpointing how textual based password systems impose a mental load on the user. Research indicates that the notion that strong security depends on strong passwords is resulting into a kind of password dilemma (Password policy 2010). Systems are trying to implement the strong password process while disregarding the mental load this has on the users. A study by the author of this project indicated that while these forcing function procedures are encountered every other day by many system users they have not necessarily solved the problem that motivated their implementation. What this implies is that ways must be found to implement usable security other than the forcing function procedures. This paper addresses this issue with detailed description of a proposition that is typically non textual based password.
Smith asserts “that we can't always increase the average attack space simply by making passwords more complicated. If we overwhelm people's memories, we make certain attack risks worse, not better” (Smith, 2006, p.191)

6.0 Literature Review

Since the advent of passwords in the 1960s a good password has evolved based on the attacks against them. Initially there were not man y rules concerning passwords, the only requirement being that they had to be kept secret. Unfortunately as attacks to systems became more evident and bold this resulted in rules relating to good passwords.
Each rule had its justification and made sense when seen in the context with each one (Smith 2006). It seemed to brew no trouble for each and every rule that was effected. However the problem arose because of their combined effect. Password policies the world over will stress uniqueness where each password chosen must be new and different. Research indicates that single password users have a higher attack risk to their systems. This is so because the password can be intercepted by an intruder. Practically this would mean that for a log on to five different systems one will need to memorize five different ‘strong’ passwords for six systems , they will need to memorize six strong passwords (Password policy 2010). This is another technicality arising which is still an indicator of how unfriendly password systems are to the user. The department of defense (DOD) password management guideline of 1985 which points out at how individuals select and handle passwords has one of the recommendations that passwords must be replaceable. This replacement needs to be carried out periodically. The rules and procedures to maintain password security have left users in dilemma Smith (2006). The conventional password systems consist of a number of features to make trial and error attacks difficult. However it has now been proven that these features make these systems hard to use. Infact the eight golden rules by Ben Shneiderman on user interface design suffer violations where password interactions violate six of the eight. The table 1 below indicates this fact contributing to the argument that the use of passwords in log on systems has greatly eroded usability.
Table 1: Passwords are not user friendly
|RULES FOR THE USER INTERFACE DESIGN |TRUE FOR PASSWORD |
|Strive for consistency |Yes |
|Provide informative feedback |No |
|Users can frequently use shortcuts |No |
|Reduction of short term memory load |No |
|Allow for reversal of any action |No |
|Dialog yields closure |Yes |
|Prevent errors and provide error handling |No |
|Put the user in charge |No |

Source: Smith, R.E. (2006).The Strong Password Dilemma. http://www.smat.us/sanity/

While using these systems there are no shortcuts, the system runs no matches for the first few characters in order to execute an auto fill. These systems only report failure or success and cannot differentiate a mistype in the username and password (Smith 2006). Most unfortunately many of these systems will keep track of incorrect guesses thereby executing some irreversible action such as locking the user accounts. Worse still users have no chance of verifying their passwords even as they type them. The impromptu nature in which some of these systems ask for a user to change their password posses a great challenge to the user. The windows NT prior to a log on may request for a password change. At this juncture the user must be able to immediately think of a new strong password during this ambush. Even at the point of submission the user in this case has no way of verifying that password because these systems prohibit informative feedback (Password policy 2010). For the purpose of this research it will be worthwhile noting that whatever process has transpired during the conditional password change process narrated above poses a great challenge in terms of the mental load. Based on the fact that the human’s short term memory remembers an average of between five and nine particulate things the user in question here will retain the new password shortly before memorization (Smith 2006). A likely challenge arising in this scenario would be if the user is interrupted during or before the memorization, for example a phone call comes in, the user will loss the new password from memory which is a very typical happening among users of systems today. While demanding password changes from users at short or no notice systems makes the user in question to sacrifice their concentration while trying to memorize the new password. This leaves the user with a number of options the most obvious of which is to write the new password down on a piece of paper. This not only violates the password policy but also compromises the very security which the new password intended to maintain. Research has shown that it is hard for people to reliably memorize a sequence of arbitrary characters which would probably constitute their passwords. For the memorization process to succeed the user must learn and this will require constant practice to retain. Strong passwords are impracticable in requiring specialized training for their correct use (Smith 2006). It has also been established that user are quick to mentally model their own good passwords regardless of the instructions that accompany this process (Password policy 2010). According to the user memorability is favoured over security. Despite the password policies in place to try and ensure strong and secure are created by users, many of them flouting the password policies in order to reduce the mental load that results from enforcing these policies. It can be seen that better instructions and password schemes are not necessarily resulting in more secure systems (Password policy 2010). Normal textual based passwords and their use continues to cause dissatisfaction among system users many of whom are due to the forcing function within these systems unfortunately have little choice left. However from continued study by the author of this project and experience many systems have failed and continue to fail due to the fact that they neglect human factors. System developers are adopting ways of tweaking especially so the human computer interfaces with an aim of achieving user satisfaction. Successful system design and development practice seems to rely heavily on the presentation of a human computer interface that elicits positive user rating (Security and usability 2002). While the author of this project made a study of the design principles by people like Shneidermann famous for the eight golden rules of the user interface, IBM and Mayhew it can be noted that all password based systems continue to violate these principles.
According to IBM on design solution, the most compelling designs are those that are natural to use and tuned to user needs and experiences which is still a blind spot for password based systems. System design weights human computer interface design heavily.

6.1 Picture password

When personal systems such as personal digital assistants (PDAs) came to be an integral part of the organization’s information processing stratum, adequate user authentication became a real problem for the PDAs which were personal yet had to handshake with the organizations’ systems. PIN or password is considered the first line of defence against such threats. However to motivate users to enable PIN or password mechanisms and adhere to the update procedures has become a struggle (Wayne, Gavrila, Korolev, Ayers & Swanstrom 2003). Using picture password amplifies the fact that image recall is an easy and natural way of authentication removing serious barriers to organizational policy (Wayne et al 2003). Currently many handheld devices come with a four digit PIN for authentication. However PINs are susceptible to systematic trial and error attacks (Wayne et al 2003). While the strength of a password depends on a combination of a string of characters, this leads to combinations that can be difficult to remember. The problem becomes compounded when organizational policy and procedure compels users to generate strong passwords periodically. The picture password technique will authenticate a user selection of images displayed. It has been proven that visual content appeals to a large class of users (Wayne et al 2003). Therefore an image based authentication technique that is standard in design is potentially able to enable users to employ it and even in the periodic update of the authentication. Any authentication gaining user acceptance must be convenient to use. The picture password authentication has two distinct parts, initial password enrolment and password verification (Sobrado & Birget 2002). At the point of enrolment a user selects a theme of images used to derive the password. At log on the user must enter the enrolled image sequence for verification and successful authentication (Sobrado & Birget 2002). These systems have proved to be beneficial especially to visually inclined users. Instead of memorizing character strings, a sequence of thumbnail images are selected and retained. The image sequence can be personalized and if forgotten can be reconstructed from inherent visual clues. The foundational mechanism handling random character code assignment to image sequence composition, enrolment and verification is hidden from the user. The picture password uses squares of 40 x 40 pixels around a 5 x 6 matrix of elements for clarity. The picture password technique encourages user flexibility while they choose a theme that suits their personality and taste (Mandler & Ritchey 1997). However a number of issues arise with the use of the picture password technique.
Image selection was proving a problem. The size of the image matrix limited the alphabet size to only thirty elements which resulted into weak passwords assuming a one to one mapping. An attempt to address this issue involved combining the thumbnail sources up to ninety elements in total. However user navigational drawbacks and the effects of a denser set of images resulting in less tolerance for selections and higher error rates were resulting (Wayne et al 2003). One of the ways employed to address this situation while maintaining simplicity was to allow a combination of two thumbnails for an alphabet; this expanded the alphabet size from 30 to 930. This was adequate enough to cater for many different image sequences thereby opening the field of picture password. The issue of change of password due to organizational policy was now able to be catered for because of this combination. A user was able to still use the same image sequence after expiry. The system would de-couple the sequences to allow completely new password values. Internally and oblivious to the user the system would restructure the authentication process to target a mapping which is as a result of a different password value for the same sequence of images
Example of picture based authentication systems include: - Visual Key from sfr GmbH in Cologne Germany which makes use of cells for a predefined image to represent the password (Wayne et al 2003). The visual key software generates a matrix dividing an image into cells. A user should select a sequence of cells displayed to access the device. - Déjà vu a project of the University of California Berkeley uses a set of images for user authentication (Dhamija & Perrig 2008). For enrolment the user selects from among randomly generated images to create an authentication base. The training phase is where the user improves their recognition within the authentication base (Sobrado & Birget 2002). A trusted server will store these authentication bases for the users providing a challenge set for every user authentication (Sobrado & Birget 2002). Real users pass face a commercial user authentication system works on similar principle making use of individual faces instead of abstract images.

