COM00189M
MEng Degrees in Computer Science
MSc in Advanced Computer Science
MSc in Artificial Intelligence
MSc in Cyber Security
MSc in Human-Centred Interactive Technologies
Open Assessment
Department Computer Science
Module Technology in Context (TECC-M) Title Individual Coursework Assessment
Issued: Monday 17th February 2025
Submission due: 12 noon, Monday 19th May 2025
Feedback and Marks due: Monday 23rd June 2025
Word limit Page limits for each element of each question are given in the text of the questions below. The total limit for the assessment is 15.5 pages of A4, excluding reference list. Please
note that. For Question 1, the page limits given are generous, to allow for diagrams, screenshots etc.
Allocation of Marks Please see the detailed description for each question below.
Instructions
This is an anonymous assessment. Do not include your name, student number or any other identifying information in the submitted material (including metadata).
Answer all questions. The assessment consists of three questions, each of which has multiple subparts. After each question, you will find a mark breakdown. At the end of the paper, you will find detailed marking criteria for each question. You should read these elements carefully while answering each question.
All submissions must be presented in Arial font, font size 12, single-spaced.
All pages must be numbered.
You must include a reference list at the end of the assessment.
All students must submit their answers through the appropriate VLE submission point in the Assessment area of the VLE site by 12:00 noon on Monday, 19th May 2025. An assessment submitted after this deadline will be marked initially as if it had been handed in on time, but the Board of Examiners will normally apply a lateness penalty.
Your attention is drawn to the section about Academic Misconduct in your Departmental Handbook.
Any queries you may have on this assessment must be posted on the Discussion Board on the Virtual Learning Environment (VLE) page for TECC in the appropriate discussion area. No questions will be answered after Friday 9th May 2025.
Question 1 [50 marks]
Question 1.1 [6 marks]
(i) Identify an interactive system that you use regularly which is known (from your experience or that of other people) to have usability problems that provoke errors. The system should be sufficiently complex that it supports multiple functionalities by which users can achieve their goals. It can be either a software- based system or the interface to a domestic appliance (such as, for example, a cooker or microwave).
(ii) Provide a short description of the system and its basic functionality, including any photographs, screenshots or illustrations necessary for the examiners to understand the functionality and context of use, as well as key tasks that a user would wish to carry out with the system.
NOTE: There is no requirement for your chosen system to be a safety-critical or safety- related system. What is important is that it is a system that you use regularly and are familiar with.
NOTE: Please ensure that you understand the whole of Question 1 before you choose your interactive system.
Your answer to Question 1.1 should not exceed 3 A4 pages, including illustrations but excluding references.
Question 1.2 [10 marks]
(i) Write a list of FOUR significant human factors concerns in the design of the
interactive elements of the system you describe in Question 1.1 (ii).
(ii) For EACH of the concerns you list, explain how the design would cause a human user to make errors in attempting to use the system. You should indicate the type of the problem, and the types of the errors provoked, using the human error classification introduced during the module, and should briefly indicate the consequences of the errors.
You should refer to the literature in your answer.
Your answer to Question 1.2 should not exceed 1 A4 pages, excluding references.
Question 1.3 [10 marks]
(i) Give a brief account of the required characteristics (i.e. any physical constraints on the user required by the system, cognitive requirements, any training) for a target user of this system and identify a high-level task which a user would use the system you describe in Question 1.1 (ii) to achieve.
(ii) Decompose this task into a series of actions, using a Hierarchical Task Model. You should present your model graphically, using the notation introduced during the module. Your model should show at least three levels of decomposition from the user goal you identify in Question 1.3 (i). The objective of the Hierarchical Task Model is to identify individual actions which the user undertakes (individual button pushes etc), and these should form. the lowest level of your analysis.
Your answer to Question 1.3 (i) should not exceed ½ of an A4 page.
Your answer to Question 1.3 (ii) should not exceed 3 A4 pages. Note that landscape pages are a good idea. One A3 page counts as 2 A4 pages.
Question 1.4 [18 marks]
(i) Undertake a HEART analysis of the interactive system for the task that you
identified in Question 1.3 (ii). Your answer should include the following:
a. Any assumptions you make about the characteristics of the user;
b. Any assumptions you make about the context in which the task is being undertaken;
c. Your initial task classification, and why you consider this to be appropriate;
d. What performance-shaping factors you choose to include in your analysis, and why you consider them to be appropriate;
e. Your rationale for the relative weightings of the performance shaping factors you included;
f. Your calculation of the probability of failure for the target user for the task identified in Question 1.3 (ii).
(ii) Do you think the figure for the probability of failure produced in your HEART
analysis is reasonable, given the usual expectations for human error occurrence in tasks of this kind? Are there issues with the HEART technique which might account for some problems with the final figure? Explain your answer.
Your answer to Question 1.4 should not exceed 1.5 A4 pages.
