Security people say users are the weakest link. But are they? When complying with security becomes too burdensome, users take shortcuts, find workarounds, and end up jeopardizing security. Blaming users is lazy and easy. Making security usable is time consuming and challenging. How does design research help us understand our customers? What patterns and principles drive secure behavior? How can we build empathy with customers and make the right thing to do the easiest thing to do? This session explores these questions, and provides examples of how design thinking and research can help us be more secure. We will walk through our creation of core user personas, design principles, and how these inform and direct our design choices and intent. Don’t blame your users anymore. Come learn how to be part of a future where usability leads security.

1. @jwgoerlich
Design Nudge
and
Sludge

2. @jwgoerlich
J Wolfgang Goerlich
Advisory CISO @ Cisco Secure
WGoerlic@Cisco.com
https://jwgoerlich.com
Twitter: @jwgoerlich
Wolf@JWGoerlich.com
Hi. I’m Wolf.

3. @jwgoerlich
Intentionally or
accidentally, we
create experiences.
How can we design
a better experience?

4. @jwgoerlich
@jwgoerlich
Predictability of each
choice
Number of
steps
Number of choices
Familiarity of each step
Friction at each
step
Cognitive load at each choice
Paths They Take
Choices They Make

5. @jwgoerlich
Affordances
Nudges
Sludge

6. “
@jwgoerlich
Affordance is what the environment
offers the individual.
– James J. Gibson

7. “
@jwgoerlich
Nudge was written as an alternative
to rules and mandates.
– Richard Thaler

8. @jwgoerlich
Sludge: when people face high
levels of friction obstructing
their efforts to get work done

9. “
@jwgoerlich
Friction and bad intentions.
– Richard Thaler

10. @jwgoerlich
Process analysis
Journey mapping
Behavior mapping
Wayfinding
Look at the paths they take

11. @jwgoerlich
what we build Nudge
and
Sludge

12. @jwgoerlich
Affordances

13. @jwgoerlich

14. @jwgoerlich
Epic Games
unlocks the Boogie
Down emote for
turning on 2FA.

15. @jwgoerlich
Content Warning:
Many of my examples will be
authentication and authorization. Please
expand these concepts to your area of
security.

16. @jwgoerlich
Cognitive, physical, sensory, and functional affordances in interaction design. BIT 22(5) (pp.315-338)

17. @jwgoerlich
😕 🙁 ☹️
Emotional Affordances

18. @jwgoerlich
X
✓ X ✓
Physical Affordance Cognitive Affordance

19. @jwgoerlich
Nudges

20. @jwgoerlich https://thegeekpage.com/chrome-sync-is-paused/
Indicating
something is amiss
without interrupting
user tasks.

21. @jwgoerlich
Nudge Towards More Security
Bank of America, November 2021

22. @jwgoerlich
Sludge

23. @jwgoerlich
Multi-Factor Authentication (MFA)
Single Sign-On (SSO)
Security & Privacy Settings *everywhere*

24. @jwgoerlich
For example

25. @jwgoerlich
The features we give our users are the exploits we give our attackers.

26. @jwgoerlich

27. @jwgoerlich
What path are the criminals taking?
What are the steps along that path?
What choices are they making?
What choices are they NOT making?
Starting Questions

28. @jwgoerlich

29. @jwgoerlich
Investigate and manually block suspicious accounts
Enhance the credit card approval logic
Block certain telephone numbers
Add controls to the signup to limit mass signups
Not on the Users’ Path

30. @jwgoerlich
Limit the number of calls for trial accounts
Geo-fencing to block countries
Credit card statement validation
On the Users’ Path

31. @jwgoerlich
Good security is applied along the paths and choices users and
adversaries make.

32. @jwgoerlich
how we build Nudge
and
Sludge

33. @jwgoerlich
Apply UX to securing DevOps.

34. @jwgoerlich
Let’s look at the paths they take.

35. @jwgoerlich
DevOps Path

36. @jwgoerlich

37. @jwgoerlich
Adversary Path
Deliver Exploit Control Execute Maintain
Command & Control
Exfiltration
Discovery
Lateral Movement
Collection
Privileged
Escalation
Defense Evasion
Credential Access
Initial Access
Execution
Persistence
Lockheed Martin Cyber Kill Chain
Mitre Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

38. @jwgoerlich

39. @jwgoerlich
Good security gets out of the way of developers and gets in the way
of adversaries.

40. @jwgoerlich
Affordances

41. @jwgoerlich
People writing down passwords is a
creative cognitive affordance.

42. @jwgoerlich
Role-Based Access Control (RBAC)
Just In Time Access (JIT)
Updated images and packages

43. @jwgoerlich
Functional
Emotional
Cognitive
Physical
Sensory
Functional
Emotional
Cognitive
Physical
Sensory
Needs Affordances
Developers Security
Design
DevOps
∞

44. @jwgoerlich
Constrained users are creative, and creative users are dangerous.

45. @jwgoerlich
Nudges

46. @jwgoerlich
DevOps but Securely
Design Review
Code Review
Code Inventory
Asset Inventory
DAST
IAST
SCA
Change Monitoring
FIM
Vulnerability Management
RASP
WAF
Container Monitoring
Cloud Monitoring
SAST

47. @jwgoerlich
Sludge

48. @jwgoerlich
Security: SCAN ALL THE
THINGS.
Developers…

49. @jwgoerlich

50. “
@jwgoerlich
Friction and bad intentions.
– Richard Thaler

51. @jwgoerlich

52. @jwgoerlich

53. @jwgoerlich
Good friction is the natural consequence of poor security behaviors.

54. @jwgoerlich
Reducing sludge
doesn’t always
mean reducing
steps.

55. @jwgoerlich
Bad friction is determined by perceived friction, not just actual
friction.

56. @jwgoerlich
Measure compliance rates, BUT ALSO
Measure process and communication sludge
Trudging Through Sludge
Source: Seeing Sludge:Towards a Dashboard to Help Organizations Recognize
Impedance to End-User Decisions and Action

57. @jwgoerlich
Good security is as little security as
possible.

58. @jwgoerlich
Nudge
and
Sludge

59. @jwgoerlich
@jwgoerlich
Predictability of each
choice
Number of
steps
Number of choices
Familiarity of each step
Friction at each
step
Cognitive load at each choice
Paths They Take
Choices They Make

60. @jwgoerlich

61. @jwgoerlich
Users and Developers
Behavior or journey maps
BSIMM
Reduce steps
Reduce choices
Simplify
Clarify
Criminals
Threat model or attack path
Mitre ATT&CK
Increase steps
Increase choices
Complicate
Confound
How to Apply this Model?

62. @jwgoerlich
One final example

63. @jwgoerlich
Zero Trust for the Workforce
(Data Plane)
Policy Administration
Policy Engine
Trust Inference

64. @jwgoerlich
To enter Israel, I need a negative Covid Test
… which means I need my PCR test results
... which means I need my password manager
... which sees I’m traveling
… and therefore prompts to login
… which requires MFA
… which in turn sees my MacBook needs an update
… which begins downloading over a hotel Wi-Fi

65. @jwgoerlich

66. @jwgoerlich
Good security is a design problem.
And like any design problem, it will take many iterations to get right.

67. @jwgoerlich
Thank You!
J Wolfgang Goerlich
Advisory CISO @ Cisco Secure
WGoerlic@Cisco.com
https://jwgoerlich.com
Twitter: @jwgoerlich
Wolf@JWGoerlich.com