6.2 Biometrics: Tampa based company

Realtime North America a Tampa based company is already using biometrics to help the business and government agencies to tighten computer security. The system is called biolock. This system costs $ 100,000 (Tampa Company using biometrics 2010).The benefit of this system is that the administrator can assign by terminal access rights to information. The biometric system will consist of special recognition software (Real User Corporation 2001). A special mouse and keyboard scans the user’s fingerprint to gain a match

6.3 Human Computer Interaction

This is the study of the interaction process between the users and the computers. This process will normally take place at the user interface. Human computer interaction (HCI) concerns itself with design implementation and evaluation of systems that are interactive for human use. Human computer interaction is concerned with user satisfaction (IBM Design2010). Then basic goal of human computer interaction is the improvement of interaction between computers and users by making the former more usable (Shneiderman 1998). Therefore human computer interaction has concern with: - Ability to develop a descriptive and predictive model including the theories of interaction - Applying techniques to evaluate and compare interfaces - Applying methodologies and processes to designing interfaces - Developing new interaction techniques and interfaces
User interface design draws from a number of principles: - An early focus on users and tasks whereby there is an establishment of how many users are needed, who the users are and their tasks e.t.c. - Iterative design which follows the steps design, test, analyze results and repeat.
The observed measurement which involves live testing as early as possible. The human computer interaction design methodologies have evolved from a model showing the interaction between users, designers and technical systems (Sears & Jacko 2007). Modern models of HCI design focus on constant feedback between users and developers. Known methodologies here will include usage centred design and user centred design (Sasse, Brostoff & Weirich 2001). Display design includes human made artifacts used to support perceptions, relevant system variables to encourage information engineering. Display design draws from the thirteen principles of display design which are broadly categorized into perceptual, mental model, principle based on attention and memory principles (Sears & Jacko 2007).

6.4 Authentication

The act of establishing or confirming something of someone as authentic which is the claim made by or about the subject are true. Authentication techniques fall into two categories. The first process is to compare the object attributes to whatever is known about original objects at hand (Ahmed & Jensen 2009). The second type relies on documentation and other external affirmations. Product authentication is a process used to identify counterfeit products which are normally offered to consumers as authentic. Holograms are used on products as product authentication. For information content authentication the factors of concern here will include: - Public key infrastructure of electronic signature used cryptographically. This is used to prove that the message has been signed by a private key holder (Ahmed & Jensen 2009). - Secret that is shared in a message content. - Physical artifacts like watermarks, seals, signatures or fingerprint.
While using closed circuit television cameras it is now necessary to conduct video authentication to establish credibility when the closed circuit television care used. Authentication of someone is based on something you are, something you have and something you know. Every authentication factor involves a number of elements. These are used to verify or authenticate a person’s identity before access is granted. Positive identification must draw from at least two or all the three factors that follow here below: - Inherence factors which is what the user is or does. This also involves other biometric identifiers. - Knowledge factors which involves what the user knows for example passphrase, password or PIN. - Ownership factors which is related to what the user has for example an ID card, security token, software token or wrist band. Whenever elements represent two of these factors as required this is termed a two factor authentication. A typical example would be a bankcard (what a user has) and PIN (what a user knows). The two factor authentication is used in business networks (Smith 2001). Access to high security facilities may require a mantrap, screening of height, weight, facial and finger print checks and PIN. Historically fingerprints have been used being rated as the most authoritative authentication method. Authorization is mistakenly thought of as authentication. Authorization refers to standard security protocols and regulations. On the other hand authentication involves verifying a claim by a subject. Authorization will involve verifying an authenticated subject that they have permission to perform tasks or access resources. Authentication is used in conjunction with authorization to establish access control (Smith 2001). Therefore a system that is to be used by those authorized should attempt to detect and lock the unauthorized. Some common ways employed for access control involving authentication are: - Logging onto a computer system - Cash withdrawal using an Automated Teller Machine (ATM) - Confirmation emails to verify email addresses ownership - Captcha a way of asserting a human user and not a computer program.
The process of authentication especially in the area of access control has resulted in systems that are not user friendly. Security of a system as an attribute is sometimes greatly compromising usability. The need to find a system that will be usable and secure is the main aim of this project. It can be realized that authentication process especially so as part of a system access results in systems that overload the users mind especially if we consider the factors of a successful authentication which is either what the user knows or has. Users are therefore forced to overload their mental capacities trying to memorize new passwords (Ahmed & Jensen 2009). In so doing we can realize how critical usable security solutions are in demand. This demand is steadily rising. It can be mentioned that the developer of this project has seen many other projects that failed due to neglect to human factors such as usability.

6.5 Usability

When working at design usability involves the study of the ease by which users employ a tool or man made objects so as to achieve a defined goal (Mayhew 1999). Usability will have methods or metrics to measure usability. The principles upon which an object’s perceived elegance and efficiency can be measured can also define usability. Usability and user satisfaction differ by the fact that the former will also involve usefulness. Usability in design has a basis on how to make the design more efficient to use, easier to learn and more satisfying to use (Nielsen1999). Efficiency to use means that it will take less time for the user to accomplish a particular task. Ease of learning refers to the scenario where a user can learn by observing the object. Business information systems developers are competing on usability, investing in user oriented instead of technology oriented methods. For the user centred design the product is designed with its intended users in mind at all times (Kuniavsky 2003). In some process users become members in the design team. User friendliness refers to accessibility. Usability is very important in website development. Users’ behaviour on the web have a low tolerance for difficult designs or slow sites (Kuniavsky 2003).
A user has to grasp the functioning of the site almost immediately the page loads. This necessitates that the HCI be elegant and usable. Usability is part of usefulness and is composed of: a) Learniability which describes how easily it is for the user to accomplish basic tasks on their first time encounter. b) Efficiency which is ho quickly a user can perform some task c) Number of errors and how severe they are d) Satisfaction which is how pleasant it is to use the design e) Memorability which is how well a user establishes proficiency on their next visit (Dix, Finlay, Abowd & Beale 2003).
A new approach emerging usability engineering (UE) researches on the design process to ensure a product with good usability (Kuniavsky 2003). Usability cannot be directly measured, however it is quantified y indirect means or attributes such as the number of reported problems with the ease of use of a system (Preece, Rogers, Sharp, Benyon, Holland & Carey 1994).Intuitive interfaces which synonymously refers to learnability is described as a desirable trait in usable interfaces. The key principle to maximize the usability is the employment of iterative design. User testing is one of the basic ways this is achieved through getting some representative users on the team, close observation of what users are doing and asking user to perform representative tasks with the design (IBM Design 2010).
Iterative design is the best way to increase the quality of user experience. Testing should be an on going process and should not be carried out after full implementation. The only way to high quality user experience is to start user testing early in the design process and keep testing at each step (Wickens 2004). Rapid prototyping is a method used to validate and refine usability of a system. Remote usability testing is a specially modified on line survey where user testing studies are quantified (Cranor & Garfinkel 2005)

7.0 Project Management

Many projects whether big or small have their success determined by how effective the project management process was executed. Today we have guidelines and proposals available to be used as a yardstick in determining the best practices in project management (TK Strategies Project Management 2010). One of such guidelines is in the Project Management Body of Knowledge (PMBOK) guide third edition which consists of what is considered the best practices in project management. A disciplined approach to project management was employed during this project to ensure that the deliverables were on time, of quality and at optimal costs. The nature of the Kuwait Military log on system project is such that the user requirements in which case the implementation of a picture recognition log on system is accomplished in the shortest time possible. The main reason for employing a speed based development methodology is that the processes within the military and related data must remain secure at all times. It is therefore a requirement by the user that the system is up and running in three months from initiation.

7.1 Project Management Methodology

Among the methodologies considered for the development and implementation of this project are those that fall under the agile methodologies category. One of the main reasons for their successful candidature was the fact that they would deliver the proposed system in minimal time.
Therefore based on the client’s requirement the developer settled for the rapid application development (RAD) approach /methodology. This being a web based application prototyping as a technique in RAD was considered very suitable to elicit user requirements. A model or prototype of the proposed system was presented to the user to draw out their initial requirements. The iterative nature of development supported within RAD was also going to ensure that the prototype is refined till a suitable prototype results which would then be implemented as the new system. The rapid application development represents a merger of a number of structured techniques (Sommerville 2001). The inclination in this approach is a data driven information engineering process which relies heavily upon prototyping. Prototyping as a technique which involves the developer of the system coming up with a model of the proposed system at the onset in order to draw out user reaction and gather user requirements.
Generally the prototyping as a technique would consist of a number of general steps.