Question 1.5 [6 marks]
Imagine that you have been asked to perform. a human factors analysis of a new system, where a doctor (skilled in medical knowledge, and in general IT, but not familiar with the workings of AI) uses an AI-based recommender system to ascertain the most likely medical diagnosis from a series of symptoms. The interface the doctor uses is voice-based: the doctor describes the symptoms to the system, and the system responds with an on-screen, prioritised list of likely conditions.
You are not sure that HEART is suitable for analysis of this type of system, and decide to investigate other techniques for human factors analysis.
(i) Give a brief description of TWO other techniques for human factors analysis
that you have identified in the literature. Explain the key features of the techniques and give brief examples to illustrate your discussion.
(ii) Which of these techniques do you think is most appropriate for analysis of the AI-based recommender system described above? You should justify your answer with respect to the kind of human factors issues the technique is likely to uncover, and why these are particularly significant for the safety of the system in the context described above.
You should refer to the literature relating to safety analysis techniques for human factors to support and justify your answer and should also provide references for any additionalinformation you provide about the nature of the system introduced in this scenario.
Your answer to Question 1.5 should not exceed 1 A4 page.
|
Allocation of Marks for Question 1:
Question 1.1 (i) and (ii): Up to 6 marks will be awarded for the selection and description of an appropriate interactive system, which is sufficiently scoped to allow for appropriate analysis.
Up to 1 mark will be awarded for the use of illustrations (screenshots, photographs, schematics etc) to support the description.
Up to 1 mark will be awarded for the identification and explanation of appropriate user tasks relating to the system. These explanations should be very general (detail of a task comes in later!)
Question 1.2 (i) and (ii): Up to 10 marks (2.5 for each concern) will be awarded for four correctly-identified human factors concerns relevant to the interactive system, and for a description of how the design of the system provokes errors in the user groups. Human errors described should be appropriately classified using the terminology introduced during the module.
Question 1.3 (i): Up to 2 marks will be awarded for a clear description of several relevant user characteristics, closely linked to the interactive system.
Up to 1 mark will be awarded for a clear description of an appropriately scoped user task.
Question 1.3 (ii): Up to 7 marks will be awarded for a clearly presented Hierarchical Task Model, which decomposes the user task to an appropriate level for analysis to be carried out. Marks are awarded for the accurate use of the HTM notation, and for phraseology of the subtasks, actions and plans.
Question 1.4 (i): Up to 4 marks will be awarded for a well-presented HEART analysis.
|
|
Up to 8 marks wiII be awarded for the justification of the methodoIogy adopted - assumptions made, initiaI task cIassification and performance-shaping factors.
Question 1.4 (ii) Up to 6 marks wiII be awarded for a cIear, weII-reasoned discussion of the finaI human error probabiIity, with reference to Iiterature and assumptions reIating to probabiIities for simiIar tasks. Marks wiII be awarded for a consideration of whether the way in which the method has been appIied has Ied to any issues with the finaI caIcuIated figure, and of the suitabiIity of the HEART technique for the target system.
Question 1.5 (i) Up to 4 marks (2 marks for each technique) wiII be awarded for a weII- researched and cIearIy presented description of two human factors safety anaIysis techniques, supported by cIear reference to reIevant Iiterature.
Question 1.5 (ii) Up to 2 marks wiII be awarded for a weII-reasoned discussion, which makes reference to the human factors issues which are IikeIy to be encountered in the question scenario.
|
Question 2 [24 marks]
Background
This question is based on the ransomware attack on Synnovis Limited in June 2024.
Synnovis is a pathoIogy Iaboratory which provides bIood tests to severaI Iarge NationaI HeaIth Service (NHS) and private hospitaIs in South-East London. These incIude some of the Iargest hospitaIs in London, with many thousands of patients, data being stored by Synnovis and transmitted when required to hospitaIs. It is essentiaI that hospitaIs have timeIy access to the bIood test information, for diagnosis of conditions, to inform. treatment decisions and to ensure that stocks of bIood of the correct type are avaiIabIe for patients undergoing surgery.
Throughout this question, imagine that you are the Chief Executive Officer (CEO) at Synnovis.
You have been contacted at home, Iate at night, by IT technicians at work in the company, and toId that Synnovis has been the subject of a ransomware attack. The computer system has been encrypted, and the hackers require a ransom to be paid. If you pay, they wiII suppIy you with a decryption key so that you can regain controI of the system and the data. If the ransom is not paid, the hackers have made cIear that patients, data wiII be pubIished on the Dark Web in four hours, time.
Question 2.1 [6 marks]
You have two basic choices, in response to the ransomware attack: either you pay the ransom, or you don,t.
For EACH of these choices, expIain the impact on Synnovis, on the hospitaIs and on individuaI patients.
Your answer shouId consider safety, privacy, operationaI and sociaI factors.
Your answer to Question 2.1 shouId not exceed ½ of an A4 page, excIuding any references.
Question 2.2 [10 marks]
Make a choice - either you pay the ransom, or you do not.
