Usable security it isn't secure if people can't use it mwux 2 jun2012

1. 1 Usable Security UX Review Usable Security It isn’t secure if people can’t use it. Darren Kall – Midwest UX 2012 @darrenkall #secUX #mwux12 KALL Consulting customer and user experience design and strategy 20-min version: 2Jun2012 @darrenkall #secux #mwux12

2. 2 enough Usable Security Not Usable Security UX Review There are some UX people focusing on security UX But not enough Because we don’t see it as our problem It is our problem We can’t solve all the problem We may be the only people who can help @darrenkall #secux #mwux12

3. 3 InfoSec Credentials Usable Security UX Review Founded the Windows Security UX team Founded the Windows Security Assurance team GPM of the Windows Core Security team GPM of the Microsoft Passport UX team GPM of the Microsoft Passport front-end PM team Founded the MSN-client security and privacy teams Worked on designing the security for the AT&T phone system for the Whitehouse @darrenkall #secux #mwux12

4. 4 Usable Security UX Review I’mI’m Apology to ~900 Million people I’m sorry. I’m I’m I’mI’m I’m sorry. I’m sorry. sorry. sorry. sorry. I’m sorry. I’m I’m sorry. I’m sorry. sorry. sorry. sorry. I’mI’m I’m I’m I’m sorry. I’m I’m I’m I’m sorry. sorry. sorry. sorry. I’m sorry. I’m sorry. I’m sorry. sorry. sorry. I’m I’m I’m sorry. sorry. I’m I’m I’m I’m sorry.sorry. sorry. sorry. I’m sorry.I’m I’m sorry. I’m sorry. I’m I’m sorry.sorry.sorry. I’m sorry. sorry.sorry. @darrenkall #secux #mwux12

5. 5 Bookend Talk Usable Security UX Review Spoke at an InfoSec conference 2012 encouraged them to adopt a UX approach Speaking to you at Midwest UX 2012 encourage you to focus on security Weak on the encouragement side Scare you @darrenkall #secux #mwux12

6. 6 stuff first Scary Usable Security UX Review Mobile device malware increased 1,200% in 1Q 2012 Cybercrime in 2011 had more revenue than the international illicit drug trade US Treasury reports 100’s of billions lost per year due to security breaches 2011 mobile app market = 8.5 B 2016 project mobile app market = 46 B 2011 tablet and smartphone market = 190 B 2015 saturation Security incidents increase: Overall US 2011 = 77%, Federal (5 years) = 650% GNP growth 2012 = 2.4% - 3% @darrenkall #secux #mwux12

7. 7 will it continue to get worse? Why Usable Security UX Review Increased cloud usage Increased mobile usage “New” web tech: HTML 5, CSS3, etc. More powerful access to data Social, geolocation, connectedness … Hactivism Government to government attacks - cyberwar Etc. @darrenkall #secux #mwux12

8. 8 Hacker Credentials Usable Security UX Review Short and sweet hacking career Caught by US military IT security forensics team No charges Just wanted to know how a graduate student in New Hampshire got into a secure military network in Colorado Never asked me why Never asked about problem solving Did not take a UX approach @darrenkall #secux #mwux12

9. 9 Current meme Usable Security UX Review “The system would be secure if we just got rid of the people.” Every IT person who ever worked on security @darrenkall #secux #mwux12

10. 10 way – they are right In a Usable Security UX Review The problems with people Limited “Imperfect” Memory cognitive Lazy models Don’t respond quickly Limited number enough crunching Don’t Emotional understand responses security Limited ability to visualize Fear Limited decision negative making skill outcomes Too Not tech busy savvy Limits to vigilance Cognitive biases Easily deceived @darrenkall #secux #mwux12

11. 11 Security issues are UX design issues Usable Security UX Review Security issues are human issues Human issues are UX design issues @darrenkall #secux #mwux12

12. 12Wheelhouse UX Usable Security UX Review UX design has the techniques and skills to solve security issues But there’s a catch Systems are secure only if every aspect of the end- to-end system can be used @darrenkall #secux #mwux12

13. 13 Traditional UX focus Usable Security UX Review End-users Product and features Trending tech/industries Critical path – core aspects @darrenkall #secux #mwux12

14. 14improve security To Usable Security UX Review Go beyond traditional UX Adopt “Security Thinking” @darrenkall #secux #mwux12

15. 15beyond end-users Go Usable Security UX Review Security UX is not just end-users but every human in the end-to-end system @darrenkall #secux #mwux12

16. 16beyond end-users Go Usable Security UX Review  End-users  Product Managers  Installers  Business Analysts  Administrators  System Designers  Hackers  Program Managers  Project Managers  Trainers  Developers  Maintenance  Testers  Monitoring  Marketing  Forensics  Sales  Deprecation  etc. @darrenkall #secux #mwux12