The diagram 7.1a below here illustrates these steps and their respective outputs.
Diagram 7.1a: Prototyping process

The establishment of the prototype objectives is a very crucial stage in the whole process. It is actually the prototyping plan that leads to an executable model (Sommerville 2001). The prototype objective for this project was to design a log on user interface that uses recognition as authentication. The evaluation report indicated that the model was friendly to use as compared to the conventional normal textual based password systems. The prototype in this project was used as a tool to determine the requirement analysis. Some of the benefits that accompanied this approach included the following: a) A working , albeit limited system (prototype) is available quickly for demonstration to management b) Incomplete or inconsistent requirements can be identified a the prototype is developed during the iterations c) Any missing user services can be detected. d) Any misunderstandings between the users and the developers can be identified as the system functionality is demonstrable e) Difficult to use or confusing user services may be identified and refined
. The success of every project depends on the management process of that particular project. Projects draw a lot of resources and therefore require a disciplined management approach. It has been known that projects fail because of lack of a disciplined approach to the process. Project management is the practice of managing the time, quality, resources and cost of a project to ensure success (Visitacion 2003). Research shows that projects fail due to poor planning and unclear or fuzzy requirements. This results in a chain reaction resulting in poor productivity. All projects attract some amount of pressure and uncertainty as a result of factors external to the project such as economic uncertainty or pressure from the stakeholders of the project to derive optimal value. Reduced budgets or leaner staff may not adequately address the problems in these projects. The secret therefore lies with a strong project management process which is key to better application development. Even in accelerated cycles such as RAD planning and management of best practices should be exercised. In accelerated cycles successful planning is likely to focus on drawing boundaries to create a prioritized set of deliverables to be released during the iterations. Project management as a process is normally under challenge especially in regards to finding and documenting a repeatable process which can later serve as the blueprint to be references by other departments of the organization (Visitacion 2003). The project management process here draws from the best practices. The Project Management Body of Knowledge (PBMOK) a project management standards guideline highlights thirty seven key processes to consider in project management. This project made use of the best practices to ensure a successful delivery of the proposed system. The following practices were considered to ensure that he project was a success:
SCOPE: A feasibility study by the author / developer was carried out to gauge market potential, risks/benefits and technological impact before the project commenced. Based on the fact that normal textual password log on systems remain unfriendly and unpopular with the client (Kuwait military) ; and that security continues to be compromised , the market potential for picture based log on systems employing recognition rather than recall as the authentication principle was proving to be viable.
The benefit of this proposed system in terms of the usability and technological impact was positive. This project’s working was borrowing from biometrics. The project also attracted executive understanding due to the fact that observations pointed out log on systems that were rejected and therefore failed because during development human factors were neglected.
PLANNING: Comprehensive planning is critical to any project’s success even for the short development cycles like the one that was used for this project. Modelling is used to demonstrate deliverables in this case while keeping the team focused on specific issues (Visitacion 2003). The Joint Application Development (JAD) workshops were frequently held to brief and collect feedback from the stakeholders in the project. This helped everyone to understand how the project is progressing through the iterations. At the onset of this project a realism was maintained even in the planning for this project in order to determine the short term must haves and long terms. Timeboxing was one of those techniques that were used to keep delivery dates. During this project collective review sessions and prototyping were used to assess the requirements keeping the project team focused while managing end user expectations. Milestones were at two weeks since the project was running on a compressed life cycle. A deliverable from every iteration was reviewed after every two weeks. This was a necessary measure to provide opportunity for quick recovery should the project stray.
During the joint application development workshops all the relevant project status information was shared by use of emails and other project management tools.
EXECUTION / CONTROL: Typically the JAD workshops constituted of a small team of six people. The smaller the team the more the advantages in terms of effectiveness in communication and collaboration. Project progress status was kept open and user requirement management tools such as Telelogic Doors were suggested to track changes in the project scope while keeping critical additional information centrally stored (Visitacion 2003). As an effective control for this project process audits were employed where biweekly sessions were convened to check the status and progress of the project. The issue of concern during audits was actual progress versus work and cost estimates, overall quality and requirements measurements within the project scope. Due to the fact that this project was implemented in iterations a practice of change control was established to keep track of every increment within successive iterations. The scope of change for this project was established and managed through out the project. The user was closely informed of the changes in requirement at each of the iterations which was also demonstrated to them using the prototype. Documentation accompanying this process was generated. At every iteration it was deemed necessary that the user and developer collaborate to test for usability. This was necessary to ensure that the project was meeting deliverables and hence production ready. The project dedicated a lot of the total time approximately thirty percent to user acceptance testing in order to check or minimize post production problems.
Prior to the closure of any project a concise implementation procedure needs to be developed. A step by step implementation plan covering installation requirements and an accompanying documentation for this project was developed. Mechanisms for a post mortem were clearly laid down and agreed upon between the developer and user. It was also agreed that project success assessment would be carried out at several intervals after implementation to measure how well the project meets the expectations. Today’s system development process is focusing on speed as an essence of the whole process due to the volatile nature of user requirements (Jalote, P., Palit, A., Kurien, P & Peethamber, T. 2000). This is especially true for iterative development approach which requires that functionality is delivered in segments. These segments or parts are well thought out at project initiation and will suitably correspond to a milestone or deliverable within the project progress. These deliverables must be able to fit within a time box which is a defined duration of time. Time boxing is also considered as an effective way to manage risks during project progress. (Jalote et al 2000). Each iteration of the development process can be done in a time box which is normally of fixed duration. For this project the duration was set at two weeks. For large projects an elaborate concept called pipelining to time boxing is adopted to ensure that the project is delivered on time. In this approach a number of time boxes are executed concurrently thereby slashing the delivery time for the product. Consider a time box of three stages as an example. When the requirements team has finished the requirements for time box 1, the requirements are handed over to the build team. At the same time the requirements team commences work on time box 2 which after completion is handed over to the build team, next the team proceeds to time box 3 a processes known as pipelining.

The diagram below illustrates pipelining concept in time boxing.
Diagram 7.1b: Executing the timeboxing by pipelining

|REQUIREMENTS |BUILD |DEPLOY |

|REQUIREMENTS |BUILD |DEPLOY |

|REQUIREMENTS |BUILD |DEPLOY |

Source: Jalote et al. Timeboxing: A process model for Iterative Software Development (p6) http://www.cse.iitk.ac.in/users/jalote/papers/Timeboxing.pdf The concept of using time boxes for iterative processes continues to elicit debate among developers. However in all these debate time boxing as an approach has been proven suitable for medium sized projects which have a stable architecture and have a lot of feature requirements that are not fully known and keep evolving and changing with time (Jalote et al 2000).
The time boxing approach also requires that a number of practical issues be addressed. In order to determine the number of stages within a time box the nature of a project must be considered. A general project management model involves the application and integration of the project management process which includes initiating, planning, executing, monitoring and control and project termination or closure. Rapid application development model of management is based on the concept that in particular situations a solution that is 80% usable can be produced in 20% of the total time (Sommerville 2001). RAD ensures fast efficient and accurate system development. While employing this methodology there is generally and improved user and developer cooperation, commitment and communication. This will also result in improved documentation. Computer Aided Software Engineering (CASE) technology, prototyping, application and report generators expediting the design process. RAD focuses on four main components namely methodology, people, tools and management. With RAD such powerful tools as application generators, form/screen generators, fourth generation languages (4GLs), relational or object oriented database tools and CASE tools can be used (Sommerville 2001). It is also vital to have a committed and focused management.
At the onset RAD focuses on requirements planning which is a typical step within any project. The main deliverable of this step is the project definition which is a definition of the project. During this step the project management procedure is produced. In this document issues such as scope, quality, risk and communication are addressed. Considerably less time is required to plan due to the fact that the project carries forth in manageable portions.
The analysis phase follows next whereby the requirements which are at a higher level are captured. The focus at this particular time here is the main features and functions of the proposed system. It is imperative to note that the requirements at this stage need not be approved by the user. The reason for this is that the RAD approach allows changes to user requirements as the project progresses (Mochal 2001). This will normally be delivered in the iterations. However good practice here dictates that as much user requirements as can be gathered are captured at this stage. The requirements gathered at analysis leads to a high level prototype. The first time may consist of a series of screen shots modelling the process. At this point databases calls or programmed logic may not be necessary, what is presented is just a shell. During this time also decisions on issues such as technology and tools to use are considered. This must be determined because the prototype at this initial stage may lead directly to a solution. At the initial prototyping phase the developer should maximize the amount of content reused which will reduce or keep new construction at minimum (Mochal 2001). For evolutionary the initial prototype will be used to gather more detail from the user based on their requirements. A school of thought here is that a user on seeing the prototype will conceptualize and reassess the initial requirements. On receiving the modified requirements from the user, the developer makes the updates to the prototype in order that it reflects the modified requirements. Iterative methodologies such as RAD require that the process mentioned afore is repeated at least twice. Prior to these iterations the developer and user must agree on how many iterations would do (Mochal 2001). Conclusively the programming, testing and design of the solution is derived from the prototype as the start point. On the other hand if this is a throwaway prototype it will be discarded but the captured requirements will be used to develop a new system from scratch.
RAD’s final step is implementation which will proceed conventionally.
Rapid application development as an approach consist of a family of various methodologies.
7.1.1 Extreme Programming (XP) This is a software development methodology intended to improve quality and responsiveness to the changing user requirements. Extreme programming (XP) supports frequent releases in short development cycles what is typically known as timeboxes (Beck 1999). This approach is meant to improve productivity and establish checkpoints at which new user requirements can be added. Extensive code review and unit testing of all code; programming in pairs are some of the elements typical to XP. Extreme programming approach advocates the deliberate delay of certain system features until that time that they are actually needed. There is also a high expectation of changes in the user requirement even as the project progresses on implying that the problem can be understood better. Extreme programming (XP) encourages frequent communication between the user and developer (Beck 1999).
The diagram 7.1c illustrates extreme programming
Diagram 7.1c. Extreme Programming (XP)