FOR THE CHOICE YOU HAVE MADE:
Write a short essay discussing your decision, from an ethicaI point of view.
You must make cIear which choice you have made, and shouId state why you consider it to be ethicaIIy defensibIe. Your answer shouId refer to at Ieast one of the professionaI ethics frameworks introduced during the moduIe, and shouId expIain which ethicaI principIes in the framework(s) are vioIated by your chosen course of action, and which are upheId. You shouId justify why you have prioritised the ethicaI principIes that you have in your decision.
Your answer to Question 2.2 shouId not exceed 1.5 A4 pages, excIuding any references.
Question 2.3 [8 marks]
(i) Write a short press reIease, in which you expIain the ransomware attack to the generaI pubIic (incIuding patients), the impIications for them and any actions that they shouId take in response to the situation.
Your answer to Question 2.3(i) shouId not exceed 1 A4 page, excIuding any references.
(ii) Write an emaiI to the other members of the Executive Board of Synnovis, in
which you expIain what has occurred, the decisions and actions you have taken and their impact. You shouId expIain why you feeI that what you have done is in the best interests of the company.
Your answer to Question 2.3(ii) shouId not exceed ½ of an A4 page, excIuding any references.
|
Allocation of Marks for Question 2
Question 2.1: Up to 3 marks are available for a discussion of the safety, privacy, operational and social implications of EACH of the choices – to pay the ransom, and not to pay the
ransom. (Total of 6 marks for the question)
Question 2.2: 1 mark is available for a clear statement of the decision made by the CEO. Up to 9 marks are available for a nuanced discussion of the ethical duties of the CEO (and, by
implication, Synnovis as a company), which justifies why their decision can be considered
ethical. The answer should refer to at least one of the professional ethics frameworks
introduced during the module, and should explain how the ethical principles are interpreted in the context of the scenario and why they can be considered to be upheld. The discussion should also make clear the decision-making process: i.e. the relative weightings of particular ethical principles from the frameworks, and why they have been prioritised. The discussion should be supported by well-scoped examples from the scenario.
Question 2.3 (i) Up to 3 marks are available for an appropriately-phrased press release
which explains the ransomware attack and how this affects the general public. Of the 3
marks, 1 are reserved for the style. and tone of the press release – i.e. choice of words, level of detail, suitability for the audience.
Question 2.3 (ii) Up to 3 marks are available for an appropriately-phrased email, which
explains the ransomware attack and its impact, and provides a justification of the decisions and actions taken by the COE. Of the 3 marks, 1 are reserved for the style. and tone of the press release – i.e. choice of words, level of detail, suitability for the audience.
|
Question 3 [26 marks]
The Freedonian People’s Health Service (FPHS) was impacted by the ransomware attack on Synnovis, and has commissioned you, as an independent cybersecurity advisor, to carry out an initial risk assessment study of FPHS’s own systems in order to identify other security risks which may be present.
Freedonia, as a small independent nation, about the size of Liechtenstein, has a national network of GPs and 4 main hospitals, sharing patient data via a central national database. All Freedonian medical providers have equipment and software provided by the FPHS and running over a private closed network. External providers, some in other countries, are permitted to connect to the FPHS system in order to provide care for Freedonian citizens who are resident in other countries via a web interface provided via a globally accessible portal. External providers are required to register in advance for access, but only require a HTTPS capable browser to interact with the system.
Using the process outlined in ISO/IEC 27005:2022, or similar, you have been tasked with identifying the top 5 risks to the FPHS IT system and proposing appropriate treatments, with a recommendation for preferred treatment in each case. You need to include a statement of any assumptions that you have made, and give an indication of how you have evaluated relative risk in order to establish your list. FPHS management have stated that you must include references to relevant literature about threats and vulnerabilities. You do not need to consider other external providers (e.g. lab services such as Synnovis), but should consider only the main FPHS patient data system.
You are to produce a short report (a single page of text), summarising your process and findings, but should also include up to 2 pages of lists and/or tables showing intermediate results from the stages of analysis process, and a further 1 page of bibliographic entries (list of references cited in your report).
Your answer to Question 3 should not exceed 2 A4 pages, excluding references.
|
Allocation of Marks for Question 3
Up to 25 marks in total are available for the security risk assessment report. The marks are broken down as follows:
|
|
- Up to 6 marks are available for a clear identification of FPHS security assets, which indicates the assumptions made and justifies the selection and prioritisation of the assets.
- Up to 5 marks are available for a discussion of the risk identification process, with clear relevance to the scenario in the question, and with reference to relevant literature.
- Up to 5 marks are available for a clear account of the risk analysis methodology,
including a justification of the method chosen and a discussion of the limitations of other available methodologies in the context of the scenario.
- Up to 5 marks are available for a clear account of the risk analysis results, including the consequences and likelihood of identified incident scenarios, with reference to relevant literature.
- Up to 5 marks are available for well-considered suggestions for treatment options for the risks that do not meet the risk acceptance criteria, including alternative options.
|