17. 17beyond the product Go Usable Security UX Review Security UX is not just the product and features but every interaction with the end-to-end system @darrenkall #secux #mwux12

18. 18beyond the product Go Usable Security UX Review  Product  Installation  Documentation  Uninstall  Customer Support  Purchase  System logic  Supply chain  Cognitive Model  Relationship  Perception  Trust  Services  Predictability  Updates  Availability  Upgrades  etc. @darrenkall #secux #mwux12

19. 19beyond trending tech Go Usable Security UX Review Security UX is not just trending technology or industries but every component in the end-to-end system @darrenkall #secux #mwux12

20. 20beyond trending tech Go Usable Security UX Review  Trending Tech  NFC  Trending Industries  Voice  Mobile  Gestures  Touch computing  “Old” Tech  Social  “Old” industries  Social gestures  Existing tech  Healthcare  etc.  Big data  Green @darrenkall #secux #mwux12

21. 21beyond the critical path Go Usable Security UX Review Security UX is not just the critical path and core aspects but every deep detail of the end-to-end system @darrenkall #secux #mwux12

22. 22beyond the critical path Go Usable Security UX Review  Critical path  Training  Data sharing  Vigilance  Profile  Awareness  Passwords  Alerting  Management  Adoption  Purchasing  Usage  Billing  Proper configuration  Customization  Errors  Returns  etc. @darrenkall #secux #mwux12

23. 23 Examples from 2011 Usable Security UX Review When going beyond traditional UX could have helped security @darrenkall #secux #mwux12

24. 24 Comodo Cert Auth Usable Security UX Review Problem: issued fraudulent certs UX root cause: people are easily deceived Result: employees were socially engineered UX solution: improve system, process, probes, teaching, etc. to allow employees to do confidence test of applicants @darrenkall #secux #mwux12

25. 25 DigiNotar Usable Security UX Review Problem: hackers had access to issue their own certs UX root cause: people can’t perceive patterns over broad data Result: breach not in admin awareness for some unknown duration UX solution: pattern recognition, visualization of data @darrenkall #secux #mwux12

26. 26 DigiNotar Usable Security UX Review Problem: DigiNotar had no easy way to revoke certs UX root cause: people susceptible to impact bias (a cognitive bias of estimation) so did not prepare a user scenario for cert revocation Result: Even after identified no easy way to stop certs UX solution: lifecycle interaction flow design, unbiased risk evaluation @darrenkall #secux #mwux12

27. 27 Sony Usable Security UX Review Problem: data breach 77 Million ID thefts UX root cause: people susceptible to confirmation bias – see what they want Result: did not perceive risk and made poor security choices, insufficient maintenance of patches UX solution: processes that remove biased decision making from product usage @darrenkall #secux #mwux12

28. 28 Sony Usable Security UX Review Problem: data breach 77 Million ID thefts UX root cause: overconfidence in decision making, provoked the hacker community Result: hackers accepted the invitation UX solution: hacker persona profiling as part of IT decision making @darrenkall #secux #mwux12

29. 29 Protocol H.323 Usable Security UX Review Problem: ~150,000 corporate video systems set to auto-answer allowing spying UX root cause: status quo bias and poor risk assessment skills Result: system default configuration implications overlooked, not deployed within secure corporate networks UX solution: interface alerts, configuration defaults, and awareness training for implementation staff @darrenkall #secux #mwux12

30. 30 Challenge Usable Security UX Review You can make a huge difference in solving the human aspects of security issues. @darrenkall #secux #mwux12

31. 31 You Thank Usable Security UX Review We’re glad to help your product become more usable and more secure. We’re hiring UX contractors and freelancers. Security UX Daily Paper.li • http://is.gd/kdcf0p Darren Kall @darrenkall +1 (937) 648-4966 •darrenkall@kallconsulting.com •http://www.slideshare.net/DarrenKall @darrenkall #secux #mwux12

32. 32 Credits Media Usable Security UX Review Man drawing Patty Borgman Scared woman http://www.etftrends.com/2010/06/safe-haven-bear-etfs-lead-asset-grab-may/ Beer http://www.bestfreeicons.com/c47-3d-icons-0.html @darrenkall #secux #mwux12

Usable security it isn't secure if people can't use it mwux 2 jun2012

Esté a ler uma amostra.

Confira estes a seguir

Usable security it isn't secure if people can't use it mwux 2 jun2012

Mais Conteúdo rRelacionado

Diapositivos para si (18)

Quem viu também gostou (12)

Semelhante a Usable security it isn't secure if people can't use it mwux 2 jun2012 (20)

Mais de Darren Kall (9)

Mais recentes (20)