Source: http://en.wikipedia.org/wiki/File:Xp-loop_with_time_frames.svg
Extreme programming (XP) describes four basic activities.
CODING: XP adherents lay a great emphasis on code during system development. The coding of a developer’s thoughts is not uncommon in XP as such.
TESTING: The surest way of ensuring that a function works is to test it. The XP perception is that more testing will eliminate more flaws. Testathon which is a term used to describe collaborative testing approach is a common phenomenon in XP. Test are typically unit and acceptance. The former is carried out to determine that a given feature works as intended. The latter verifies that requirements as understood by the developer actually satisfy the user requirements.
LISTENING: Developers in XP must develop a keen ear for user and business logic needs.
DESIGNING: Designing in XP ascribes to the coding principles of coupling and cohesion. The bias here is to a highly cohesive unit that is loosely coupled.
On the other hand Extreme programming (XP) has five underlying values which include the following:
COMMUNICATION: XP techniques are viewed as methods for rapidly building and dispersing knowledge among the team of developers. The main aim here is to give the development team a shared view.
SIMPLICITY: Extreme programming advocates that the project begin with the simplest solution with extra functionality being added through iterations later.
FEEDBACK: With extreme programming approach three feedback views are vital (Larman &

Basili 2003). Feed back from the system which is arrived at through unit testing. The feed back from the team when users come with new requirements. Feed back from the user which is captured during functional or acceptance test.
COURAGE: Courage will enable the XP developers to comfortably re-factor their code if necessary or knowing when to throw away code that is obsolete no matter the effort used to develop it.
RESPECT: An XP requirement is that a programmer should never commit changes that break compilation delaying other peers. The basis of XP’s principles are feedback, embracing change and simplicity.

7.1.2 Scrum Development

This represents an iterative framework used in agile software development and project management. Scrum typically consists of sets of practices and predefined roles (Larman & Basili 2003). The scrum master has the responsibility of maintaining the process. The team in this case is a cross functional group constituting a number of people involved in the analysis, design, implementation and testing. a sprint within the scrum process is a two to four week period determined by the team by which time deliverable is produced. The features referenced within a sprint are determined from the product backlog which is a prioritized set of high level user requirements. These requirements are normally determined during the sprint planning session. These requirements remain frozen for a particular sprint (Larman & Basili 2003). Scrum principle is the recognition that user minds can change about whatever they want and need. Scrum advocates for the maximization of the team’s ability to deliver quickly and response to emerging user requirements. The product owner in the scrum team represents the user’s voice thereby projecting the business perspective. The rule here is that the product owner cannot be a scrum master. Every day of the sprint a project status meeting called a daily scrum takes place. During these meetings the scrum master facilitates resolutions of any impediments raised. A daily scrum lasts for fifteen minutes. Other types of meetings during this methodology include scrum of scrum, sprint planning meeting, sprint review meeting, sprint renew meeting and sprint retrospective.
Scrum consists of the following artifacts: • A product backlog which is a high level document for the entire project. This is normally the property of the product owner. • Sprint backlog which is a document containing information to guide the team o the implementation of the sprint that is upcoming. This is normally the team’s property. • Burn down chart which is publicly displayed illustrating remaining work in the sprint log. This chart is updated daily and indicates the progress of the sprint.
Some of the practices common to scrum will include the following: • Working more hours is not necessarily producing more output • The happiness in a team makes a tough task look simple.

7.1.3 Joint Application Design (JAD)

This is a process employed in the prototyping life cycle in the dynamic systems development method (DSDM) to collect user requirements.
Joint application design (JAD) consists of approaches to enhance user participation and expediting design (Davidson 1999). JAD advocates for workshops whereby knowledge workers and IT specialist meet to review user requirements for the system. The key participants in JAD are the executive sponsor who may be the system owner. A facilitator also belongs to this team and they are also called session leaders who generate the agenda. A facilitator is normally a passive member. The team also has the scribe or documentation expert who will normally record or publish the meeting proceeding at every session. This one is also a passive member of the team. JAD also constitutes observers who are members of the development team assigned to the project.
Joint application design typically consists of the following key steps: 1) Identifying project objectives and limitations 2) Identifying the critical success factors of the project 3) Defining project deliverables 4) Point out the schedule of the workshop activities 5) Recruit the participants 6) Prepare the workshop materials 7) Plan the workshop activities and exercises 8) Formally equip the workshop participants.
One advantage of JAD is that it leads to a more accurate statement of the system requirements and a better understanding of the common goals with a stronger commitment to project success (Wood & Silver 1995).
A typical drawback of this approach however is the likelihood of promoting inter-personal conflict which may affect project delivery.

7.1.4 Agile Software Development

This refers to a group of software development methodologies base on iterative development. Agile methods advocate a leadership philosophy encouraging team work, a disciplined project management approach promoting inspections and adaptations, a set of the development’s best practices which allow for rapid delivery of quality software and a business approach aligning the process to user needs and organizational goals (Cohen, Lindvall & Costa 1995).
The agile manifesto principles consists of the following values: - Response to change over following a plan - Individuals and interactions over tools and processes - User collaboration over contract negotiation - Working software over comprehensive documentation
The agile software development approach lays emphasis on the following points: - The face to face conversation is valued highly - Simplicity is encouraged - Self organizing teams are supported. - There is a regular adaptation to changing circumstances - A working software is the user’s measure of progress - Customer satisfaction through rapid delivery of useful software continuously - Working software is delivered frequently in weeks rather than months. The agile methods break down tasks into small increments. These increments have minimal planning and do not involve the long term planning. The plan covers requirements analysis, design phase, coding unit and acceptance testing whereby the working model is delivered to the stakeholders (Cohen, Lindvall & Costa 1995). . Team composition in agile projects is usually cross functional in nature and the approach emphasizes face to face communication. Every agile team will have a user representative appointed by the stakeholders. A typical agile team has between five and nine people working in a single office. Iteration reviews focus on return on investment and alignment to user needs and company goals as well. In agile software development approach, time periods are measured in weeks. The overall implication of agile software development is that completely developed and tested features which maybe a subset of the system are produced every few weeks (Cohen, Lindvall & Costa 1995). . The product is improved through periodic releases.

7.1.5 Lean Software Development (LSD)

This is the equivalent of lean IT and lean manufacturing in principles or practices for the software development process. Lean principles propose the following points: - Elimination of waste such as unnecessary functionality or code, unclear requirements, bureaucracy, delays and slow internal communication (Poppendieck & Poppendieck 2003). - Encouragement of learning where the best way to improve a software development environment is to strengthen and encourage learning processes - Speeded delivery which ascribes to the fact that the sooner the product, the sooner the response from the user which becomes the input for the next iteration. - Empowering the team using workout technique where developers speak to managers explaining what actions to take and suggestions for improvement. This is a kind of reversed role playing. The developers will need access to the user and it is expected that the team leader provide the support (Poppendieck & Poppendieck 2003). - Building integrity within based on the fact that a user’s overall experience of the system is the perceived integrity. Conceptual integrity is considered as well which in this case involves a view of how separate components work well together especially in the area of efficiency, maintainability, reliability and responsiveness. This will entail understanding and addressing the whole problem domain. - Deciding as late as possible ensuring that as much as possible decisions are delayed until they can be made based on facts and not on uncertain predictions or assumptions.

