This is one of a pair of talks. This one encourages the UX community to get involved in security products and security aspects. It outlines how UX skills can help make security more secure by making it more usable. It challenges the UX community to adopt "security thinking" because it stretches the traditional boundaries of UX focus. Security products and security issues do not get enough attention from user experience. Yet user experience is at the root cause of many, if not most, security issues. The weakest link in security is not technology but the gap between technology and people. The developer, IT implementer, administrator, and end-user each create vulnerabilities if the system wasn’t designed to be usable for each of them. Technology, policies, management and metrics all improve with a user-centric approach that merges development, security implementation and monitoring with usability. It isn't secure if people can't use it.™
Usable Security: it isn't secure if people can't use it (Midwest UX, 2 Jun 2012)
1. Usable Security
UX Review
Usable Security
It isn’t secure if people can’t use it.
Darren Kall – Midwest UX 2012
@darrenkall
#secUX
#mwux12
KALL Consulting
customer and user experience design and strategy
20-min version: 2Jun2012
@darrenkall #secux #mwux12
2. Not enough Usable Security
There are some UX people focusing on security UX
But not enough
Because we don’t see it as our problem
It is our problem
We can’t solve all the problems
We may be the only people who can help
3. InfoSec Credentials
Founded the Windows Security UX team
Founded the Windows Security Assurance team
GPM of the Windows Core Security team
GPM of the Microsoft Passport UX team
GPM of the Microsoft Passport front-end PM team
Founded the MSN-client security and privacy teams
Worked on designing the security for the AT&T phone system for the White House
5. Bookend Talk
Spoke at an InfoSec conference in 2012: encouraged them to adopt a UX approach
Speaking to you at Midwest UX 2012: encouraging you to focus on security
Weak on the encouragement side
Scare you
6. Scary stuff first
Mobile device malware increased 1,200% in 1Q 2012
Cybercrime in 2011 had more revenue than the international illicit drug trade
US Treasury reports hundreds of billions lost per year due to security breaches
2011 mobile app market = 8.5 B
2016 projected mobile app market = 46 B
2011 tablet and smartphone market = 190 B
2015 saturation
Security incidents increase: overall US 2011 = 77%, Federal (5 years) = 650%
GNP growth 2012 = 2.4% - 3%
7. Why will it continue to get worse?
Increased cloud usage
Increased mobile usage
“New” web tech: HTML 5, CSS3, etc.
More powerful access to data
Social, geolocation, connectedness …
Hacktivism
Government to government attacks - cyberwar
Etc.
8. Hacker Credentials
Short and sweet hacking career
Caught by US military IT security forensics team
No charges
Just wanted to know how a graduate student in New Hampshire got into a secure military network in Colorado
Never asked me why
Never asked about problem solving
Did not take a UX approach
9. Current meme
“The system would be secure if we just got rid of the people.” – Every IT person who ever worked on security
10. In a way – they are right
The problems with people
Limited cognitive models
“Imperfect” memory
Lazy
Don’t respond quickly enough
Limited number crunching
Emotional responses
Don’t understand security
Limited ability to visualize
Fear negative outcomes
Limited decision making skill
Too busy
Not tech savvy
Limits to vigilance
Cognitive biases
Easily deceived
11. Security issues are UX design issues
Security issues are human issues
Human issues are UX design issues
12. UX Wheelhouse
UX design has the techniques and skills to solve security issues
But there’s a catch
Systems are secure only if every aspect of the end-to-end system can be used
13. Traditional UX focus
End-users
Product and features
Trending tech/industries
Critical path – core aspects
14. To improve security
Go beyond traditional UX
Adopt “Security Thinking”
15. Go beyond end-users
Security UX is not just end-users but every human in the end-to-end system
17. Go beyond the product
Security UX is not just the product and features but every interaction with the end-to-end system
18. Go beyond the product
Product
Documentation
Customer Support
System logic
Cognitive Model
Perception
Services
Updates
Upgrades
Installation
Uninstall
Purchase
Supply chain
Relationship
Trust
Predictability
Availability
etc.
19. Go beyond trending tech
Security UX is not just trending technology or industries but every component in the end-to-end system
20. Go beyond trending tech
Trending Tech
Trending Industries
Mobile
Touch computing
Social
Social gestures
Healthcare
Big data
Green
NFC
Voice
Gestures
“Old” Tech
“Old” industries
Existing tech
etc.
21. Go beyond the critical path
Security UX is not just the critical path and core aspects but every deep detail of the end-to-end system
23. Examples from 2011
When going beyond traditional UX could have helped security
24. Comodo Cert Auth
Problem: issued fraudulent certs
UX root cause: people are easily deceived
Result: employees were socially engineered
UX solution: improve system, process, probes, teaching, etc. to allow employees to do a confidence test of applicants
25. DigiNotar
Problem: hackers had access to issue their own certs
UX root cause: people can’t perceive patterns over broad data
Result: breach not in admin awareness for some unknown duration
UX solution: pattern recognition, visualization of data
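The pattern-recognition gap in the DigiNotar slide above, as an added example that is not part of the original talk: a small Python review of a constructed certificate-issuance log that flags issuances outside the expected pattern and gives per-day counts so a burst is visible at a glance. The log format, operator names, customer domains and business hours are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample CA issuance log (made up for this example, not real DigiNotar data).
SAMPLE_LOG = """\
2011-07-08T09:14:02Z issue op=alice cn=www.customer-one.example serial=1001
2011-07-08T10:47:33Z issue op=bob cn=mail.customer-one.example serial=1002
2011-07-10T02:31:09Z issue op=svc-backup cn=*.bigmail.example serial=1003
2011-07-10T02:32:40Z issue op=svc-backup cn=login.bigmail.example serial=1004
2011-07-11T14:05:50Z issue op=alice cn=shop.customer-two.example serial=1006
"""
# Assumed reference data an administrator would hold: approved RA staff and paying customers.
KNOWN_OPERATORS = {"alice", "bob"}
CUSTOMER_DOMAINS = {"customer-one.example", "customer-two.example"}
LINE_RE = re.compile(r"^(\S+) issue op=(\S+) cn=(\S+) serial=(\d+)$")

def parse_log(text):
    """Yield (timestamp, operator, common_name, serial) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the review
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4))

def registered_domain(cn):
    """Reduce 'login.bigmail.example' or '*.bigmail.example' to 'bigmail.example'."""
    return ".".join(cn.lstrip("*.").split(".")[-2:])

def find_anomalies(text, business_hours=(7, 19)):
    """Return {serial: [reasons]} for issuances that break the expected pattern."""
    flagged = {}
    for ts, op, cn, serial in parse_log(text):
        reasons = []
        if op not in KNOWN_OPERATORS:
            reasons.append("unknown operator account")
        if registered_domain(cn) not in CUSTOMER_DOMAINS:
            reasons.append("subject is not a customer domain")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append("issued outside business hours")
        if reasons:
            flagged[serial] = reasons
    return flagged

def daily_histogram(text):
    """Per-day issuance counts and a text bar chart so a burst stands out at a glance."""
    counts = Counter(ts.date().isoformat() for ts, _op, _cn, _serial in parse_log(text))
    chart = "\n".join(f"{day} {'#' * n} ({n})" for day, n in sorted(counts.items()))
    return dict(counts), chart
```

Calling `find_anomalies(SAMPLE_LOG)` flags serials 1003 and 1004 on all three rules, and `daily_histogram(SAMPLE_LOG)[1]` shows the 2011-07-10 night-time pair as its own bar.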
26. DigiNotar
Problem: DigiNotar had no easy way to revoke certs
UX root cause: people susceptible to impact bias (a cognitive bias of estimation), so did not prepare a user scenario for cert revocation
Result: even after the breach was identified, there was no easy way to stop the certs
UX solution: lifecycle interaction flow design, unbiased risk evaluation
27. Sony
Problem: data breach – 77 million ID thefts
UX root cause: people susceptible to confirmation bias – see what they want to see
Result: did not perceive risk and made poor security choices; insufficient maintenance of patches
UX solution: processes that remove biased decision making from product usage
28. Sony
Problem: data breach – 77 million ID thefts
UX root cause: overconfidence in decision making, provoked the hacker community
Result: hackers accepted the invitation
UX solution: hacker persona profiling as part of IT decision making
29. H.323 Protocol
Problem: ~150,000 corporate video systems set to auto-answer, allowing spying
UX root cause: status quo bias and poor risk assessment skills
Result: system default configuration implications overlooked; not deployed within secure corporate networks
UX solution: interface alerts, configuration defaults, and awareness training for implementation staff
30. Challenge
You can make a huge difference in solving the human aspects of security issues.
31. Thank You
We’re glad to help your product become more usable and more secure.
We’re hiring UX contractors and freelancers.
Security UX Daily Paper.li
• http://is.gd/kdcf0p
Darren Kall @darrenkall +1 (937) 648-4966
• darrenkall@kallconsulting.com
• http://www.slideshare.net/DarrenKall
32. Media Credits
Man drawing: Patty Borgman
Scared woman: http://www.etftrends.com/2010/06/safe-haven-bear-etfs-lead-asset-grab-may/
Beer: http://www.bestfreeicons.com/c47-3d-icons-0.html