Usable security- It isn't secure if people can't use it. O-ISC conference 14mar2012
This is one of two talks. This one encourages the security community to adopt a user experience approach to the development and deployment of security products. The second encourages the user experience community to focus their skills on usable security issues. Security products and security issues do not get enough attention from user experience. Yet user experience is at the root cause of many, if not most, security issues. The weakest link in security is not technology but the gap between technology and people. The developer, IT implementer, administrator, and end-user each create vulnerabilities if the system wasn’t designed to be usable for each of them. Technology, policies, management and metrics all improve with a user-centric approach that merges development, security implementation and monitoring with usability.


  1. Darren Kall, @darrenkall, #secUX

  2. Employment
     • KALL Consulting
     • Microsoft
       ◦ Windows Security User Experience team: founder
       ◦ Windows Security Assurance team: founder
       ◦ Windows Core Security: group program manager
       ◦ Microsoft Passport: group program manager
       ◦ Microsoft Passport User Experience team: manager
       ◦ MSN-client: security and privacy team founder
     • AT&T Bell Laboratories, IBM, H.E.L.P., LexisNexis
     Patents: 11 US patents, 6 international patents, 104 patent citations
     Education: Dartmouth College, Rutgers College

  3. User Experience (UX)
     • Insight: Research
     • Innovation: Design
     • Impact: Evaluation
     Practice areas:
     • Product UX: Design & Improve Product UX
     • Sec UX: Security User Experience
     • M&A UX: Merger & Acquisition User Experience
     • PI UX: Product Integration User Experience
     • Strategic UX: User Experience Management

  4. Problem: If a security system wasn’t designed to be usable by each person who touches it, then the people create vulnerabilities
     Solution: An end-to-end UX approach that merges technology possibilities, business imperatives, and a deep knowledge of users to improve security
     Next Steps: Practical steps to a UX approach

  5. People have: limited memory; “imperfect” cognitive models; laziness; slow responses (don’t respond quickly enough); limited number crunching; no understanding of security; emotional responses; limited ability to visualize; fear of negative outcomes; limited decision-making skill; too little time (too busy); little tech savvy; limits to vigilance; cognitive biases; and they are easily deceived

  6. “The system would be secure if we just got rid of the people.”
     Every IT person who ever worked on security

  7. That is not an option. It is a lot easier to change the system than to change people

  8. If a system is not designed to be usable by the people who have to use it, the people are not to blame. The system is

  9. • Dialog boxes and vigilance
       ◦ If an end-user sees a security dialog 100 times, they agree without reading the 101st time
     • Passwords and memory
       ◦ If a person has to have a 15 character password that must change every 30 days and must contain special characters, they write the password on a Post-it note
     • Trojans and decision making
       ◦ If a user opens an Excel spreadsheet without questioning the source, they invite hidden exploits

  10. It is not just end-users but every human in the end-to-end system

  11. End-users, Installers, Product Managers, Administrators, Business Analysts, Hackers, System Designers, Trainers, Program Managers, Maintenance, Project Managers, Developers, Monitoring, Testers, Forensics, Marketing, Deprecation, Sales, etc.

  12. • Developer
        ◦ If a developer does not have insight into the security skills of the user, they assume the user is like them
      • Installer
        ◦ If it is too hard for an installer to figure out how to configure security, it goes in with a risky default
      • Sales
        ◦ If a sales person can’t model a customer’s security needs sufficiently, they sell them the wrong system

  13. Am I exaggerating?

  14. Comodo Cert Auth
      ◦ Problem: tricked into issuing fraudulent certs
      ◦ UX: people are easily deceived
      ◦ Result: employees were socially engineered

  15. DigiNotar
      ◦ Problem: hacker access to cert issuing
      ◦ UX: people can’t perceive patterns over broad data
      ◦ Result: breach not in admin awareness
      ◦ UX: people susceptible to impact bias; a cognitive bias of estimation
      ◦ Result: did not prepare a user scenario for cert revocation

  16. Sony
      ◦ Problem: data breach, 77 million ID thefts
      ◦ UX: people susceptible to confirmation bias
      ◦ Result: did not perceive risk and made poor security choices, insufficient maintenance of patches
      ◦ UX: overconfidence in decision making
      ◦ Result: provoked the hacker community

  17. RSA
      ◦ Problem: token information hacked
      ◦ UX: limited ability to predict consequences
      ◦ Result: people post info in social media
      ◦ UX: people are easily deceived
      ◦ Result: fooled by phishing attack with Adobe-Excel exploit

  18. H.323 Protocol
      ◦ Problem: ~150,000 corporate video systems set to auto-answer, allowing spying
      ◦ UX: status quo bias
      ◦ Result: system default configuration implications overlooked
      ◦ UX: risk assessment skills
      ◦ Result: not deployed within secure corporate networks

  19. Improve end-to-end system security by taking a UX approach to design and development

  20. Insight (Research): Customer Insight, User Research, Ideation, Workflow, Task flow, Activity Cycles, Pain points, Touch points, Journey map, etc.
      Innovation (Design): Design, User-friendly, Interaction design, Information Arch, Transformation, Specification, Design guidelines, Look and Feel, Development, etc.
      Impact (Evaluation): Usability testing, A/B testing, Customer validation, Beta testing, Analytics, Evaluation, Measurements, Iterations, etc.

  21. • Insight Research: Detailed attention to the needs, limitations, and behaviors of people in a system to gain insights
      • Innovation Design: Apply this insight to intentional design in all stages of development, implementation, and use for specific user types
      • Impact Evaluation: A multi-stage approach requiring analysis, design, and evaluation iterations to ensure successful improvement

  22. • Deeply studying the people in the system
      • Gathering insight into their skills, motivations, limitations, behaviors, etc.
      • Using that information to drive innovative designs for security problems

  23. • Keep all users in mind when designing systems
      • Use the deep insights about users to match design to their limitations and behaviors
      • Designing to address user pain points and limitations

  24. • Test with people in the real world, not theoretical ideal world conditions
      • Iterate improvement, evaluate, insight, design cycles
        ◦ UX is an ongoing, incremental approach that depends on data

  25. Problem: A security IT tool was not being adopted
      UX Action: Ethnographic research and contextual inquiry on the variety of IT people using this security system to determine root cause
      Result: Identified 4-5 distinct IT persona types for each of four company IT segments: enterprise, large, medium, and small groups. Separated roles from titles, skills, motivations, and activity/behaviors
      Solution: One-size-fits-all was not working for any group; segmented core product into company/role specific products

  26. Problem: Significant implementation and customization errors on install and administration
      UX Action: Usability study of system with representative users. Included a UX assessment of technical writing.
      Result: Root cause was both product interface and the training/documentation
      Solution: Improved interaction and improved documentation and training to reduce errors

  27. Problem: System configuration taking too long and requiring repeated revisions
      UX Action: UX evaluation of configuration process
      Result: Total of over 3,000 configuration options, 6 that system developers could not tell apart, detachment between desired outcome and configurations
      Solution: Reduced configuration complexity, options based on real use, aligned outcomes with options, created profiles, offered service

  28. Problem: Client with ~900,000 users globally; vendors, employees, on a variety of devices; no easy way to see network security status
      UX Action: Reviewed current system, modeled pattern of monitoring workflow, prioritized events into semantic map for this audience
      Result: Needed situational awareness drill down from simple to detailed, not event alerts
      Solution: Created visualizations for quick overall system status with 4 layers of drill down to improve awareness

  29. Problem: Users relying on password customer support on failed logins
      ◦ Wanted to minimize user frustration
      ◦ Wanted to separate real users from non-users
      ◦ Wanted to minimize customer support costs
      UX Action: Researched a variety of real user behaviors to determine optimum design to meet goals

  30. [Chart: password attempt sequences, 12 attempts per row, one row per scenario]
      • Average Success Trial of Forgetters with no Lock Out, No CS, and no Self Help
      • Average Abandon Trial of Forgetters with no Lock Out, No CS, and no Self Help
      • Average Call if have CS Link
      • Average Self Help if have Self Help Link
      • Average CS Call if have CS Link and Self Help Link
      • Average Self Help if have Self Help Link and Lock Out @ 3
      Legend: Purple = add Self Help Link, Blue = add CS link, Yellow = you know you’ve got a hacker
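The design behind slides 29 and 30 can be written down as a small policy: surface the cheap recovery paths (self-help link, then customer-support link) early so that forgetters leave the retry loop quickly, lock the account after a fixed number of failures, and treat attempts that keep coming after the lock-out as the signal the chart colours yellow. The Python below is an added example, not code from the slides or from KALL Consulting; the lock-out at 3 attempts comes from the slide, while the other thresholds, the class and function names, and the sample attempt sequences are assumptions made here for illustration.

```python
"""Tiered response to failed logins, modelled on the forgetter-vs-attacker
scenarios of the slides. Added example; thresholds other than the lock-out
at 3 are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    RETRY = "retry"            # plain password prompt again
    SELF_HELP = "self_help"    # show the self-help (password reset) link
    CS_LINK = "cs_link"        # also show the customer-support link
    LOCK_OUT = "lock_out"      # account locked; only self help / CS remain
    SUSPICIOUS = "suspicious"  # attempts continue past lock-out: flag for review


@dataclass(frozen=True)
class LoginPolicy:
    self_help_after: int = 1        # assumed: offer self help on the 1st failure
    cs_link_after: int = 2          # assumed: add the CS link on the 2nd failure
    lock_out_at: int = 3            # from the slide: "Lock Out @ 3"
    suspicious_after_lock: int = 2  # assumed: 2 tries against a locked account


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    attempts_while_locked: int = 0


class LoginResponder:
    """Tracks failed attempts per account and returns the UI/security action."""

    def __init__(self, policy: LoginPolicy = LoginPolicy()):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def record_failure(self, account: str) -> Action:
        st = self.accounts.setdefault(account, AccountState())
        p = self.policy
        if st.locked:
            # A forgetter who saw the self-help/CS links has somewhere to go;
            # repeated tries against a locked account are the "yellow" pattern.
            st.attempts_while_locked += 1
            if st.attempts_while_locked >= p.suspicious_after_lock:
                return Action.SUSPICIOUS
            return Action.LOCK_OUT
        st.failures += 1
        if st.failures >= p.lock_out_at:
            st.locked = True
            return Action.LOCK_OUT
        if st.failures >= p.cs_link_after:
            return Action.CS_LINK
        if st.failures >= p.self_help_after:
            return Action.SELF_HELP
        return Action.RETRY

    def record_success(self, account: str) -> bool:
        """A correct password on an unlocked account resets the counter.
        Returns False when the account is locked (login must not proceed)."""
        st = self.accounts.setdefault(account, AccountState())
        if st.locked:
            return False
        st.failures = 0
        return True

    def flagged_accounts(self) -> list[str]:
        p = self.policy
        return sorted(a for a, st in self.accounts.items()
                      if st.attempts_while_locked >= p.suspicious_after_lock)


def simulate(events: list[tuple[str, bool]],
             policy: LoginPolicy = LoginPolicy()) -> list[str]:
    """Replay (account, password_correct) events and return the action taken
    for each failure; successes are recorded but produce no action."""
    r = LoginResponder(policy)
    actions = []
    for account, ok in events:
        if ok:
            r.record_success(account)
        else:
            actions.append(r.record_failure(account).value)
    return actions


if __name__ == "__main__":
    # Constructed sample: a forgetter who recovers on the 3rd try versus an
    # account that keeps failing well past the lock-out.
    forgetter = [("ann", False), ("ann", False), ("ann", True)]
    persistent = [("bob", False)] * 6
    print(simulate(forgetter))   # self help, then CS link, then success
    print(simulate(persistent))  # lock out at 3, flagged on the 5th attempt
```

Offering the self-help link on the first failure is what makes the later signal clean: once every real forgetter has a cheap exit within two or three attempts, the accounts that keep producing failures after the lock-out are the ones worth a second look, which is the separation of "real users from non-users" the slide lists as a goal.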
  31. Problem: Client with some divisions having repeated auth setup issues while others didn’t
      UX Action: Compared SOP and reports of use with actual use patterns
      Result: Some divisions had activity cycles of use and complete non-use based on business cycle. At the start of each cycle users forgot and created issues
      Solution: Redesign system for infrequent use to make it more intuitive; require users to have a refresher when they return

  32. A UX approach is not a substitute for good security technology engineering; it is an addition. You have to do both. Keep advancing security technologies

  33. Add a UX approach to your security improvement plans
      • If you have a specific UX-based security problem
        ◦ Develop a tailored UX initiative
      • If you DO NOT have a specific UX-based security problem
        ◦ Introduce a UX approach in steps

  34. Start your UX approach today
      1. Implement: Start with the UX basics
      2. Design: Adopt and tailor known UX solutions to fit your situation
      3. Evaluation: Specifically evaluate your UX problems, your users, your environment of use, etc. and implement specific solutions
      4. Research: Invest in long-term research into the people in your system to drive deep UX understanding

  35. If we all take a UX approach to security system design and improvement, their real-world security value will increase

  36. Darren Kall, darrenkall@kallconsulting.com, http://www.linkedin.com/in/darrenkall, @darrenkall, +1 (937) 648-4966
      SecUX: We’re glad to help your company have more usable security.