Usable Security: It isn't secure if people can't use it (Midwest UX, 2 Jun 2012)
DESCRIPTION
This is one of a pair of talks. This one encourages the UX community to get involved in security products and the security aspects of every product. It outlines how UX skills can make security more secure by making it more usable. It challenges the UX community to adopt "security thinking", which stretches the traditional boundaries of UX focus. Security products and security issues do not get enough attention from user experience, yet user experience is the root cause of many, if not most, security issues. The weakest link in security is not technology but the gap between technology and people. The developer, IT implementer, administrator and end-user each create vulnerabilities if the system wasn't designed to be usable for each of them. Technology, policies, management and metrics all improve with a user-centric approach that merges development, security implementation and monitoring with usability. It isn't secure if people can't use it.
TRANSCRIPT
UX Review1 Usable Security
@darrenkall #secux #mwux12
Usable Security: It isn’t secure if people can’t use it.
Darren Kall – Midwest UX 2012
KALL Consulting: customer and user experience design and strategy
20-min version: 2 Jun 2012
@darrenkall #secUX #mwux12
There are some UX people focusing on security UX
But not enough
Because we don’t see it as our problem
It is our problem
We can’t solve all the problems
We may be the only people who can help
Not enough Usable Security
Founded the Windows Security UX team
Founded the Windows Security Assurance team
GPM of the Windows Core Security team
GPM of the Microsoft Passport UX team
GPM of the Microsoft Passport front-end PM team
Founded the MSN-client security and privacy teams
Worked on designing the security for the AT&T phone system for the White House
InfoSec Credentials
Apology to ~900 Million people
I’m sorry. (repeated to fill the slide)
Spoke at an InfoSec conference in 2012: encouraged them to adopt a UX approach
Speaking to you at Midwest UX 2012: encourage you to focus on security
Weak on the encouragement side
Scare you
Bookend Talk
Mobile device malware increased 1,200% in 1Q 2012
Cybercrime in 2011 had more revenue than the international illicit drug trade
US Treasury reports hundreds of billions lost per year due to security breaches
2011 mobile app market = 8.5 B; 2016 projected mobile app market = 46 B
2011 tablet and smartphone market = 190 B; 2015 saturation
Security incidents increase: Overall US 2011 = 77%, Federal (5 years) = 650%
GNP growth 2012 = 2.4% - 3%
Scary stuff first
Increased cloud usage
Increased mobile usage
“New” web tech: HTML 5, CSS3, etc.
More powerful access to data
Social, geolocation, connectedness …
Hacktivism
Government to government attacks - cyberwar
Etc.
Why will it continue to get worse?
Short and sweet hacking career
Caught by US military IT security forensics team
No charges
Just wanted to know how a graduate student in New Hampshire got into a secure military network in Colorado
Never asked me why
Never asked about problem solving
Did not take a UX approach
Hacker Credentials
Current meme
“The system would be secure if we just got rid of the people.”
Every IT person who ever worked on security
In a way – they are right
The problems with people
Limited decision making skill
Limited number crunching
Emotional responses
Limited Memory
Limited ability to visualize
Easily deceived
Limits to vigilance
“Imperfect” cognitive models
Cognitive biases
Too busy
Not tech savvy
Don’t understand security
Fear negative outcomes
Don’t respond quickly enough
Lazy
Security issues are human issues
Human issues are UX design issues
Security issues are UX design issues
UX design has the techniques and skills to solve security issues
But there’s a catch
Systems are secure only if every aspect of the end-to-end system can be used
UX Wheelhouse
End-users
Product and features
Trending tech/industries
Critical path – core aspects
Traditional UX focus
Go beyond traditional UX
Adopt “Security Thinking”
To improve security
Security UX is not just end-users but every human in the end-to-end system
Go beyond end-users
Go beyond end-users
Product managers, business analysts, system designers, program managers, project managers, developers, testers, marketing, sales, etc.
End-users, installers, administrators, hackers, trainers, maintenance, monitoring, forensics, deprecation
Security UX is not just the product and features but every interaction with the end-to-end system
Go beyond the product
Go beyond the product
Installation, uninstall, purchase, supply chain, relationship, trust, predictability, availability, etc.
Product, documentation, customer support, system logic, cognitive model, perception, services, updates, upgrades
Security UX is not just trending technology or industries but every component in the end-to-end system
Go beyond trending tech
Go beyond trending tech
NFC, voice, gestures, “old” tech, “old” industries, existing tech, etc.
Trending tech, trending industries, mobile, touch computing, social, social gestures, healthcare, big data, green
Security UX is not just the critical path and core aspects but every deep detail of the end-to-end system
Go beyond the critical path
Go beyond the critical path
Training, vigilance, awareness, alerting, adoption, usage, proper configuration, errors, etc.
Critical path, data sharing, profile, passwords, management, purchasing, billing, customization, returns
When going beyond traditional UX could have helped security
Examples from 2011
Problem: issued fraudulent certs
UX root cause: people are easily deceived
Result: employees were socially engineered
UX solution: improve the system, process, probes, teaching, etc. to allow employees to do a confidence test of applicants
Comodo Cert Auth
Problem: hackers had access to issue their own certs
UX root cause: people can’t perceive patterns over broad data
Result: breach not in admin awareness for some unknown duration
UX solution: pattern recognition, visualization of data
DigiNotar
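The slide's "UX solution" is pattern recognition over the CA's own data. As an added example (not from the talk, and not DigiNotar's actual systems or logs), the script below does that over a constructed issuance log: it groups issuances by operator and flags the ones an admin would want surfaced. The log format, the operator names, the customer domain allow-list and the business-hours window are all assumptions made for illustration.

```python
"""Surface anomalous certificate issuance in a CA issuance log.

Added example: the log format, operator accounts, customer allow-list and
business-hours window are constructed assumptions, not a real CA's data.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample log: "timestamp|operator|subject_cn|serial"
SAMPLE_LOG = """\
2011-07-10T09:14:02|alice|shop.example.nl|1001
2011-07-10T10:22:45|bob|mail.example.nl|1002
2011-07-11T11:05:10|alice|portal.example.nl|1003
2011-07-11T02:47:33|admin2|*.google.com|1004
2011-07-11T02:48:01|admin2|login.yahoo.com|1005
2011-07-11T02:49:12|admin2|*.torproject.org|1006
2011-07-12T14:30:00|bob|intranet.example.nl|1007
2011-07-13T03:05:55|admin2|addons.mozilla.org|1008
"""

# Assumed reference data: who may issue, for whom, and when.
KNOWN_OPERATORS = {"alice", "bob"}
CUSTOMER_DOMAINS = {"example.nl"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def parse_log(text):
    """Parse 'timestamp|operator|subject_cn|serial' lines into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, operator, cn, serial = line.split("|")
        records.append({
            "time": datetime.fromisoformat(ts),
            "operator": operator,
            "cn": cn,
            "serial": serial,
        })
    return records


def registrable_domain(cn):
    """Crude registrable domain: last two labels of the CN, wildcard stripped."""
    labels = cn.lstrip("*.").split(".")
    return ".".join(labels[-2:])


def flag_issuance(rec):
    """Return the reasons one issuance looks anomalous (empty list if none)."""
    reasons = []
    if rec["operator"] not in KNOWN_OPERATORS:
        reasons.append("unknown operator")
    if registrable_domain(rec["cn"]) not in CUSTOMER_DOMAINS:
        reasons.append("subject not a known customer domain")
    if not BUSINESS_START <= rec["time"].time() <= BUSINESS_END:
        reasons.append("issued outside business hours")
    if rec["cn"].startswith("*."):
        reasons.append("wildcard certificate")
    return reasons


def summarize(text):
    """Group issuances by operator and list the flagged ones with reasons."""
    records = parse_log(text)
    per_operator = Counter(r["operator"] for r in records)
    flagged = []
    for r in records:
        reasons = flag_issuance(r)
        if reasons:
            flagged.append({"serial": r["serial"], "operator": r["operator"],
                            "cn": r["cn"], "reasons": reasons})
    return {"total": len(records), "per_operator": dict(per_operator),
            "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} issuances; per operator: {report['per_operator']}")
    for f in report["flagged"]:
        print(f"serial {f['serial']} ({f['operator']}, {f['cn']}): "
              + ", ".join(f["reasons"]))
```

The per-operator count alone already makes the pattern visible: an account nobody recognises issuing as many certificates as the known operators combined, at night, for domains the CA has no customer relationship with. That is the summary a dashboard should put in front of the admin instead of the raw lines.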
Problem: DigiNotar had no easy way to revoke certs
UX root cause: people are susceptible to impact bias (a cognitive bias in estimation), so no user scenario was prepared for cert revocation
Result: Even after identified no easy way to stop certs
UX solution: lifecycle interaction flow design, unbiased risk evaluation
DigiNotar
Problem: data breach, 77 million ID thefts
UX root cause: people susceptible to confirmation bias – see what they want
Result: did not perceive risk and made poor security choices, insufficient maintenance of patches
UX solution: processes that remove biased decision making from product usage
Sony
Problem: data breach, 77 million ID thefts
UX root cause: overconfidence in decision making; provoked the hacker community
Result: hackers accepted the invitation
UX solution: hacker persona profiling as part of IT decision making
Sony
Problem: ~150,000 corporate video systems set to auto-answer, allowing spying
UX root cause: status quo bias and poor risk assessment skills
Result: system default configuration implications overlooked, not deployed within secure corporate networks
UX solution: interface alerts, configuration defaults, and awareness training for implementation staff
H.323 Protocol
You can make a huge difference in solving the human aspects of security issues.
Challenge
Thank You
We’re glad to help your product
become more usable
and more secure.
We’re hiring UX contractors and
freelancers.
Security UX Daily Paper.li • http://is.gd/kdcf0p
Darren Kall @darrenkall +1 (937) 648-4966• [email protected]• http://www.slideshare.net/DarrenKall
Media Credits
Man drawing Patty Borgman
Scared woman http://www.etftrends.com/2010/06/safe-haven-bear-etfs-lead-asset-grab-may/
Beer http://www.bestfreeicons.com/c47-3d-icons-0.html