Security and User Experience: Pushing for Change in the Enterprise Environment Slides from the NUX5 talk by Glenn A. Gustitus, Friday 7th October 2016. 2016.nuxconf.uk / nuxuk.org Synopsis: Pushing for change in an enterprise environment is a challenge. Improving the user experience of security solutions that historically have conflated being difficult to use with being more secure, is an even larger challenge. In this talk, Glenn is going to show you why security needs our help, and how to have a positive impact in an environment known for being especially change resilient.

1. Security and UX
Pushing for Change in the Enterprise Environment

2. “The value of personal financial and health
records is two or three times the value of financial
information alone.” – Post Gazette
http://www.post-gazette.com/news/health/2015/03/16/Healthcare-files-valuable-to-identity-
thieves/stories/201503160013

3. “Stolen health credentials can go for $10 each,
about 10 or 20 times the value of a U.S. credit card
number” – Reuters
http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

4. “Criminals are selling the information on the black
market at a rate of $50 for each partial EHR,
compared to $1 for a stolen social security
number or credit card number” – FBI Cyber
Division
http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-
intrusions.pdf

5. Secure From the Start

6. Yahoo

7. 500 million email accounts

8. “To make computer systems more secure, a
company often has to make its products slower
and more difficult to use. It was a trade-off
Yahoo’s leadership was often unwilling to make.” –
New York Times
http://mobile.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html

9. “-their requests were often overridden because of
concerns that the inconvenience of added
protection would make people stop using the
company’s products” – NY Times

10. When we aim to improve the user experience of
security, we aren't just challenging convention, we
are challenging culture.

11. Involve Development from the Beginning

12. Involve Security from the Beginning

13. “Design happens when designers aren’t
there.” – Jarod Spool
https://articles.uie.com/designing_without_a_designer/

14. To solve these problems, we need to have a
common language.

15. Risk

16. Risk is any event that could result in the
compromise of assets.

17. We make a series of design decisions that
make assumptions about risk.

22. 1. Hard to guess (or find out)
2. Easy to remember
3. Doesn’t change over time

24. Multifactor Authentication

25. A thing you have.
A thing you know.
A thing you are.

26. https://arxiv.org/pdf/1309.5344.pdf

29. Authentication

31. Authorization

34. Globalization & Privacy

36. https://www.dlapiperdataprotection.com/#handbook/world-map-section

38. 1. Share your process.

39. 1. Share your process.
2. Understand the limitations of the other
disciplines.

40. 1. Share your process.
2. Understand the limitations of the other
disciplines.
3. Build those relationships.

41. Success Story (with a dash of failure)

42. PAM (Privileged Access Management)

44. 1. Observe your users.

45. 2. Craft Personas.
1. Observe your users.

46. 2. Craft Personas.
1. Observe your users.
3. Integrate into your user’s workflows.

47. “The Paranoids, the internal name for Yahoo’s
security team, often clashed with other parts of
the business over security costs.” – NY Times

48. Empathy

49. Thank you.