Security is more than filtering input and escaping output (FIEO), and it’s more than cross-site scripting (XSS) and cross-site request forgeries (CSRF). Security isn’t even always black and white. In order to create a more secure user experience, we need to understand how people think. Perception is as important as reality, and meeting user expectations is a fundamental of good security. In this multifarious talk, I’ll introduce some of what I have learned about cognitive psychology, exploring topics such as change blindness and ambient signifiers, and I’ll show some real-world examples that demonstrate the profound impact human behavior can have on security.

1. SECURITY-
CENTERED
DESIGN
Chris Shiflett
shiflett.org
@shiflett
Tuesday, February 21, 12

2. Tuesday, February 21, 12

3. STOP
Tuesday, February 21, 12

4. STOP
Collaborate & Listen
Tuesday, February 21, 12

5. Tuesday, February 21, 12

6. Web craftsman from Brooklyn, NY, working on
Who am I? Mapalong and Brooklyn Beta from Studiomates.
Tuesday, February 21, 12

7. TALK OUTLINE
Psychology Fun
– Ambient Signifiers, Change Blindness
Authentication & Phishing
– Password Anti-Pattern, OAuth, Facebook Connect
Examples
– SmugMug Privacy, Facebook Worm, Twitter Don’t Click
Tuesday, February 21, 12

8. AMBIENT SIGNIFIERS
Tuesday, February 21, 12

9. Tokyo Subway
Tuesday, February 21, 12

10. Tokyo Subway
Tuesday, February 21, 12

11. Ambient Umbrella
Tuesday, February 21, 12

12. Ambient SSL
Tuesday, February 21, 12

13. Login Seals
Tuesday, February 21, 12

14. CHANGE BLINDNESS
Tuesday, February 21, 12

15. Tuesday, February 21, 12

16. STOP
Tuesday, February 21, 12

17. STOP
Hammertime
Tuesday, February 21, 12

18. Tuesday, February 21, 12

19. Tuesday, February 21, 12

20. Tuesday, February 21, 12

21. Tuesday, February 21, 12

22. Tuesday, February 21, 12

23. DERREN BROWN
Tuesday, February 21, 12

24. PASSWORD
ANTI-PATTERN
Tuesday, February 21, 12

25. Tuesday, February 21, 12

26. Tuesday, February 21, 12

27. OAUTH
http://shiflett.org/blog/2010/sep/twitter-oauth
Tuesday, February 21, 12

28. Tuesday, February 21, 12

29. FACEBOOK CONNECT
Tuesday, February 21, 12

30. Tuesday, February 21, 12

31. Tuesday, February 21, 12

32. Tuesday, February 21, 12

33. THE WEB IS NOT
OBVIOUS
Tuesday, February 21, 12

34. Tuesday, February 21, 12

35. OPENID OAUTH
http://openid.net/ http://oauth.net/
OPENID & OAUTH HYBRID
http://j.mp/openidoauth
SHARED RESPONSIBILITY
http://simonwillison.net/2009/Jul/16/responsibility/
Tuesday, February 21, 12

36. SMUGMUG PRIVACY
Tuesday, February 21, 12

37. Tuesday, February 21, 12

38. Accommodate users’ expectations and tendencies;
Pave the cow paths. don’t try to modify them.
Tuesday, February 21, 12

39. Tuesday, February 21, 12

40. Be Humble
Tuesday, February 21, 12

41. FACEBOOK WORM
Tuesday, February 21, 12

42. Tuesday, February 21, 12

43. Tuesday, February 21, 12

44. TWITTER DON’T CLICK
Tuesday, February 21, 12

45. Tuesday, February 21, 12

46. Tuesday, February 21, 12

47. Tuesday, February 21, 12

48. Tuesday, February 21, 12

49. RELATED POSTS
Security and User Experience
– http://shiflett.org/blog/2008/jan/security-and-user-experience
Ambient Signifiers
– http://shiflett.org/blog/2007/feb/ambient-signifiers
Facebook Worm
– http://shiflett.org/blog/2008/nov/facebook-worm
Twitter Don’t Click Exploit
– http://shiflett.org/blog/2009/feb/twitter-dont-click-exploit
Tuesday, February 21, 12

50. PHOTOS
Tree
– http://flickr.com/photos/stuckincustoms/529110230
Cow path
– http://flickr.com/photos/suda/672714986
My backyard
– http://flickr.com/photos/shiflett/3261447115
Tuesday, February 21, 12

51. Tuesday, February 21, 12

52. FEEDBACK?
Follow me on Twitter
– @shiflett
Comment on my blog
– shiflett.org
Email me
– chris@shiflett.org
Tuesday, February 21, 12