7.2 Software Development Methodology

The evolutionary prototyping approach was used for this project where by the initial prototype designed to elicit user requirements was refined during consecutive iterations until a final system was delivered.
This diagram 7.2a here below illustrates the evolutionary prototyping approach

Diagram 7.2a: Evolutionary prototyping

Source: I. Sommerville 2001. Software Engineering 6th Ed. London: Pearson Education (pg 409)

Typically rapid application development will start at the preliminary data and business model development while using the structured techniques. The user requirements are then verified using the prototype. This is done to refine the process and data models. This stage of development is iterated a number of times resulting in a combination of the business requirements with the corresponding design statements. These statements will be used to construct the new system eventually. This project being a typical web based application will heavily rely on the RAD approach. RAD was a response to non agile methodologies of the 1970s and 80s. These were the structured systems analysis and design methodology (SSADM) and other water fall methodologies. The main shortcomings of these non agile methodologies is the fact that it takes so long to build a system. This delay results in unusable systems which were delivered against requirements which had greatly changed. These non agile methodologies also assumed that a step wise requirement analysis phase was adequately able to identify the critical requirements of the system. However this has been proved to be highly unlikely even for those project that are making use of professional and experienced manpower.
Prototypes as a technique in RAD are suitable for eliciting user requirements especially so for web applications much as the one in this project In recent years agile and web engineering methods have gathered widespread acceptance. Agile methods commence coding earliest while they have shorter requirements engineering as well as less documentation (Ambler 2002). For instance considering Extreme Programming (XP) paradigm, the implementation of the code will progress in small increments and iterations (Beck 1999). Small releases are delivered to the user after each development cycle. Extreme programming will often fail to collect user data starting coding based on assumptions of the user needs. Development in small increments works well as long as the focus is not on the human computer interaction aspect. The changes to the software architecture has no impact on what a user interacts with or sees. Software engineering and human computer interface design are trying to come up with a shorter market times whereas quality of the software to be delivered need not suffer. However the continued shortening of the life cycles poses a greater challenge to methods and tools applied as well and the project management process as well. This has resulted in the adoption of agile usability engineering (AUE) a light weight approach to system development. Constantine and Lockwood (1999) as practitioners became pioneers of the agile usability engineering (AUE) approach to human computer interface design. These pioneers believed that relying heavily on user needs and feedback resulted in the narrowing of the design space. The resulting risk in this case was that designers developed what the users wished for as opposed to what the users really needed. This portrays iterative rapid prototyping as a trial and error approach that may never result in an optimal solution. This was especially the case where there are many stakeholders with too many opinions and influence on the design process.
Constantine and Lockwood proposed a usage centred approach rather than a user centred approach. For the usage centred approach the basis is laid on abstract models to define the user content and tasks. Users continue their involvement in the overall project life time as resources of information and validation.
The table 7.2a here below shows the comparison between user and usage centred design
Table 7.2a: User centred versus usage centred design.
|User Centred Design |Usage Centred Design |
|Focus is on the user |Focuses on usage: |
|Users’ experiences and satisfaction |Improved tools to support task accomplishment |
|Driven by user input |Driven by models and modelling |
|Substantial user involvement: |Selective user involvement: |
|Users’ studies |Explorative modelling |
|User participation in design |Model variation |
|Users’ feedback |Usability inspection |
|Users’ testing | |
|Designing by iterative prototyping |Designing by modelling |
|Highly varied informal or unspecified process |Systematic fully specified process |
|Design by trial and error evolution |Design by engineering |

Source: Thomas Memmel. Agile Usability Engineering www.interaction-design.org/.../agile_usability_engineering.html
Adapted from: Constantine Larry L. and Lockwood, Lucy A. D. (2002): Usage-Centered Engineering for Web Applications. IEEE Software Magazine, 19 (1) pp. 42-50

8.0 Specifications

Being the network systems administrator the author of this project encountered first hand how the normal textual based password system caused a great challenge for the users within the military organization. It was a general observation that these conventional log on system was not providing the necessary security. While carrying out a more detailed analysis of the cause of this problem the developer of the proposed system discovered that the users here were not an exception, that in fact all users who encountered normal textual based system encountered some form of difficult that actually limited the usability of the system. The very fact that users seemed to make weak passwords such as 0000 or 1234 was a general trend across for all users of such systems. Presumably their confidence was not based on the strength of the password but the ease with which they could remember these seemingly weak passwords.
The author of this project realized that most certainly that these systems posed a mental load challenge to the user and that one corrective measure would be to use passwords that were easy for the user to recall yet strong enough to secure the system.
The author of this project then carried out a general research as an analysis an realized that picture based password systems had a higher percentage usability as compared to normal textual based password systems. It was generally discovered during this analysis that most people had a high appeal for visual content and therefore it would be much easy for the author who also was the developer of the proposed system to derive a solution along this line of thought. The proposed system would allow the user on initial log to submit a set of five pictures to the system. The system administrator would upload these pictures against their username in the system. On eventual log on processes the system would present a challenge set a grid of about thirty pictures among which a user had to successfully choose their set of five to ensure successful authentication and log on.
It was realized that the proposed system elicited a larger positive user response (80%) while at the same time providing a secure password. Time and cost constraints hampered a detailed research. The proposed system can still be adaptively maintained to improve its usability while not compromising the security. It can be concluded that overall this project was a success.

9.0 Analysis and Design

Kuwait located in the rich oil Middle East is fast transforming into a modern state in many aspects. The globalization momentum that is touching on every nation has not by passed Kuwait with the need for integration in the economic sector. Growing international partnership continues to spur Kuwait’s growth and modernization. Levels of education here continue to improve with primary and secondary education being state sponsored and compulsory
No wonder Kuwait is ranked 29th on the Human Development Index (HDI) by UNESCO which is highest among other Arab countries. Post secondary and tertiary education has steadily been rising through secondary enrolment far surpasses this number. The government of Kuwait is therefore encouraging citizens to opt for vocational training programs to fulfill the demand for skilled workforce. With this in mind the trends and growth in information and communication technology is still variably low. This is due to the fact that a small population opt for vocational and tertiary training where upon such skills and training can be found. While looking at the nation at large and the military in particular the author of this project realized that the low education and low technology levels continued to hinder the usage of information technology to streamline processes within the military. Serving at the network security administration position at Kuwait military organization the author observed that the security of the organization was being compromised when users used easy passwords such as 1234 or 0000 to log on to the system. The main reason was that the traditional password system was cumbersome procedure and this coupled with low levels of technology and education greatly eroded usability of the system. The analysis by the author of this project conclusively identified that Kuwait military needed a security system that would make users to choose more secure passwords. This was based on the findings through interviews and observations by the author of this project. A more friendly system was needed to reduce the user’s mental load which was greatly challenged by the use of the normal textual based password log on system. Because of the fact that a large number of people appeal and react to visual content more positively the author of this project envisaged that a picture password log on system would be usable and secure for the military organization. Being a web based application the author of this project drew out a low fidelity prototype of the proposed system. With this drawing the author began to elicit user requirements. In order to acquire a wider consensus concerning the picture based password log on system the author generated a brief questionnaire (see appendix) and posted copies by email to thirty different respondents in various departments of the organization. A sample of the response can be found in the appendix section of this document. The questionnaire results showed that 80% (24) of the 30 participants agreed that the use of the normal textual based password log on systems to on line and database sites was a cumbersome process because they needed to remember all the different passwords for the different sites. The low fidelity paper based prototype also attracted responses of desirable features that were incorporated in the skeletal model that was produced at the design phase.

9.1 Findings

Similar key inputs: When this system is compared against a password system that only employs the alphabets and digits this picture based system offered dissimilar key inputs as the password system. This is not a big impediment for recall based systems such as the one being developed in this project. However the exclusion of such key inputs will contribute to the system’s future success.
Prohibition of key input appearing more than once: For text based systems one can use one key input more than once. This is not possible for this system, the user selects from different pictures. However the success rate for the use of this system remained high. It may therefore not be necessary to allow for repetition of the key inputs in order to form a key in the picture based system so as to achieve high success.
In terms of favoured key inputs: Both appealing and meaningful key inputs are key to usability success. In recall based systems users will choose passwords most often with personal meaning or those they understand. It is highly likely that for this picture based systems users will choose a picture that is most appealing and most meaningful to them.
In terms of time consumed: Both picture based and password based systems take relatively the same time for key creation process. However based on the functionality of this system where a picture was loaded after another to complete the whole picture sequence, this was time consuming but the system could be adapted to improve the process.

