Users of modern-day systems must understand how these systems operate and their own role in protecting them. This requires a degree of security literacy, but, as with all literacies, it varies across the general population. Improving literacy takes time for learning and gaining practical experience, and that does not happen overnight. A two-pronged approach is therefore necessary: ensure that everyone who uses these systems possesses an appropriate level of security literacy, and design systems that are intuitive and usable by all users regardless of their level of security literacy. This paper aims to demonstrate that traditional requirements-gathering approaches often overlook important requirements related to security literacy. It does so through a case study of the development of a novel biometric e-ID across six cases in five European countries. To address this objective, the paper first synthesized elements from academic and gray literature to conceptualize security literacy. A co-design approach was then used to draft scenarios based on the six cases and to identify security-literacy-specific requirements. The paper presents a conceptual model of security literacy structured into pillars, core, and specialized knowledge areas and abilities. Using this model as an analytical lens, the paper presents six co-created scenarios and 11 security-literacy-specific requirements that were not captured by standard requirements-gathering approaches. The paper demonstrates that traditional requirements-gathering approaches can overlook important, nuanced requirements, particularly those relevant to user groups with lower security literacy. The model presented here helps identify requirements from a security literacy perspective, thereby enhancing users' security engagement and interactions.
Published in: Information and Software Technology
Volume 188, article 107891