usable security it isn't secure if people can't use it mwux 2 jun2012


Upload: darren-kall

Post on 01-Nov-2014


DESCRIPTION

This is one of a pair of talks. This one encourages the UX community to get involved in security products and security aspects. It outlines how UX skills can help make security more secure by making it more usable. It challenges the UX community to adopt "security thinking" because it stretches the traditional boundaries of UX focus. Security products and security issues do not get enough attention from user experience. Yet user experience is at the root cause of many, if not most, security issues. The weakest link in security is not technology but the gap between technology and people. The developer, IT implementer, administrator, and end-user each create vulnerabilities if the system wasn’t designed to be usable for each of them. Technology, policies, management and metrics all improve with a user-centric approach that merges development, security implementation and monitoring with usability. It isn't secure if people can't use it. ™

TRANSCRIPT

Page 1: Usable security   it isn't secure if people can't use it mwux 2 jun2012

UX Review1 Usable Security

@darrenkall #secux #mwux12

Usable Security

It isn’t secure if people can’t use it.

Darren Kall – Midwest UX 2012

KALL Consulting

customer and user experience design and strategy

20-min version: 2Jun2012

@darrenkall #secUX #mwux12

Page 2

There are some UX people focusing on security UX

But not enough

Because we don’t see it as our problem

It is our problem

We can’t solve all the problems

We may be the only people who can help

Not enough Usable Security

Page 3

Founded the Windows Security UX team

Founded the Windows Security Assurance team

GPM of the Windows Core Security team

GPM of the Microsoft Passport UX team

GPM of the Microsoft Passport front-end PM team

Founded the MSN-client security and privacy teams

Worked on designing the security for the AT&T phone system for the White House

InfoSec Credentials

Page 4

Apology to ~900 Million people

I’m sorry. (repeated across the whole slide)

Page 5

Spoke at an InfoSec conference in 2012: encouraged them to adopt a UX approach

Speaking to you at Midwest UX 2012: encourage you to focus on security

Weak on the encouragement side

Scare you

Bookend Talk

Page 6

Mobile device malware increased 1,200% in 1Q 2012

Cybercrime in 2011 had more revenue than the international illicit drug trade

US Treasury reports 100’s of billions lost per year due to security breaches

2011 mobile app market = 8.5 B

2016 projected mobile app market = 46 B

2011 tablet and smartphone market = 190 B

2015 saturation

Security incidents increase: Overall US 2011 = 77%, Federal (5 years) = 650%

GNP growth 2012 = 2.4% - 3%

Scary stuff first

Page 7

Increased cloud usage

Increased mobile usage

“New” web tech: HTML 5, CSS3, etc.

More powerful access to data

Social, geolocation, connectedness …

Hacktivism

Government to government attacks - cyberwar

Etc.

Why will it continue to get worse?

Page 8

Short and sweet hacking career

Caught by US military IT security forensics team

No charges

Just wanted to know how a graduate student in New Hampshire got into a secure military network in Colorado

Never asked me why

Never asked about problem solving

Did not take a UX approach

Hacker Credentials

Page 9

Current meme

“The system would be secure if we just got rid of the people.”

Every IT person who ever worked on security

Page 10

In a way – they are right

The problems with people

Limited decision making skill

Limited number crunching

Emotional responses

Limited Memory

Limited ability to visualize

Easily deceived

Limits to vigilance

“Imperfect” cognitive models

Cognitive biases

Too busy

Not tech savvy

Don’t understand security

Fear negative outcomes

Don’t respond quickly enough

Lazy

Page 11

Security issues are human issues

Human issues are UX design issues

Security issues are UX design issues

Page 12

UX design has the techniques and skills to solve security issues

But there’s a catch

Systems are secure only if every aspect of the end-to-end system can be used

UX Wheelhouse

Page 13

End-users

Product and features

Trending tech/industries

Critical path – core aspects

Traditional UX focus

Page 14

Go beyond traditional UX

Adopt “Security Thinking”

To improve security

Page 15

Security UX is not just end-users but every human in the end-to-end system

Go beyond end-users

Page 16

Go beyond end-users

Product Managers, Business Analysts, System Designers, Program Managers, Project Managers, Developers, Testers, Marketing, Sales, etc.

End-users, Installers, Administrators, Hackers, Trainers, Maintenance, Monitoring, Forensics, Deprecation

Page 17

Security UX is not just the product and features but every interaction with the end-to-end system

Go beyond the product

Page 18

Go beyond the product

Installation, Uninstall, Purchase, Supply chain, Relationship, Trust, Predictability, Availability, etc.

Product, Documentation, Customer Support, System logic, Cognitive Model, Perception, Services, Updates, Upgrades

Page 19

Security UX is not just trending technology or industries but every component in the end-to-end system

Go beyond trending tech

Page 20

Go beyond trending tech

NFC, Voice, Gestures, “Old” Tech, “Old” industries, Existing tech, etc.

Trending Tech / Trending Industries: Mobile, Touch computing, Social, Social gestures, Healthcare, Big data, Green

Page 21

Security UX is not just the critical path and core aspects but every deep detail of the end-to-end system

Go beyond the critical path

Page 22

Go beyond the critical path

Training, Vigilance, Awareness, Alerting, Adoption, Usage, Proper configuration, Errors, etc.

Critical path: Data sharing, Profile, Passwords, Management, Purchasing, Billing, Customization, Returns

Page 23

When going beyond traditional UX could have helped security

Examples from 2011

Page 24

Problem: issued fraudulent certs

UX root cause: people are easily deceived

Result: employees were socially engineered

UX solution: improve the system, process, probes, teaching, etc. so that employees can run confidence tests on applicants

Comodo Cert Auth

Page 25

Problem: hackers had access to issue their own certs

UX root cause: people can’t perceive patterns over broad data

Result: breach not in admin awareness for some unknown duration

UX solution: pattern recognition, visualization of data

DigiNotar

Page 26

Problem: DigiNotar had no easy way to revoke certs

UX root cause: people are susceptible to impact bias (a cognitive bias in estimating outcomes), so no user scenario was prepared for cert revocation

Result: even after the breach was identified, there was no easy way to stop the certs

UX solution: lifecycle interaction flow design, unbiased risk evaluation

DigiNotar
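As an added example (not code from the talk, and nothing to do with DigiNotar's actual systems), the two gaps on slides 25 and 26 expressed as a check an operator could run: a few pattern rules over a certificate issuance log so that unexpected issuances surface without anyone having to spot them in a wall of rows, and a revocation registry so that "stop these certs" is one bulk call rather than an unplanned scramble. The log records, account names, customer domains and business-hours window are all constructed assumptions.

```python
"""Issuance-log monitoring and bulk revocation for a small certificate authority.

Added example, not code from the talk or from any CA: every record, account
name, customer domain and threshold here is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed issuance log: serial, issuing account, subject name, issue time (UTC).
ISSUANCE_LOG = """\
1001,ra-alice,shop.example-customer.nl,2011-07-05T10:12:00
1002,ra-bob,portal.example-customer.nl,2011-07-05T14:40:00
1003,ra-alice,mail.example-customer.nl,2011-07-06T09:05:00
1004,svc-ghost,*.example-webmail.com,2011-07-10T03:17:00
1005,svc-ghost,login.example-portal.com,2011-07-10T03:18:00
1006,svc-ghost,*.example-updates.org,2011-07-10T03:20:00
1007,ra-bob,intranet.example-customer.nl,2011-07-11T11:00:00
"""

KNOWN_ACCOUNTS = {"ra-alice", "ra-bob"}          # operators allowed to issue (assumed)
CUSTOMER_SUFFIXES = ("example-customer.nl",)     # domains the CA has customers for (assumed)
BUSINESS_HOURS = range(8, 19)                    # 08:00-18:59 UTC (assumed)


@dataclass
class Issuance:
    serial: str
    account: str
    subject: str
    issued_at: datetime


@dataclass
class Finding:
    serial: str
    reasons: List[str]


def parse_log(text: str) -> List[Issuance]:
    """Parse the comma-separated log into records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        serial, account, subject, ts = line.split(",")
        issued = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        records.append(Issuance(serial, account, subject, issued))
    return records


def in_customer_base(subject: str) -> bool:
    """True if the subject (wildcard prefix removed) sits under a customer domain."""
    name = subject.lstrip("*.")
    return any(name == s or name.endswith("." + s) for s in CUSTOMER_SUFFIXES)


def detect_suspicious(records: List[Issuance]) -> List[Finding]:
    """Apply the pattern rules; each record can trip several of them."""
    findings = []
    for r in records:
        reasons = []
        if r.account not in KNOWN_ACCOUNTS:
            reasons.append("unknown issuing account")
        if not in_customer_base(r.subject):
            reasons.append("subject outside customer base")
        if r.issued_at.hour not in BUSINESS_HOURS:
            reasons.append("issued outside business hours")
        if reasons:
            findings.append(Finding(r.serial, reasons))
    return findings


class RevocationRegistry:
    """Revoked serials with the reason each was pulled; the data a CRL would publish."""

    def __init__(self) -> None:
        self.revoked: Dict[str, str] = {}

    def revoke(self, serial: str, reason: str) -> None:
        self.revoked[serial] = reason

    def revoke_all(self, findings: List[Finding]) -> int:
        """Bulk-revoke every flagged serial; returns how many were revoked."""
        for f in findings:
            self.revoke(f.serial, "; ".join(f.reasons))
        return len(findings)

    def is_valid(self, serial: str) -> bool:
        return serial not in self.revoked

    def crl_entries(self) -> List[str]:
        return sorted(self.revoked)


if __name__ == "__main__":
    flagged = detect_suspicious(parse_log(ISSUANCE_LOG))
    registry = RevocationRegistry()
    registry.revoke_all(flagged)
    for f in flagged:
        print(f"serial {f.serial} revoked: {', '.join(f.reasons)}")
```

The rules are deliberately simple; the point is that each one turns a judgement a tired administrator would have to make by scanning rows ("does this account exist?", "is that one of our customers?", "why was this issued at 3 a.m.?") into something the system answers for them, and that the revocation path exists and is exercised before it is needed.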

Page 27

Problem: data breach 77 Million ID thefts

UX root cause: people are susceptible to confirmation bias – they see what they want to see

Result: did not perceive risk and made poor security choices, insufficient maintenance of patches

UX solution: processes that remove biased decision making from product usage

Sony

Page 28

Problem: data breach 77 Million ID thefts

UX root cause: overconfidence in decision making, provoked the hacker community

Result: hackers accepted the invitation

UX solution: hacker persona profiling as part of IT decision making

Sony

Page 29

Problem: ~150,000 corporate video systems set to auto-answer allowing spying

UX root cause: status quo bias and poor risk assessment skills

Result: the implications of the default configuration were overlooked, and systems were not deployed within secure corporate networks

UX solution: interface alerts, configuration defaults, and awareness training for implementation staff

H.323 Protocol
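An added example, not part of the talk: one way to turn the "interface alerts, configuration defaults" solution above into a check the implementation staff actually see, instead of relying on someone noticing that auto-answer was left on. The Python audit below reads a constructed endpoint inventory, flags auto-answer by where each endpoint sits, and states the settings it would push back. The inventory format, device names, addresses and corporate address ranges are assumptions for illustration, not any vendor's real export.

```python
"""Audit video-conferencing endpoints for auto-answer left enabled where it can be reached.

Added example, not code from the talk: the inventory format, device names,
addresses and the corporate address ranges are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory export: name, IP address, auto-answer, mute-on-auto-answer.
INVENTORY = """\
boardroom-1,10.20.1.15,on,off
boardroom-2,10.20.1.16,on,on
exec-suite,203.0.113.40,on,off
lobby-display,203.0.113.41,off,off
lab-codec,192.168.5.9,off,off
"""

# Address space the organisation treats as its secured internal network (assumed).
# An endpoint outside these ranges can be dialled directly from the Internet.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Endpoint:
    name: str
    address: ipaddress.IPv4Address
    auto_answer: bool
    mute_on_auto_answer: bool


@dataclass
class Finding:
    name: str
    severity: str
    message: str


def _flag(value: str) -> bool:
    return value.strip().lower() == "on"


def parse_inventory(text: str) -> List[Endpoint]:
    """Parse the comma-separated export, skipping blank lines."""
    endpoints = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, addr, auto, mute = line.split(",")
        endpoints.append(Endpoint(name, ipaddress.ip_address(addr), _flag(auto), _flag(mute)))
    return endpoints


def is_internal(address: ipaddress.IPv4Address) -> bool:
    return any(address in net for net in CORPORATE_NETS)


def audit(endpoints: List[Endpoint]) -> List[Finding]:
    """Flag auto-answer settings whose exposure the installer may not have considered."""
    findings = []
    for ep in endpoints:
        if not ep.auto_answer:
            continue  # calls must be accepted by a person; this setting adds no exposure
        if not is_internal(ep.address):
            findings.append(Finding(ep.name, "high",
                "auto-answer enabled on an endpoint outside the corporate network: "
                "a call from outside is picked up without anyone in the room accepting it"))
        elif not ep.mute_on_auto_answer:
            findings.append(Finding(ep.name, "medium",
                "auto-answer enabled without mute: an internal caller hears the room "
                "before anyone has noticed the call"))
    return findings


def hardened_settings(ep: Endpoint) -> Dict[str, str]:
    """Recommended values: auto-answer only inside the corporate network, and always muted."""
    return {"auto_answer": "on" if is_internal(ep.address) else "off",
            "mute_on_auto_answer": "on"}


def summary(text: str) -> Dict[str, str]:
    """Endpoint name -> severity, for a one-line console report per finding."""
    return {f.name: f.severity for f in audit(parse_inventory(text))}


if __name__ == "__main__":
    endpoints = parse_inventory(INVENTORY)
    for f in audit(endpoints):
        print(f"[{f.severity}] {f.name}: {f.message}")
    for ep in endpoints:
        print(f"{ep.name}: recommended {hardened_settings(ep)}")
```

The severity split mirrors the slide's root cause: the high finding is the one nobody looked at because the default "just worked", and the check makes the network position of the device, not the feature itself, the thing that decides whether the setting is acceptable.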

Page 30

You can make a huge difference in solving the human aspects of security issues.

Challenge

Page 31

Thank You

We’re glad to help your product become more usable and more secure.

We’re hiring UX contractors and freelancers.

Security UX Daily Paper.li • http://is.gd/kdcf0p

Darren Kall @darrenkall • +1 (937) 648-4966 • [email protected] • http://www.slideshare.net/DarrenKall

Page 32

Media Credits

Man drawing: Patty Borgman

Scared woman: http://www.etftrends.com/2010/06/safe-haven-bear-etfs-lead-asset-grab-may/

Beer: http://www.bestfreeicons.com/c47-3d-icons-0.html