In terms of ease of use: The questionnaire reveals that 24 of the 30 participants find picture based systems easy to use. The 20% who think otherwise had a number of factors that were also consider in this study: i) They were used to the password and PIN systems (the short testing period was not sufficient enough to change their mind) ii) The fear for shoulder surfer attacks
In terms of partial and precise recall:
Since picture based systems depend on recognition and recall (two senses here) this may be reason behind the high success of the picture based systems as compared to the recall systems.
9.2 Observation
On selecting the picture password most of the participants relate the pictures to real world objects. It can be concluded that picture based systems depend on recall and recognition. When the system presents the challenge set from which the user can pick their pictures image recognition is applied. However the user must recall their pictures while they perform the authentication. The use of rapid application development (RAD) approach to develop this system entailed that t the initial onset a low fidelity paper based model be used to capture the user requirements. The initial feedback resulted in a restructuring of the prototype to correctly positions the buttons and understand the event procedures such as click. The paper based prototype was transformed into an on line model that had no background functionality as such. Further user testing was carried out to gather whatever features the user wanted added.
More features were added to the skeletal model and it was once again subjected to user testing. However due to the time limits the resulting prototype was transformed through evolutionary prototyping into the web based application. The database was created and the database constraints set. The website was then linked to the database for the final test run. Real test data was used in this case to get the real world working of the picture password based log on system.

9.3 Database Development Methodology.

The steps in a database development approach include requirement elicitation, logical, conceptual and physical modelling. The requirement elicitation step will involve identifying key technical requirements. This is usually by formal and informal interaction between the developer and users. One key aspect of this step is the determination of the scope of the universe of discourse (UOD) to be covered by the proposed database system. Conceptual modelling consists of building models of the real world in terms of data requirements (Nijssen & Haplin 1989). In view modelling we develop an application data model relating to a business area. In view integration we take several of these distinct views in order to produce an integrated data model. A Logical model represents the real world in terms of the data model principles. Physical modelling will involve the construction of a model of the real world in terms of data structures and access mechanisms mapped on a chosen DBMS. Physical modelling involves two distinct sub processes. These processes are physical database design and database implementation (Davies 2001). Database implementation process will involve acquiring output from the physical design and implementing it as in the plan of a chosen DBMS Object oriented database systems will require existence of persistent objects. In object oriented programming languages objects exist only for the span of program execution. In object oriented database systems objects have a life in secondary storage over and above the execution of programs. An OO database is made up of objects and object classes linked through a number of abstraction mechanisms. An object is a package of data and procedure. Data are contained in attributes of an object. Procedures are defined by an object’s methods. Methods are activated by messages passed between objects (Davies 2001). An OO data model must provide support for object identity which is the ability to distinguish between two objects with the same characteristics. All objects must demonstrate encapsulation which is the process of packaging together of data and process within a defined interface and controlled access across that interface. An object class defines a group of similar objects. It is used to define attributes, methods and relationships common to a group of objects. Object is therefore instances of some class. Object classes define the intension of an OO database the central topic of database design (Davies 2001). Objects define the extension of an OO database which is core to database implementation. An object data model supports two mechanisms allowing the database builder to construct hierarchies of lattices of object classes. Two such abstraction are generalization and aggregation. Implicit in the construction of object classes is the support for abstraction mechanism of generalization allowing for the declaration of certain objects classes as sub classes of other (Davies 2001). Aggregation is the process in which a higher level of object is used to group together a number of lower level objects.
Inheritance is either structural or behavioral. In structural inheritance a sub class inherits the attributes of the super class. In behavioral inheritance a sub class inherits the methods of the super class.

10.0 Implementation

The implementation of this project relied mostly on the open source software. The process started by drawing the UML diagrams of the system (See appendix). This involved analyzing the interactions that were observed while testing the low fidelity prototype, which resulted in a use case diagram for the system. The author of this project then proceeded to create the class diagram. However due to the fact that no financial funding is available for this project, the developer used a free program called XAMPP. Where X refers to cross platform which implies it can be used on almost any operating system. A stands for Apache an open source internet information service. M stands for MySQL an object oriented database model that is open source, P for PHP and P Perl which are open source programming languages. This program was chosen because it is less bulky and can install the Apache and MySQL server on a normal laptop. It became imperative that a website coded using the programming language PHP with Apache server as the internet information service was needed. This program enabled the developer of this project who is also the author to code and test the proposed PHP based system on a Mac platform. Furthermore, a database to store all the information about the users and their pictures was implemented. The author used Enhanced Entity
Relational Modeling to understand the requirements of this database and how to define the relationships between the various entities within the system. This was followed by the coding and testing of the system. This process was carried on iteratively with every new user functionality being added as a piece of code. The process continued until time limits were reached. Then finally, after several attempts and hours of trouble shooting of the code used, the author of this project developed the interface where a user first registers as a new user after which they can uploads five pictures as the password for the account.

11. Evidence

The discipline of project management was applied during the development of this project. It was necessary to manage the main project inputs cost, quality, resources and time optimally in order to ensure the overall project success. An effective project plan was mooted and strictly adhered to. A work breakdown structure was used to ensure that tasks were accomplished effective and timely contributing to the overall success of this project.
The work breakdown structure for this project is summarized below:

11.1 Picture based password log on system for the Kuwait Military

Work breakdown structure / Task specification
Planning
1. Comprising of interviews and analysis to develop an understanding of the current system and user needs. This will take an estimated 3 weeks. 1. Interviews and questionnaires for up to thirty participants who are potential users of the system prepared and dispatched. This will take one week. 1. Responses from the interviews and questionnaires received and scrutinized to determine the requirements of the user of the proposed system
Site Design 2. This contains the mock ups – the low fidelity paper based prototype. The site design work will construct a visual model or prototype upon which the log on website will be build. This will take 4 weeks 1. This consists the translation of the low fidelity paper based prototype into a skeletal system. This process will take 1 week. 1. Graphical design techniques are used to add style and feel to the skeletal in 2.1. based on user response during the first iteration testing. 2. Enhancement of graphical design after further user input as concerns such issues as click procedures and button positions on the log on web page form. This will take 1 week Site map creation 3. Design meant to display in a hierarchical diagram which is the overall structure of the web based application defining the major sections of the picture based password log on system. This process will take 2 weeks. Template and page development 4. This involves the design of the log on pages and templates for the picture based password log on system. This involves coding in PHP to generate the templates and testing the pages after applying the templates to these particular pages. This process will take 6 weeks 1. Designing the relationship with external elements such as the database and other systems like the internet information services and the operating system. This will take 2 weeks to complete. 1. Coding in PHP to connect to these external elements, to the database using MySQL and activating Apache as the internet information service module. Integrating this with the Mac operating system on the test hardware platform (laptop). This process will take 4 weeks

Database integration 5. This will involve integrating the log on web pages with the MySQL database as back end and the process will take 2 weeks. 1. Execution of test cases after the implementation of the database integration procedure as iteration testing 2. This process will take 2 weeks. Implementation 6. This involves the work of changing over to the use of a picture based password log on system after the uploading of the necessary files subsequent iteration testing 3 is carried out. This process will take 2 weeks. Requirement Completion Report 7. This report to be prepared indicating that user requirements have been adequately addressed and the picture based password log on system is ready for handing over to the user (Kuwait military) organization.

12. Discussion

Verification and Validation For iterative processes such as that which was used for this project verification and validation becomes an ongoing process throughout the whole project. Verification is to assure that the software components of the system are meeting the specified requirements. These requirements will consist of functional specifications, architecture, design models, test cases and standards (Wallin 2002). Validation demonstrates that a component fulfills its intended use within the intended environment.
The diagram 12a below shows the general verification and validation model that formed the basis for validation and verification within this project.
Diagram 12a: Verification and validation model

Source: http://www.buzzle.com/editorials/4-5-2005-68117.asp
For verification inspections and tests are used as techniques while validation can also be through tests (Wallin 2002) The tests can be manual or tool based and will broadly focus on white box and black box testing. The former looks at the code while the latter tests for functionality. Validation and verification remain major activities in software development and while the verification effort is largely reduced a lot of valuable project time is gained and this can be achieved when the developed components project the right functionality and quality with supportive documentation (Wallin 2002). The overall measure of the success of this implementation was based on the factors reliability, completeness, maintainability and timeliness. The implemented system was found to satisfy about 80% for each of these metrics strengthening the conclusion that the proposed system was effective in addressing the initial user requirements.

