Human-centric security design: U3 concept

This step focuses on the human-centric aspect of online security: User, Usage and Usability (U3).
© RMIT 2023

The U3 (user, usage, and usability) concept is an academic, research-based approach to security design.

Human-centric cyber security is an intangible concept that is difficult to define because of the inherent connection between humans, technology, and security systems. It also focuses on studies that specifically illustrate the shift in paradigm from functional and usage-centred cyber security to user-centred cyber security by considering the human/psychological aspects of users.

Grobler, Gaire and Nepal (2021) propose redefining human-centric cyber security based on their research of studies that illustrate the shift to user-centred cyber security. They propose the concept of 3 U’s (user, usage, and usability) as three essential components for cyber security consideration. These components are not exhaustive representations of human-centric cyber security but are regarded as particularly important since they represent the multi-dimensionality of the cyber security context.

  • Users: User components consider humans interacting with the cyber systems for legitimate purposes. Examples: Demography & Culture, Situational Awareness, Psychology & Behaviour, Cognitive Factors
  • Usage: Usage components are mainly concerned with the functional aspects of technological and non-technological measures that are put in place to protect users against known security threats. Examples: Functional Measures, Technical Measures, Legislation, Regulation & Policies
  • Usability: Usability components consider how well the actual user can use the system. Examples: Experience factors, Interaction factors

The U3-based conceptual model extends the application-centric principles discussed earlier by getting security designers to take a user-centric approach, which further strengthens security by design and makes it more realistic and meaningful.

Grobler, Gaire and Nepal (2021) consider this approach to be a paradigm shift from the traditional view of human-centric cyber security, helping to overcome the barriers between user, usage, and usability to better meet security needs. The diagram below further illustrates how the concept can be applied to achieve this objective.

[Figure: The traditional view of human-centric cyber security (one-size-fits-all systems) compared with the paradigm shift in human-centric cyber security (customisable and tailored systems). The infographic shows designers and developers working with both users and cyber security experts to develop a cyber security system. Source: Grobler, Gaire and Nepal, 2021]

The following outcomes can be achieved through the application of the U3 concept:

  • The real-time nature of cyber threats requires that humans not become bottlenecks. Therefore, security departments need to communicate more with users to fully adopt a user-centred security design approach.
  • Cyber security awareness should not be targeted at general end-users (in the traditional sense, referring to the system end-user or general end-user) alone. Instead, it should be regarded as a multi-way communication among general end-users, security experts and system developers.
  • The cyber system (through the system designer) needs to be aware of user factors to accommodate user needs in delivering usable cyber security systems, i.e. the system developer needs to ask themselves: Have I considered all types of users who may interact with this system?
  • It is important to understand specific user traits that would help identify user-related vulnerabilities. Such multi-way communication is the only way to achieve system-centric or user-centric and proper human-centric cyber security design.


Read the following article for detailed information on U3 human-centric cyber security:

This article is from the free online course Security by Design.
