Security people say users are the weakest link. But are they? When complying with security becomes too burdensome, users take shortcuts, find workarounds, and end up jeopardizing security. Blaming users is lazy and easy. Making security usable is time consuming and challenging. How does design research help us understand our customers? What patterns and principles drive secure behavior? How can we build empathy with customers and make the right thing to do the easiest thing to do? This session explores these questions, and provides examples of how design thinking and research can help us be more secure. We will walk through our creation of core user personas, design principles, and how these inform and direct our design choices and intent. Don’t blame your users anymore. Come learn how to be part of a future where usability leads security.
27. @jwgoerlich
Starting Questions
What path are the criminals taking?
What are the steps along that path?
What choices are they making?
What choices are they NOT making?
29. Not on the Users’ Path
Investigate and manually block suspicious accounts
Enhance the credit card approval logic
Block certain telephone numbers
Add controls to the signup to limit mass signups
30. On the Users’ Path
Limit the number of calls for trial accounts
Geo-fencing to block countries
Credit card statement validation
56. Trudging Through Sludge
Measure compliance rates, BUT ALSO
Measure process and communication sludge
Source: Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action
61. How to Apply this Model?
Users and Developers              Criminals
Behavior or journey maps          Threat model or attack path
BSIMM                             MITRE ATT&CK
Reduce steps                      Increase steps
Reduce choices                    Increase choices
Simplify                          Complicate
Clarify                           Confound
63. Zero Trust for the Workforce
(diagram labels: Data Plane, Policy Administration, Policy Engine, Trust Inference)
64. To enter Israel, I need a negative COVID test
… which means I need my PCR test results
… which means I need my password manager
… which sees I’m traveling
… and therefore prompts to login
… which requires MFA
… which in turn sees my MacBook needs an update
… which begins downloading over a hotel Wi-Fi
Duo story about where people begin on the app restore process.
Nudge and Sludge: Driving Security with Design
DevOpsDays Tel Aviv with Cloud Native & OSS Day & StatsCraft
Stockholm, Sweden. “The interactive staircase persuaded 66% more people than normal to choose the staircase instead of the escalator.”
https://sites.psu.edu/siowfa15/2015/09/16/the-fun-theory/
Hartson’s taxonomy of affordances
https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.499.252&rep=rep1&type=pdf
Duo story about different frowning faces leading to different responses in unpatched software.
Physical affordances – I know where the buttons are and I’ve built muscle memory. Power users.
Cognitive affordances – The buttons are where I’d expect based on other apps. New users.
Mention doing an analysis of e-commerce MFA and finding almost no support for anything other than SMS.
Mention http://sso.tax/ or the SSO wall of shame.
https://www.pexels.com/photo/antique-communication-phone-museum-35886/
Long-distance calls are expensive.
Shady telcos asked: what if we could get people to generate long-distance calls to increase revenue?
Scammers asked: what if I could generate long-distance calls and get a kickback from the telco?
Shady telcos stand up premium-rate numbers that scammers direct traffic to in exchange for a kickback.
Wayfinding: What path are the criminals taking?
Wayfinding – cognitive load: What are the steps along that path?
Choice architecture – choice cost: What choices are they making?
Choice architecture – defaults: What choices are they NOT making?
Path:
Scammer establishes trial account with stolen credit card.
Scammer registers the shady telco’s premium number as second factor.
Scammer performs authentication to place the phone call.
Shady telco charges for the call, provides kickback to scammer.
PROFIT!!!
Choices:
API or headless browser
Specific IP addresses - country of origin
Specific telephone numbers
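The following is an added illustration, not code from the talk or from Duo, of what sludge placed on the scammer’s path and kept off the user’s path looks like in code. It replays the five-step path above against three of the “Not on the Users’ Path” controls: limiting mass signups per source IP, refusing premium-rate numbers at second-factor enrolment, and capping voice-call authentications for trial accounts. The premium-rate prefixes, thresholds, IP addresses and phone numbers are constructed for the demo and are assumptions, not a real carrier list.

```python
"""Added example (not from the talk or from Duo): sludge placed on the
scammer's path, off the legitimate user's path.

The three checks mirror the 'Not on the Users' Path' slide: limit mass
signups, refuse premium-rate numbers as a second factor, cap voice calls
for trial accounts. Prefixes, thresholds, IPs and numbers are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed: number prefixes a telephony provider might flag as premium-rate
# or revenue-share. A real list comes from the carrier, not from a slide deck.
PREMIUM_RATE_PREFIXES = ("+88", "+979", "+4470", "+1900")

SIGNUPS_PER_IP_PER_HOUR = 3   # assumption: a human rarely needs more
TRIAL_CALLS_PER_DAY = 5       # assumption: plenty for a trial, useless for toll fraud


def normalize_e164(number: str) -> Optional[str]:
    """Return '+<digits>' or None if the string is not a plausible E.164 number."""
    compact = number.replace(" ", "").replace("-", "")
    if compact.startswith("+") and compact[1:].isdigit():
        return compact
    return None


@dataclass
class Policy:
    signups_by_ip: dict = field(default_factory=lambda: defaultdict(list))
    calls_by_account: dict = field(default_factory=lambda: defaultdict(list))

    def allow_signup(self, ip: str, now: float) -> bool:
        """Sludge for mass signups: sliding one-hour window per source IP.
        A single human signing up once never hits this."""
        recent = [t for t in self.signups_by_ip[ip] if now - t < 3600]
        if len(recent) >= SIGNUPS_PER_IP_PER_HOUR:
            self.signups_by_ip[ip] = recent
            return False
        recent.append(now)
        self.signups_by_ip[ip] = recent
        return True

    @staticmethod
    def allow_second_factor_number(number: str) -> bool:
        """Refuse premium-rate destinations at enrolment. This is the scammer's
        profit step; a legitimate user almost never enrols such a number."""
        e164 = normalize_e164(number)
        if e164 is None:
            return False
        return not e164.startswith(PREMIUM_RATE_PREFIXES)

    def allow_voice_call(self, account: str, is_trial: bool, now: float) -> bool:
        """Cap voice-call second factors for trial accounts (sliding 24h window).
        Paid accounts are left uncapped in this demo."""
        if not is_trial:
            return True
        recent = [t for t in self.calls_by_account[account] if now - t < 86400]
        if len(recent) >= TRIAL_CALLS_PER_DAY:
            self.calls_by_account[account] = recent
            return False
        recent.append(now)
        self.calls_by_account[account] = recent
        return True


def scammer_path(policy: Policy) -> dict:
    """Replay the attack path from the slide, one check per step."""
    outcome = {"signups": 0, "enrolled": False, "calls": 0}
    for _ in range(10):                      # mass signups from one IP
        if policy.allow_signup("203.0.113.7", now=0.0):
            outcome["signups"] += 1
    outcome["enrolled"] = policy.allow_second_factor_number("+88 213 555 0100")
    for i in range(10):                      # repeated auths to generate calls
        if policy.allow_voice_call("trial-42", is_trial=True, now=float(i)):
            outcome["calls"] += 1
    return outcome


def legitimate_path(policy: Policy) -> dict:
    """A human signs up once, enrols a normal mobile number, authenticates once."""
    return {
        "signed_up": policy.allow_signup("198.51.100.20", now=0.0),
        "enrolled": policy.allow_second_factor_number("+972-52-555-0100"),
        "call": policy.allow_voice_call("trial-7", is_trial=True, now=1.0),
    }


if __name__ == "__main__":
    print(scammer_path(Policy()))      # {'signups': 3, 'enrolled': False, 'calls': 5}
    print(legitimate_path(Policy()))   # {'signed_up': True, 'enrolled': True, 'call': True}
```

None of the three checks adds a step or a choice for the person who signs up once, enrols a mobile number and logs in; every one of them adds steps for the account farm, the premium-number enrolment and the call generator. That is the asymmetry the model asks for: reduce steps and choices for users, increase them for criminals.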
Image by Janine Bolon from Pixabay
Balance usability with defensibility using design.
Initial Access
Execution
Persistence
Seek out user-driven cognitive affordances. This is people’s way of trying to fix an underlying design issue. Here, it’s the lack of password manager or password vault.
Tell the story about trying to update production APX when you were at Munder Capital.
Give the example of Merrill’s on-call people having prod access only when on-call.
Security depends upon how well the needs of the developer are met by the affordances of the security controls.
If they don’t meet, developers will creatively satisfy their own needs with their own affordances.
From:
Affordances as an alliance to design
https://www.udemy.com/course/affordances/learn/lecture/637602#overview
Excessive error messages, reports and tickets: what Richard Thaler calls “useless clutter,” a form of sludge.
Can Stock Photo, Wolf’s license
Order 6379855
“Think Better” with Richard Thaler
https://youtu.be/KYuaKMrquYQ?t=1006
Friction: the metaphor is rumble strips on highways. They stay completely out of the way most of the time and only kick in when drivers go off track, hopefully preventing a crash.
Highway
https://www.flickr.com/photos/kenlund/14467590123
Rumble Strip
http://asphaltmagazine.com/rumble-strips-keep-drivers-on-the-road/
Car crash
https://commons.wikimedia.org/wiki/File:Car_crash_1.jpg
MasterClass added steps to the sign-up process. This should have resulted in more sludge.
“What Master Class found, however, was a substantial increase in subscriptions, which is potentially attributable to the idea that even though the number of steps increased, the perceived level of “ask” on each step was reduced.”
Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019
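As an added example (not from the talk and not the Soman dashboard), this is one way to do what slide 56 asks, measuring process sludge alongside the compliance rate, and to check the MasterClass point that more steps are not more sludge when the ask per step stays small. It takes a constructed event log of users moving through a hypothetical four-step MFA enrolment flow and reports, per step, how many people dropped out and how long the ones who continued spent there. The step names, events and hotspot thresholds are assumptions for the demo.

```python
"""Added example (not from the talk): measuring sludge, not just compliance.

Compliance rate says how many people finished a security flow. Per-step
drop-off and time-on-step say where they trudged. The event log and the
thresholds are constructed for the demo.
"""
from collections import defaultdict
from statistics import median

# Order of steps in a hypothetical MFA enrolment flow (assumption).
STEPS = ["start", "choose_method", "verify_code", "done"]

# Constructed events: (user, step reached, seconds since that user started).
EVENTS = [
    ("u1", "start", 0), ("u1", "choose_method", 20), ("u1", "verify_code", 50), ("u1", "done", 60),
    ("u2", "start", 0), ("u2", "choose_method", 30), ("u2", "verify_code", 200), ("u2", "done", 210),
    ("u3", "start", 0), ("u3", "choose_method", 25),                              # gave up choosing
    ("u4", "start", 0), ("u4", "choose_method", 15), ("u4", "verify_code", 300),  # gave up on the code
    ("u5", "start", 0), ("u5", "choose_method", 40), ("u5", "verify_code", 70), ("u5", "done", 80),
    ("u6", "start", 0),                                                           # bounced immediately
]


def first_arrival(events):
    """Earliest time each user reached each step (retries keep the first)."""
    arrived = defaultdict(dict)
    for user, step, ts in events:
        if step not in arrived[user] or ts < arrived[user][step]:
            arrived[user][step] = ts
    return arrived


def measure_sludge(events, steps=STEPS, max_drop_off=0.2, max_median_seconds=60):
    """Compliance rate plus per-step drop-off and median time-on-step.
    A step is a sludge hotspot if either exceeds its (assumed) threshold."""
    arrived = first_arrival(events)
    reached = {s: sum(1 for u in arrived if s in arrived[u]) for s in steps}
    started = reached[steps[0]]
    compliance = reached[steps[-1]] / started if started else 0.0

    drop_off, median_seconds = {}, {}
    for here, nxt in zip(steps, steps[1:]):
        at_step = [u for u in arrived if here in arrived[u]]
        continued = [u for u in at_step if nxt in arrived[u]]
        drop_off[here] = (len(at_step) - len(continued)) / len(at_step) if at_step else 0.0
        durations = [arrived[u][nxt] - arrived[u][here] for u in continued]
        median_seconds[here] = median(durations) if durations else 0

    hotspots = [s for s in steps[:-1]
                if drop_off[s] > max_drop_off or median_seconds[s] > max_median_seconds]
    return {
        "compliance_rate": compliance,
        "reached": reached,
        "drop_off": drop_off,
        "median_seconds": median_seconds,
        "sludge_hotspots": hotspots,
    }


if __name__ == "__main__":
    for key, value in measure_sludge(EVENTS).items():
        print(f"{key}: {value}")
```

A 50% compliance rate on its own says only that half the people gave up. The per-step view says where: people sit a long time on choosing a method and a quarter of those who reach the code entry never finish it. Those two steps are where to look for sludge; adding a fourth or fifth step whose drop-off and time stay low would not show up here, which is the MasterClass result in miniature.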
Image by Daniel Nebreda from Pixabay
Royalty-free stock photo ID: 458236126
Garden Brick Pathway Paving by Professional Paver Worker.
By welcomia
https://www.shutterstock.com/image-photo/garden-brick-pathway-paving-by-professional-458236126
Building Security In Maturity Model (BSIMM) is a study of current software security initiatives or programs.
Live the story you want to tell, even if it’s a cautionary tale.