13. Evaluation

Considering that this project was addressing a real life challenge within the Kuwait military as an organization and that the developer of the system was advantageously placed as the network administrator to elicit and understand the user requirements, this implementation was considered a success at its first stage implementation. However more effort towards user training was necessary to ensure that the picture based password log on system that was developed would attract more approval and confidence among the users. Therefore the efforts to popularize the system will continue after implementation to ensure that a large user bracket was considered. The user response during this process will continue to be monitored and more enhancements can be incorporated in later releases of the system. These enhancements together with those gathered at analysis and could not be immediately addressed for the sake of fulfilling the project requirement within a tightly stipulated time limit can still be incorporated as future adaptive maintenance especially so the issue concerning shoulder surfing threats to the system (Lashkari, Zakaria, Saleh & Farmand 2009). However the overall view is that the implementation of the proposed system was 80% successful. The system was able to interface with other external systems such as the database effectively.
XAMPP an open source development package platform was considered appropriate for this project because of the high initial capital investments that would be incurred if closed licensed software was employed. Testing was basically manual based though tool based approaches would also have been employed if it was not for the financial constraints encountered during the development of the project.

14. Conclusion

Summary

Following the test results from the various iterations, the low fidelity paper based prototype evolved through the various phases to finally become a functional web based application that was tested with live data to study the success rate.
Due to the fact that this was a new concept the user was initially reserved in its users however after a reasonable trial period user confidence was established and the system was chosen over the normal textual password system as the questionnaire results indicate (see appendix)
There appeared to be some impediments that limited the usability of the system especially so the fact that a page needed to be loaded each time for each of the five pictures from which the user wished to collect from. This greatly slowed down the key creation process. An issue of shoulder surfer attacks was also raised at this point. The responses and reactions during this process were noted and documented and would be used for future adaptive maintenance process of the system. Apparently shoulder surfer attacks remain a real challenge for security systems.
Conclusion
Normal textual based password systems have affected usability a great deal. Users understand how much weight system security attracts but they also are in dilemma on how best to maintain and manage their passwords. Most naturally users want personalized password systems which they can easily adapt to and operate. However this is not always the case and hence usability and security are aspects on the opposite sides of the same coin. However efforts continue to be madder by system developers to try and make these systems usable by combining the recall and recognition process. This was the approach that was employed for this project. The developer of this system having been in a position as a system administrator to administer user rights on the organization’s (military) system noted with concern how the normal textual based password system was an impediment especially at log on procedures.
Due to the fact that users desired minimal mental load they would choose very weak passwords which compromise the system’s security. Whenever the organization’s password policy was enforced the user with a stronger password was compelled to write it down for ease of recall. However this made the system more and more vulnerable to attacks because then the written password would be accessed by unauthorized system users. The main issues that were at play in this scenario were at play in this were usability and security and how both can be implemented. At face value the author of this project noticed there being a need for usable security implementation. Graphical password or picture based passwords seemed a likely solution to the challenge faced by the users of normal textual based passwords. This proposition was aimed at ensuring that users adapted more secure passwords while reducing the mental load challenge. The level of success of the picture based password system is a clear indication of how system developers can improve usability especially for log on system by making use of picture based password systems where a user submits a sequence of known pictures as that password for authentication. The system developed here is still in its infancy and further research and development is needed to result in the most optimal picture based password log on system

14.1 Recommendation

The biggest drawback for picture passwords is the shoulder surfing problem (Sobrado & Birget 2002). One of the possible ways of solving the shoulder surfing problem is the adoption of the triangle scheme. For this project a picture and symbol X modification should be adopted to inhibit shoulder surfing threats.
Applying the triangle scheme a geometric configuration can be established. This scheme uses intersection of the invisible lines drawn out by the set of pass pictures chosen out of the total number in the set. The user will click near the intersection of the two of the invisible lines which is inside the convex quadrilateral resulting from the set of pass objects.
If N is the total number of pictures within a set and K is a subset of the chosen pictures then for N = 1000 and K = 10, the shoulder surfer may not have enough computer memory to execute a search attack on such a system.

15. References

Ahmed, N & Jensen, C. (2009). A mechanism for identity delegation at authentication level –

Identity and Privacy in the Internet Age. pg 148-162

Ambler, S.W. (2002).Agile Modelling. New York: Wiley & Sons

Amowitz, J., Arent, M. & Berger, N. (2006).Effective Prototyping for Software makers:

Interactive Technology. San Francisco: Morgan Kaufmann.

Badre, N.A. (2002). Shaping Web Usability: Interaction Design in Context. Boston: Addison

Wesley

Beck, K. (1999).Extreme programming explained: Embrace change. Reading, MA: Addison-

Wesley.

Constantine, L & Lockwood, L. (2002).Software for use: A practical Guide to the models and

Methods of usage centred design. New York: ACM Press.

Cranor, F.L. & Garfinkel, S. (2005).Security and Usability: Designing secure systems that

people can use 1st Ed. Cambridge: O’Reilly Media.

Davidson E.J. (1999).Joint Application Design (JAD) in practice. Journal of Systems &

Software, 45, 3, pg 215-223.

Davis B. P. (2001). Database Systems .3rd Ed.Hampshire: Palgrave Macmillan.

Dhamija, R & Perrig, A. (2008) D´ej`a Vu: A User Study Using Images for Authentication

SIMS / CS, University of California Berkeley. Retrieved 23rd June 2010

from http://people.ischool.berkeley.edu/~rachna/papers/usenix.pdf

Dix, A., Finlay, J., Abowd, D., & Beale, G. (2003).Human Computer Interaction 3rd Ed. Upper

Saddle River: Prentice Hall.

DOD Password Management Guideline (1985). National Computer Security Center CSC-STD-

002-85

Garfinkel, S. (2002).Web Security, Privacy and Commerce 2nd Ed.Cambridge: O’Reilly Media.

Hong, L & Jain, K (1998). Integrating faces and fingerprints for personal identification:

IEEE Trans. Pattern Analysis Machine Intelligence. Vol. 20, pp. 1295-1307.

IBM Design (2010). Retrieved on 23rd June 2010

from http://www-01.ibm.com/software/ucd/designconcepts/designbasics.html

Jain, K & Ross, A. (2004). Multibiometric Systems: Appeared in Communication of the

ACM, Special Issue on Multimodal Interfaces, Vol. 47, No.1, pp. 34-40

Jalote, P., Palit, A., Kurien, P & Peethamber, T. (2000).Timeboxing a process Model for Iterative

Software development. Retrieved on 23rd June 2010

from http://www.cse.iitk.ac.in/users/jalote/papers/Timeboxing.pdf

Johnston, J, Eloff, J.H. & Labuschagne, P. (2003).Security and Human Computer Interface:

Computer security Vol.22, 8, pg.675 -684.

Kuniavsky, M. (2003). Observing the User Experience: A Practitioner’s Guide to User

Research, San Francisco, CA: Morgan Kaufmann.

Larman, C & Basili V. (2003). IEEE Computer Society. Iterative development: A brief

History.36. (6). Pg 47-56

Mandler, J.M & Ritchey, G.H. (1997).Long Term Memory for Pictures: Journal of Experimental

Psychology: Human Learning and Memory. Vol.3, pg.386-396

Martin, J. (1991).Rapid Application Development. Palgrave: Macmillan Coll Div.

Mayhew, D.J. (1999). The Usability Engineering Life Cycle: A Practitioner’s Guide to user

interface design. Massachusetts: Morgan Kaufmann Publishers.

Memmel, T. (2010).Agile Usability Engineering. Retrieved on 25th June 2010

from http://www.interaction-design.org/.../agile_usability_engineering.html

Memmel, T, Riterer, H & Holzinger, A. (2010) Agile methods and visual specification in

Software development: A chance to ensure universal success. pg 454-462

Mochal, T. (2001) Examining the life cycle of a RAD project. Retrieved on 23rd June 2010

from http://articles.techrepublic.com.com/5100-10878_11-5035295.html

Nielsen, J. (1999).Designing Web Usability 1st Ed. Berkeley: Peachpit Press.

Nijssen G.M & Haplin A.T. (1989) Conceptual Schema and Relational Database Design: A

fact oriented approach. Upper Saddle River: Prentice Hill

Password policy (2010). Retrieved on 23rd June 2010

from http://www.comptechdoc.org/independent/security/policies/password-

policy.html

Pejas J & Piegat A. (2004) Enhanced Methods in Computer Security, Biometrics and Artificial

Intelligence, New York: Springer

Poppendieck M & Poppendieck T. (2003).Lean Software Development: An Agile toolkit.Upper

Saddle River: Pearson Education

Preece, J., Rogers, Y., Sharp, H., Benyon, D., Holland, S. & Carey, T. (1994).Human Computer

Interaction & Design (ICS). Reading: Addison Wesley

Rapid Application Development. (2009). Retrieved on 25h June 2010

from http://www.hit.ac.il/staff/leonidm/information-systems/ch32.html

Real User Corporation (2001). The Science behind passface. Retrieved on 23rd June 2010

from http://www.realusers.com

Sasse, M., Brostoff, S & Weirich, D. (2001).Transforming the ‘weakest link’-a human computer

interactions approach to usable and effective security: BT Technical Journal Vol. 19,122-

131.

