Usable Security: It isn't secure if people can't use it (Midwest UX, 2 Jun 2012)

This is one of a pair of talks. This one encourages the UX community to get involved in security products and in the security aspects of other products. It outlines how UX skills can make security more secure by making it more usable, and it challenges the UX community to adopt "security thinking", because security stretches the traditional boundaries of UX focus. Security products and security issues do not get enough attention from user experience, yet user experience is the root cause of many, if not most, security issues. The weakest link in security is not technology but the gap between technology and people. The developer, IT implementer, administrator, and end-user each create vulnerabilities if the system wasn't designed to be usable for each of them. Technology, policies, management and metrics all improve with a user-centric approach that merges development, security implementation and monitoring with usability. It isn't secure if people can't use it. ™

Published in: Technology, News & Politics

  1. Usable Security (UX Review): It isn't secure if people can't use it. Darren Kall, Midwest UX 2012 (20-min version, 2 Jun 2012). KALL Consulting: customer and user experience design and strategy. @darrenkall #secUX #mwux12
  2. Not enough usable security: There are some UX people focusing on security UX, but not enough, because we don't see it as our problem. It is our problem. We can't solve all of the problem, but we may be the only people who can help.
  3. InfoSec credentials: Founded the Windows Security UX team; founded the Windows Security Assurance team; GPM of the Windows Core Security team; GPM of the Microsoft Passport UX team; GPM of the Microsoft Passport front-end PM team; founded the MSN-client security and privacy teams; worked on designing the security for the AT&T phone system for the White House.
  4. Apology to ~900 million people: "I'm sorry." (repeated to fill the slide)
  5. Bookend talk: Spoke at an InfoSec conference in 2012 and encouraged them to adopt a UX approach. Speaking to you at Midwest UX 2012 to encourage you to focus on security. Weak on the encouragement side; instead, scare you.
  6. Scary stuff first: Mobile device malware increased 1,200% in 1Q 2012. Cybercrime in 2011 had more revenue than the international illicit drug trade. The US Treasury reports hundreds of billions lost per year due to security breaches. 2011 mobile app market = 8.5 B; 2016 projected mobile app market = 46 B. 2011 tablet and smartphone market = 190 B; saturation projected for 2015. Security incidents increase: overall US 2011 = 77%, Federal (over 5 years) = 650%. GNP growth 2012 = 2.4% to 3%.
  7. Why will it continue to get worse? Increased cloud usage; increased mobile usage; "new" web tech (HTML5, CSS3, etc.); more powerful access to data; social, geolocation, connectedness; hacktivism; government-to-government attacks (cyberwar); etc.
  8. Hacker credentials: Short and sweet hacking career. Caught by a US military IT security forensics team. No charges; they just wanted to know how a graduate student in New Hampshire got into a secure military network in Colorado. Never asked me why. Never asked about problem solving. Did not take a UX approach.
  9. Current meme: "The system would be secure if we just got rid of the people." (every IT person who ever worked on security)
  10. In a way, they are right. The problems with people: limited memory; "imperfect" cognitive models; lazy; don't respond quickly enough; limited number crunching; don't understand security; emotional responses; limited ability to visualize; fear negative outcomes; limited decision-making skill; too busy; not tech savvy; limits to vigilance; cognitive biases; easily deceived.
  11. Security issues are UX design issues: Security issues are human issues. Human issues are UX design issues.
  12. UX wheelhouse: UX design has the techniques and skills to solve security issues. But there's a catch: systems are secure only if every aspect of the end-to-end system can be used.
  13. Traditional UX focus: end-users; product and features; trending tech/industries; critical path (core aspects).
  14. To improve security: Go beyond traditional UX. Adopt "security thinking."
  15. Go beyond end-users: Security UX is not just end-users but every human in the end-to-end system.
  16. Go beyond end-users: End-users, installers, administrators, hackers, project managers, developers, testers, marketing, sales, product managers, business analysts, system designers, program managers, trainers, maintenance, monitoring, forensics, deprecation, etc.
  17. Go beyond the product: Security UX is not just the product and features but every interaction with the end-to-end system.
  18. Go beyond the product: Product, documentation, customer support, system logic, cognitive model, perception, services, updates, upgrades, installation, uninstall, purchase, supply chain, relationship, trust, predictability, availability, etc.
  19. Go beyond trending tech: Security UX is not just trending technology or industries but every component in the end-to-end system.
  20. Go beyond trending tech: Trending tech (mobile, touch computing, social, social gestures, NFC, voice, gestures); trending industries (healthcare, big data, green); "old" tech; "old" industries; existing tech; etc.
  21. Go beyond the critical path: Security UX is not just the critical path and core aspects but every deep detail of the end-to-end system.
  22. Go beyond the critical path: Critical path, data sharing, profile, passwords, management, purchasing, billing, customization, returns, training, vigilance, awareness, alerting, adoption, usage, proper configuration, errors, etc.
  23. Examples from 2011: when going beyond traditional UX could have helped security.
  24. Comodo (certificate authority). Problem: issued fraudulent certs. UX root cause: people are easily deceived. Result: employees were socially engineered. UX solution: improve the system, process, probes, teaching, etc. to allow employees to do a confidence test of applicants.
  25. DigiNotar. Problem: hackers had access to issue their own certs. UX root cause: people can't perceive patterns over broad data. Result: the breach was not in admin awareness for some unknown duration. UX solution: pattern recognition, visualization of data.
  26. DigiNotar. Problem: DigiNotar had no easy way to revoke certs. UX root cause: people are susceptible to impact bias (a cognitive bias of estimation), so no user scenario for cert revocation was prepared. Result: even after the rogue certs were identified, there was no easy way to stop them. UX solution: lifecycle interaction flow design, unbiased risk evaluation.
  27. Sony. Problem: data breach, 77 million ID thefts. UX root cause: people are susceptible to confirmation bias (they see what they want). Result: did not perceive risk and made poor security choices; insufficient maintenance of patches. UX solution: processes that remove biased decision making from product usage.
  28. Sony. Problem: data breach, 77 million ID thefts. UX root cause: overconfidence in decision making; provoked the hacker community. Result: hackers accepted the invitation. UX solution: hacker persona profiling as part of IT decision making.
  29. H.323 protocol. Problem: ~150,000 corporate video systems set to auto-answer, allowing spying. UX root cause: status quo bias and poor risk assessment skills. Result: the implications of the default system configuration were overlooked; systems were not deployed within secure corporate networks. UX solution: interface alerts, configuration defaults, and awareness training for implementation staff.
  30. Challenge: You can make a huge difference in solving the human aspects of security issues.
  31. Thank you. We're glad to help your product become more usable and more secure. We're hiring UX contractors and freelancers. Security UX Daily (Paper.li): http://is.gd/kdcf0p. Darren Kall, @darrenkall, +1 (937) 648-4966, darrenkall@kallconsulting.com, http://www.slideshare.net/DarrenKall
  32. Media credits: Man drawing: Patty Borgman. Scared woman: http://www.etftrends.com/2010/06/safe-haven-bear-etfs-lead-asset-grab-may/ . Beer: http://www.bestfreeicons.com/c47-3d-icons-0.html
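The DigiNotar point on slide 25 is that administrators cannot see a breach buried in a mass of issuance records unless the system surfaces the pattern for them. The Python below is an added illustration of that idea; it is not part of the talk and not DigiNotar's tooling. It turns a constructed certificate-issuance log into a short list of findings (subject outside the requesting account's allowlist, wildcard subject, off-hours issuance, a burst from one account) and a per-day text histogram. The log format, the account names, the domains, the allowlist and the thresholds are all assumptions made for this example.

```python
"""Added example: surfacing anomalous certificate issuance from a CA log so
that an administrator can perceive it. Log format, accounts, domains and
thresholds are constructed for this illustration (not DigiNotar's data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) acct=(\S+) cn=(\S+)$")

# Constructed sample log: a quiet week of reseller activity, then an internal
# account issuing wildcard certs for unrelated domains at 02:41 (made-up names).
SAMPLE_LOG = """\
2011-07-10T09:14:02Z acct=reseller-a cn=www.bank-example.nl
2011-07-10T10:02:45Z acct=reseller-b cn=portal.gov-example.nl
2011-07-11T11:20:00Z acct=reseller-a cn=shop.bank-example.nl
2011-07-12T14:05:31Z acct=reseller-c cn=mail.corp-example.nl
2011-07-19T02:41:10Z acct=ra-admin cn=*.webmail-example.com
2011-07-19T02:41:12Z acct=ra-admin cn=*.search-example.com
2011-07-19T02:41:15Z acct=ra-admin cn=*.social-example.com
2011-07-19T02:41:19Z acct=ra-admin cn=login.chat-example.com
"""

# Hypothetical allowlist: which account may issue for which domain suffixes.
CUSTOMER_DOMAINS = {
    "reseller-a": ("bank-example.nl",),
    "reseller-b": ("gov-example.nl",),
    "reseller-c": ("corp-example.nl",),
}


def parse_log(text):
    """Parse 'timestamp acct=<name> cn=<subject>' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append({"ts": ts, "acct": m.group(2), "cn": m.group(3)})
    return records


def cn_allowed(acct, cn, customers):
    """True if the subject is the account's domain or a subdomain of it.
    The suffix check is on label boundaries, so 'bank-example.nl.evil' and
    'evilbank-example.nl' do not pass for the bank-example.nl allowlist entry."""
    base = cn[2:] if cn.startswith("*.") else cn
    return any(base == d or base.endswith("." + d) for d in customers.get(acct, ()))


def find_anomalies(records, customers, business_hours=(8, 18),
                   burst_limit=3, window_seconds=60):
    """Return (rule, record) pairs for the patterns a human reviewer tends to miss:
    subject outside the account's allowlist, wildcard subject, issuance outside
    business hours, and more than burst_limit certs from one account in one window."""
    findings = []
    times_by_acct = defaultdict(list)
    for r in records:
        if not cn_allowed(r["acct"], r["cn"], customers):
            findings.append(("unauthorised-domain", r))
        if r["cn"].startswith("*."):
            findings.append(("wildcard", r))
        if not business_hours[0] <= r["ts"].hour < business_hours[1]:
            findings.append(("off-hours", r))
        times_by_acct[r["acct"]].append(r["ts"])
    for acct, times in times_by_acct.items():
        times.sort()
        for i, start in enumerate(times):
            # count issuances by this account within window_seconds of this one
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if n > burst_limit:
                findings.append(("burst", {"acct": acct, "ts": start, "count": n}))
                break  # one burst finding per account is enough to raise the alarm
    return findings


def issuance_histogram(records):
    """Certs per calendar day as a text bar chart: a shape an admin can scan at a glance."""
    counts = Counter(r["ts"].date().isoformat() for r in records)
    return "\n".join(f"{day} {'#' * n} {n}" for day, n in sorted(counts.items()))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(issuance_histogram(recs))
    for rule, r in find_anomalies(recs, CUSTOMER_DOMAINS):
        print(f"{rule:20} {r['acct']:11} {r['ts']:%Y-%m-%d %H:%M} {r.get('cn', '')}")
```

Each rule encodes a judgement the talk says people make badly unaided: a wildcard cert for a domain the requesting account was never authorised for, issued at 02:41 in a burst of four, is easy to overlook in a long log but hard to miss as a four-line finding next to a spike in the histogram. In a real CA the same checks would run continuously against the issuance database and page someone, rather than being read off a file.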
