![Page 1: Usable security- It isn't secure if people can't use it. O-ISC conference 14mar2012](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/1.jpg)
Usable Security: It isn’t secure if people can’t use it.
Darren Kall, @darrenkall, #secUX
![Page 2](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/2.jpg)
Speaker Biography
Employment: KALL Consulting
Microsoft:
◦ Windows Security User Experience team: founder
◦ Windows Security Assurance team: founder
◦ Windows Core Security: group program manager
◦ Microsoft Passport: group program manager
◦ Microsoft Passport User Experience team: manager
◦ MSN client: security and privacy team founder
AT&T Bell Laboratories, IBM, H.E.L.P., LexisNexis
Patents: 11 US patents, 6 international patents, 104 patent citations
Education: Dartmouth College, Rutgers College
![Page 3](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/3.jpg)
User Experience (UX)
Insight Research, Innovation Design, Impact Evaluation
M&A UX: Merger & Acquisition User Experience
PI UX: Product Integration User Experience
Strategic UX: Strategic UX Management
Sec UX: Security User Experience
Product UX: Design & Improve Product UX
![Page 4](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/4.jpg)
Agenda
Problem: if a security system wasn’t designed to be usable by each person who touches it, then the people create vulnerabilities
Solution: an end-to-end UX approach that merges technology possibilities, business imperatives, and a deep knowledge of users to improve security
Next Steps: practical steps to a UX approach
![Page 5](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/5.jpg)
Problem
![Page 6](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/6.jpg)
The problems with people
Limited decision-making skill
Limited number crunching
Emotional responses
Limited memory
Limited ability to visualize
Easily deceived
Limits to vigilance
“Imperfect” cognitive models
Cognitive biases
Too busy
Not tech savvy
Don’t understand security
Fear negative outcomes
Don’t respond quickly enough
Lazy
![Page 7](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/7.jpg)
Conclusion
“The system would be secure if we just got rid of the people.”
Attributed to: every IT person who ever worked on security
![Page 8](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/8.jpg)
Rebuttal
That is not an option
It is a lot easier to change the system than to change people
![Page 9](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/9.jpg)
Who is to blame?
If a system is not designed to be usable by the people who have to use it, the people are not to blame
The system is
![Page 10](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/10.jpg)
Examples of People’s Limitations
Dialog boxes and vigilance: if an end-user sees a security dialog 100 times, they agree without reading the 101st time
Passwords and memory: if a person has to have a 15-character password that must change every 30 days and must contain special characters, they write the password on a Post-it note
Trojans and decision making: if a user opens an Excel spreadsheet without questioning the source, they invite hidden exploits
![Page 11](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/11.jpg)
End-to-end
It is not just end-users but every human in the end-to-end system
![Page 12](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/12.jpg)
End-to-end
End-users, product managers, business analysts, system designers, program managers, project managers, developers, testers, marketing, sales, installers, administrators, hackers, trainers, maintenance, monitoring, forensics, deprecation, etc.
![Page 13](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/13.jpg)
Examples of Non-end-user Limitations
Developer: if a developer does not have insight into the security skills of the user, they assume the user is like them
Installer: if it is too hard for an installer to figure out how to configure security, it goes in with a risky default
Sales: if a sales person can’t model a customer’s security needs sufficiently, they sell them the wrong system
![Page 14](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/14.jpg)
Severity Test: Am I exaggerating?
![Page 15](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/15.jpg)
Recent Examples
Comodo (certificate authority)
◦ Problem: tricked into issuing fraudulent certs
◦ UX: people are easily deceived
◦ Result: employees were socially engineered
![Page 16](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/16.jpg)
Recent Examples
DigiNotar
◦ Problem: hacker access to cert issuing
◦ UX: people can’t perceive patterns over broad data
◦ Result: breach not in admin awareness
◦ UX: people susceptible to impact bias, a cognitive bias of estimation
◦ Result: did not prepare a user scenario for cert revocation
![Page 17](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/17.jpg)
Recent Examples
Sony
◦ Problem: data breach, 77 million ID thefts
◦ UX: people susceptible to confirmation bias
◦ Result: did not perceive risk and made poor security choices, insufficient maintenance of patches
◦ UX: overconfidence in decision making
◦ Result: provoked the hacker community
![Page 18](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/18.jpg)
Recent Examples
RSA
◦ Problem: token information hacked
◦ UX: limited ability to predict consequences
◦ Result: people post info in social media
◦ UX: people are easily deceived
◦ Result: fooled by a phishing attack whose Excel attachment carried an Adobe Flash exploit
![Page 19](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/19.jpg)
Recent Examples
H.323 Protocol
◦ Problem: ~150,000 corporate video systems set to auto-answer, allowing spying
◦ UX: status quo bias
◦ Result: implications of the system default configuration overlooked
◦ UX: risk assessment skills
◦ Result: not deployed within secure corporate networks
![Page 20](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/20.jpg)
Solution
![Page 21](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/21.jpg)
Take the UX approach
Improve end-to-end system security by taking a UX approach to design and development
![Page 22](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/22.jpg)
Many UX Techniques
Insight Research: customer insight, user research, ideation, workflow, task flow, activity cycles, pain points, touch points, journey map, etc.
Innovation Design: design, user-friendly, interaction design, information architecture, transformation, specification, design guidelines, look and feel, development, etc.
Impact Evaluation: usability testing, A/B testing, customer validation, beta testing, analytics, evaluation, measurements, iterations, etc.
![Page 23](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/23.jpg)
UX Approach
Insight Research: detailed attention to the needs, limitations, and behaviors of people in a system to gain insights
Innovation Design: apply this insight to intentional design in all stages of development, implementation, and use for specific user types
Impact Evaluation: a multi-stage approach requiring analysis, design, and evaluation iterations to ensure successful improvement
![Page 24](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/24.jpg)
Insight Research
Deeply studying the people in the system
Gathering insight into their skills, motivations, limitations, behaviors, etc.
Using that information to drive innovative designs for security problems
![Page 25](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/25.jpg)
Innovation Design
Keep all users in mind when designing systems
Use the deep insights about users to match design to their limitations and behaviors
Design to address user pain points and limitations
![Page 26](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/26.jpg)
Impact Evaluation
Test with people in the real world, not theoretical ideal-world conditions
Iterate improvement, evaluate, insight, design cycles
◦ UX is an ongoing, incremental approach that depends on data
![Page 27](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/27.jpg)
Persona Example
Problem: a security IT tool was not being adopted
UX Action: ethnographic research and contextual inquiry on the variety of IT people using this security system to determine the root cause
Result: identified 4-5 distinct IT persona types for each of four company IT segments (enterprise, large, medium, and small groups); separated roles from titles, skills, motivations, and activity/behaviors
Solution: one-size-fits-all was not working for any group; segmented the core product into company/role-specific products
![Page 28](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/28.jpg)
Usability Testing Example
Problem: significant implementation and customization errors on install and administration
UX Action: usability study of the system with representative users, including a UX assessment of the technical writing
Result: root cause was both the product interface and the training/documentation
Solution: improved interaction and improved documentation and training to reduce errors
![Page 29](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/29.jpg)
UX Evaluation Example
Problem: system configuration taking too long and requiring repeated revisions
UX Action: UX evaluation of the configuration process
Result: over 3,000 configuration options in total, six of which the system’s own developers could not tell apart, and a detachment between the outcome the administrator wanted and the options that produce it
Solution: reduced configuration complexity, based options on real use, aligned outcomes with options, created profiles, offered a service
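One way to implement “aligned outcomes with options, created profiles”, as an added example that is not the client system from the talk: the installer picks the outcome they want, a profile pins most of the low-level options, and a small rule set spells out the implications of whatever the profile leaves open. The option names, profile names and rules below are hypothetical, modelled on the auto-answer default from the H.323 example earlier in the deck.

```python
"""Outcome-based configuration profiles with an implication check.

Added example with hypothetical option, profile and rule names; not
code from the talk or from any product it mentions.
"""

# Hypothetical option catalogue with the value a fresh install ships with.
# The talk's point is that an installer cannot reason about thousands of
# these one at a time, so the risky ones go in at their defaults.
DEFAULTS = {
    "auto_answer": True,           # accept incoming calls without a prompt
    "reachable_from": "internet",  # "internet" or "internal"
    "require_pin": False,          # callers must enter a meeting PIN
    "admin_password": "",          # empty means the vendor default is in use
    "remote_admin": True,          # management interface on the WAN side
    "logging": "errors",           # "off", "errors" or "all"
}

# A profile maps the outcome an installer actually wants to the handful
# of options that produce it. Anything not listed keeps its default.
PROFILES = {
    "meeting room, internal only": {
        "auto_answer": True, "reachable_from": "internal",
        "remote_admin": False, "logging": "all",
    },
    "executive office, reachable by partners": {
        "auto_answer": False, "reachable_from": "internet",
        "require_pin": True, "remote_admin": False, "logging": "all",
    },
}

# Rules state the implications of a combination that a person skimming
# a settings page would overlook. Each is (message, predicate).
RULES = [
    ("auto-answer on an internet-reachable endpoint lets anyone dial in and watch",
     lambda c: c["auto_answer"] and c["reachable_from"] == "internet"),
    ("internet-reachable endpoint without a meeting PIN",
     lambda c: c["reachable_from"] == "internet" and not c["require_pin"]),
    ("admin password left at the vendor default",
     lambda c: c["admin_password"] == ""),
    ("remote administration exposed on the internet side",
     lambda c: c["remote_admin"] and c["reachable_from"] == "internet"),
]


def resolve(profile_name, overrides=None):
    """Start from the defaults, apply the profile, then explicit overrides.
    Unknown option names are rejected rather than silently ignored."""
    overrides = overrides or {}
    unknown = set(overrides) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown options: {sorted(unknown)}")
    config = dict(DEFAULTS)
    config.update(PROFILES[profile_name])
    config.update(overrides)
    return config


def lint(config):
    """Messages for every rule the configuration triggers (empty is good)."""
    return [msg for msg, pred in RULES if pred(config)]


def options_user_must_decide(profile_name):
    """Options the profile leaves open: the only ones the installer still
    has to think about, instead of the whole catalogue."""
    return sorted(set(DEFAULTS) - set(PROFILES[profile_name]))
```

Running `lint(DEFAULTS)` shows why a fresh install is the worst case: every rule fires. A profile plus the one decision it leaves open (the admin password) yields a configuration that passes the check, and `options_user_must_decide` is the measure of how much of the 3,000-option problem the profile removed.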
![Page 30](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/30.jpg)
Visualization Design Example
Problem: client with ~900,000 users globally (vendors and employees, on a variety of devices) and no easy way to see network security status
UX Action: reviewed the current system, modeled the pattern of the monitoring workflow, prioritized events into a semantic map for this audience
Result: needed situational awareness with drill-down from simple to detailed, not event alerts
Solution: created visualizations for quick overall system status with four layers of drill-down to improve awareness
![Page 31](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/31.jpg)
Behavioral Analytics Example
Problem: users relying on password customer support on failed logins
◦ Wanted to minimize user frustration
◦ Wanted to separate real users from non-users
◦ Wanted to minimize customer support costs
UX Action: researched a variety of real user behaviors to determine the optimum design to meet the goals
![Page 32](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/32.jpg)
[Chart: password attempts per user, attempt number along the horizontal axis. Marked points: average success trial of forgetters with no lockout, no CS and no self-help; average abandon trial of forgetters with no lockout, no CS and no self-help; average call if a CS link is present; average self-help if a self-help link is present; average CS call if both a CS link and a self-help link are present; average self-help if a self-help link is present and lockout at 3.]
Purple: add self-help link. Blue: add CS link. Yellow: you know you’ve got a hacker.
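The analysis behind a chart like this, as an added example that is not part of the original talk: it reads a constructed login-attempt log, measures after how many wrong passwords real forgetters succeed, give up or ask for help, computes what share of users who did eventually log in a given lockout threshold would have locked out first, and flags accounts whose failure counts are beyond anything a forgetter produced (the yellow region). The log format, event names and all numbers are constructed for illustration.

```python
"""Behavioural analysis of login attempts: where do forgetters recover,
where do they walk away, and where does a lockout start hurting real
users more than attackers? Added example on constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from math import ceil
from statistics import mean

# Constructed sample log, one event per line: "<timestamp> <account> <event>".
# FAIL = wrong password, OK = logged in, ABANDON = left without logging in,
# SELFHELP = used the self-service reset link, CS = called support.
SAMPLE_LOG = """\
2012-03-14T09:00:01 alice FAIL
2012-03-14T09:00:09 alice FAIL
2012-03-14T09:00:20 alice OK
2012-03-14T09:01:00 bob FAIL
2012-03-14T09:01:30 bob SELFHELP
2012-03-14T09:02:00 carol FAIL
2012-03-14T09:02:10 carol FAIL
2012-03-14T09:02:25 carol FAIL
2012-03-14T09:03:00 carol CS
2012-03-14T09:05:00 dave OK
2012-03-14T09:06:00 erin FAIL
2012-03-14T09:06:30 erin FAIL
2012-03-14T09:07:00 erin ABANDON
2012-03-14T09:08:00 frank FAIL
2012-03-14T09:08:15 frank FAIL
2012-03-14T09:08:30 frank FAIL
2012-03-14T09:08:50 frank OK
2012-03-14T09:10:00 grace FAIL
2012-03-14T09:10:10 grace FAIL
2012-03-14T09:10:20 grace FAIL
2012-03-14T09:10:30 grace FAIL
2012-03-14T09:11:00 grace ABANDON
2012-03-14T09:12:00 heidi FAIL
2012-03-14T09:12:10 heidi OK
"""
# Forty failures in forty seconds against one account and nothing else:
# the trace a guessing script leaves, not a human who forgot a password.
SAMPLE_LOG += "\n".join(f"2012-03-14T10:00:{i:02d} victim FAIL" for i in range(40))

TERMINAL_EVENTS = {"OK", "ABANDON", "SELFHELP", "CS"}


@dataclass(frozen=True)
class Session:
    account: str
    fails: int      # wrong passwords entered before the terminal event
    terminal: str   # OK, ABANDON, SELFHELP, CS, or OPEN (only failures so far)


def parse_sessions(log_text):
    """Group events by account and reduce each account to one Session."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            _ts, account, event = line.split()
            events[account].append(event)
    sessions = []
    for account, evs in events.items():
        fails, terminal = 0, "OPEN"
        for ev in evs:
            if ev == "FAIL":
                fails += 1
            elif ev in TERMINAL_EVENTS:
                terminal = ev
                break
        sessions.append(Session(account, fails, terminal))
    return sessions


def mean_fails_before(sessions, terminal):
    """Average number of failures before the given outcome, or None."""
    vals = [s.fails for s in sessions if s.terminal == terminal]
    return mean(vals) if vals else None


def lockout_cost(sessions, lock_after):
    """Share of users who did log in but would have hit the lockout first."""
    ok = [s for s in sessions if s.terminal == "OK"]
    locked = [s for s in ok if s.fails >= lock_after]
    return len(locked) / len(ok) if ok else 0.0


def suspicious_accounts(sessions, factor=2.0):
    """Accounts with more failures than `factor` times the worst real
    forgetter produced before succeeding, giving up or asking for help."""
    legit = [s.fails for s in sessions if s.terminal != "OPEN"]
    ceiling = factor * max(legit) if legit else 0
    return sorted(s.account for s in sessions if s.fails > ceiling)


def link_plan(sessions):
    """When to surface help: the self-help link once the typical forgetter
    has already recovered, the support link where users start walking away."""
    plan = {}
    for key, outcome in (("self_help_after", "OK"), ("cs_link_after", "ABANDON")):
        m = mean_fails_before(sessions, outcome)
        plan[key] = None if m is None else ceil(m)
    return plan
```

On the constructed sample a lockout at 3 locks out a quarter of the users who would have logged in on their next try, while a lockout at 4 costs nobody and still leaves the guessing script far outside the human range; that trade-off, measured on real users rather than assumed, is what the chart was built to show.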
![Page 33](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/33.jpg)
Workflow Mapping Example
Problem: client with some divisions having repeated auth setup issues while others didn’t
UX Action: compared SOP and reports of use with actual use patterns
Result: some divisions had activity cycles of use and complete non-use based on the business cycle; at the start of each cycle users forgot and created issues
Solution: redesign the system for infrequent use to make it more intuitive; require users to have a refresher when they return
![Page 34](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/34.jpg)
Not exclusive
A UX approach is not a substitute for good security technology engineering; it is an addition
You have to do both: keep advancing security technologies
![Page 35](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/35.jpg)
Next Steps
![Page 36](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/36.jpg)
Next Steps
Add a UX approach to your security improvement plans
If you have a specific UX-based security problem
◦ Develop a tailored UX initiative
If you DO NOT have a specific UX-based security problem
◦ Introduce a UX approach in steps
![Page 37](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/37.jpg)
Incremental Steps
Start your UX approach today
1. Implement: start with the UX basics
2. Design: adopt and tailor known UX solutions to fit your situation
3. Evaluation: specifically evaluate your UX problems, your users, your environment of use, etc. and implement specific solutions
4. Research: invest in long-term research into the people in your system to drive deep UX understanding
![Page 38](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/38.jpg)
Take the UX approach
If we all take a UX approach to security system design and improvement, their real-world security value will increase
![Page 39](https://reader035.vdocuments.mx/reader035/viewer/2022081413/545d0f49b1af9f500a8b49a2/html5/thumbnails/39.jpg)
Thank You
Darren Kall, [email protected], http://www.linkedin.com/in/darrenkall, @darrenkall, +1 (937) 648-4966
SecUX: We’re glad to help your company have more usable security.