Sears A & Jacko, A.J. (Ed) (2007) A Handbook for Human Computer Interaction 2nd Ed.

Boca Raton: CRC Press

Security and usability. (2002). Retrieved 25th June 2010

from http://www.watsonhall.com/methodolog y/security-usability.pl

Shneiderman, B. (1998). Designing the User Interface: Strategies for Effective Human Computer

Interaction Reading, MA: Addison-Wesley

Lashkari, H.A.,Zakaria, O.,Saleh,R & Farmand, S.(2009)Shoulder surfing attack in password in

Graphical password authentication: JCSIS- International Journal of Computer Science

and Information Security Vol. 6,2,145 -154

Smith, R.E. (2006).The Strong Password Dilemma. Retrieved on 23rd June 2010

from http://www.smat.us/sanity/

Smith, R.E. (2001) Authentication: From passwords to public keys – Green light. Upper Saddle

River: Addison -Wesley

Sobrado L & Birget, J. (2002) Graphical Passwords: The Rutgers Scholar. Vol 4. Retrieved on

23rd June 2010

from http://rutgersscholar.rutgers.edu/volume04/sobrbirg/sobrbirg.htm

Software verification & validation Model - An Introduction.(2005). Retrieved on 25th June 2010

from www.buzzle.com/editorials/4-5-2005-68117.asp

Sommerville, I (2001). Software Engineering 6th Ed. London: Pearson Education

Tampa Company using biometrics to secure computer systems. (2010) Retrieved on 25th June

2010 from http://www.tbo.com/news/

TK Strategies Project Management (2010). Retrieved on 23rd June 2010

from http://tk-strategies.com/16-RAD-vs-GralPM.html

Vistacion, M (2003).Planning Assumptions: Project Management Best Practices: Key processes

and common sense. Pg 1-6

Wallin, C. (2002).Verification and Validation of Software Components and Computer Based

Software Systems: Industrial Information Technology Software Engineering Process

Research. ABB Corporate Research, pg 29-37

Wayne, J., Gavrila, S., Korolev, V., Ayers, R. & Swanstrom, R. (2003). Picture Password: A

Visual login technique for mobile devices. Pg.1-16

Wickens, C.D. (2004). An Introduction to Human Factors Engineering (2nd Ed),

Upper Saddle River, NJ: Prentice Hall.

Wood J. & Silver D. (1995).Joint Application Development 2nd Ed. San Francisco: John Wiley &

Sons

Zelkowitz, M.(2004). Advances in Computers: Volume 62: Advances in software

Engineering. London: Academic Press.

Appendix

A DIAGRAM ILLUSTRATING LEVEL ONE USE CASE FOR THE PICTURE BASED PASSWORD LOG ON SYSTEM

Case Text:

1. User logs on to the system 2. User is presented with a 30 picture grid to choose from and generate the key 3. User identifies their uploaded pictures to generate the key 4. Selected pictures are authenticated 5. User is granted access to the system

Extensions

1a. User uploads five pictures into the database to form part of the 30 picture grid

A CLASS DIAGRAM ILLUSTRATING THE PICTURE BASED PASSWORD LOG ON SYSTEM

A SEQUENCE DIAGRAM ILLUSTRATING THE SEQUENCE DIAGRAM FOR THE PICTURE BASED PASSWORD LOG ON SYSTEM

BLANK QUESTIONNAIRE Computer System Usability Questionnaire

Participant’s name: This questionnaire gives you an opportunity to tell us your reactions to the picture based password log on system you used. Your responses will help us understand what aspects of the system you are particularly concerned about and the aspects that satisfy you.
To as great a degree as possible, think about all the tasks that you have done with the system while you answer these questions.
Please read each statement and indicate how strongly you agree or disagree with the statement based on the scale.
If a statement does not apply to you, indicate under the comments.
You may also write comments to elaborate on your answers.
As you complete the questionnaire, please do not hesitate to ask any questions.
Thank you!

1. Overall, I am satisfied with how easy it is to use this system STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
2. It was simple to use this system STRONGLY AGREE [pic]1 [pic]2 [pic] 3 [pic] 4 STRONGLY DISAGREE COMMENTS:
3. I could effectively complete the tasks and scenarios using this system

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
4. I was able to complete the tasks and scenarios quickly using this system

STRONGLY AGREE [pic]1 [pic] 2 [pic] 3[pic] 4 STRONGLY DISAGREE COMMENTS:
5. I was able to efficiently complete the tasks and scenarios using this system.

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic] 4 STRONGLY DISAGREE COMMENTS:
6. I felt comfortable using this system

STRONGLY AGREE [pic] 1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
7. It was easy to learn to use this system.

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
8. I believe I could become productive quickly using this system.

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
9. The system gave error messages that clearly told me how to fix problems

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
10. Whenever I made a mistake using the system, I could recover easily and quickly

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
11. The interface of this system was pleasant. STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
12. I liked using the interface of this system STRONGLY AGREE [pic]1 [pic] 2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
13. This system has all the functions and capabilities I expect it to have. STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
14. Overall, I am satisfied with this system STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
15. I would recommend this system software to others. STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
16. Please list the three things you liked most about this system software.

1.
17. Please list the three things you liked least about this system software

1.

FILLED QUESTIONNAIRE

Computer System Usability Questionnaire

participant's name: Java Johnnie This questionnaire gives you an opportunity to tell us your reactions to the picture based password log on system you used. Your responses will help us understand what aspects of the system you are particularly concerned about and the aspects that satisfy you.
To as great a degree as possible, think about all the tasks that you have done with the system while you answer these questions.
Please read each statement and indicate how strongly you agree or disagree with the statement based on the scale.
If a statement does not apply to you, indicate under the comments.
You may also write comments to elaborate on your answers.
As you complete the questionnaire, please do not hesitate to ask any questions.
Thank you!

1. Overall, I am satisfied with how easy it is to use this system STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS: Yes am satisfied
2. It was simple to use this system STRONGLY AGREE [pic]1 [pic]2 [pic] 3 [pic] 4 STRONGLY DISAGREE COMMENTS: Yes it was simple though need more training
3. I could effectively complete the tasks and scenarios using this system

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS: Effectively able to complete tasks
4. I was able to complete the tasks and scenarios quickly using this system

STRONGLY AGREE [pic]1 [pic] 2 [pic] 3[pic] 4 STRONGLY DISAGREE COMMENTS: Took a bit of time because it was new to us
5. I was able to efficiently complete the tasks and scenarios using this system.

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic] 4 STRONGLY DISAGREE COMMENTS: Likely to be more efficient with continued use
6. I felt comfortable using this system

STRONGLY AGREE [pic] 1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS: Use of pictures instead of textual passwords was more friendly
7. It was easy to learn to use this system.

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS: Easy learning easy on the mind
8. I believe I could become productive quickly using this system.

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS: Only if we have user training well organized
9. The system gave error messages that clearly told me how to fix problems

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS: I was not able to see any error messages
10. Whenever I made a mistake using the system, I could recover easily and quickly

STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS: Being keen it was not easy to make an error
11. The interface of this system was pleasant. STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS: Was pleasant and conducive to use
12. I liked using the interface of this system STRONGLY AGREE [pic]1 [pic] 2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
13. This system has all the functions and capabilities I expect it to have. STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
14. Overall, I am satisfied with this system STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
15. I would recommend this system software to others. STRONGLY AGREE [pic]1 [pic]2 [pic]3 [pic]4 STRONGLY DISAGREE COMMENTS:
16. Please list the three things you liked most about this system software.

1. simplicity 2. ease of use 3. easy to learn
17. Please list the three things you liked least about this system software

1. cannot use personalized pictures 2. likelihood of shoulder surfer attacks

A GENERAL DIAGRAM ILLUSTRATING THE MAIN TASKS AND ESTIMATED TASKS FOR THE PICTURE BASED PASSOWRD LOG ON SYSTEM

|JUNE 2010 |JULY 2010 |AUGUST 2010 |

Project Management

Validation testing

PLANNING

SITE DESIGN

SITE MAP CREATION

TEMPLATE & PAGE DEVELOPMENT

Iteration 1

Iteration 2

DATABASE INTEGRATION

Iteration 3

IMPLEMENTATION

REQUIREMENT COMPLETION REPORT

-----------------------
Prototyping
Plan

Evaluate prototype

Develop prototype

Define prototype functionality

Establish prototype objectives

Outline definition

Executable prototype

Evaluation report

Build prototype system

System adequate?

Use prototype system

Refine prototype system

Deliver
System

Develop abstract specification

SOFTWARE

TB1

TB2

TB3

[pic]

[pic]

[pic]