Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Secure Interaction Design Cynthia Kuo. 2 Overview Describe project on Wi-Fi access point configuration Show mockups and design process for Google Safe.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Secure Interaction Design Cynthia Kuo. 2 Overview Describe project on Wi-Fi access point configuration Show mockups and design process for Google Safe."— Presentation transcript:

1 1 Secure Interaction Design Cynthia Kuo

2 2 Overview Describe project on Wi-Fi access point configuration Show mockups and design process for Google Safe Browsing Talk about how you can design for security

3 3 Overview Describe project on Wi-Fi access point configuration Show mockups and design process for Google Safe Browsing Talk about how you can design for security

4 4 Wi-Fi Also known as 802.11 a/b/g October 2006: 4 million units shipped each week

5 5 Going Back a Few Years… Returns –~30% return rate Technical Support –12 – 20 minutes / call –~10% of sales  technical support call $50 / hr technical support 15 minute call = $12.50 $10 materials  $2 profit / unit (assume 20%) 1 call = profit from unit + 5 other units! Rough Estimate

6 6 Research Question Why don’t users configure their wireless networks securely? –Cannot? –Choose not to? –Don’t know to?

7 7 Traditional Solution “Layer” different study techniques –Interviews: assess values, thought processes, and level of security knowledge –Surveys –Contextual inquiry: observe users –Usability study: evaluate features

8 8 Why Not? Evaluation of configuration process must be holistic –One user study method will not provide insight into entire process to pinpoint problems –Security is not a primary task Takes a long time! –Number of qualified users may be small

9 9 Designing a User Study How do we evaluate a system where the end goal may be different for every user? How can we ask about security concepts (e.g., encryption) if we don’t know whether users know what they are? People know that they’re supposed to care about security. How do we design a study without social acceptability bias?

10 10 Assumptions Textbook study methods make assumptions that may not hold for security software

11 11 Common Assumptions 1.Clear-cut criteria for success –Good security is risk management 2.Multiple ways to reach end result –No “undo” for some security breaches 3.Familiarity with underlying concepts –Task list may unintentionally provide information 4.Tasks are primary goals –No one wants to “do” security 5.Users respond without bias –Social acceptability biases Kuo, Perrig, and Walker, ACM, May + June 2006

12 12 Configuration Process

13 13 Evaluation Methodology What do people know about wireless security? What security issues do people care about? If users are aware of the security issues and care about them, are users able to configure the access points? Uses laptop as primary computer Has broadband connectivity at home Uses wireless on a daily basis (5+ times/week) Target Home User Interview (25 min) Questionnaire (5 min) Tasks (45 min) Questionnaire (5 min) Debriefing (10 min) Study Design Evaluating the Whole Process

14 14 Interview: Broadcasting?

15 15 Questionnaire –Availability –Reliability –Connection speed –Ease of use –Open networks –Security –Privacy –Health Opinions & concerns

16 16 Experimental Setup Okay, let’s pretend you just received this 802.11 access point as a gift. You would like to set up and use a wireless network at home today. Just set up the access point as you would if you were at home. Scenario Gradual revelation User task –Set up access point for home –Explain motivation & understanding of possible consequences

17 17 Findings Users are reasonably knowledgeable about wireless technologies …but have difficulty translating that knowledge into security policies and feature configurations Novice users perform significantly worse than expert users –Expanding market  novice users

18 18 What Does that Mean for Products?

19 19 Goal-Based Design Can “level the playing field” between novice and expert users –Start from human goals, not technical features –Do not assume people are familiar with technical terms or particular technologies –Anticipate common error states –Minimize time & human effort required

20 20 Prototype Design

21 21 Results

22 22 Lessons More than one user study method may be needed to evaluate your problem Watch out for assumptions in your user study methods Adapt existing methods for your needs

23 23 Overview Describe project on Wi-Fi access point configuration Show mockups and design process for Google Safe Browsing Talk about how you can design for security

24 24 Google Safe Browsing Anti-phishing alert Part of Google Toolbar for Firefox http://www.google.com/tools/firefox/safe browsing/index.htmlhttp://www.google.com/tools/firefox/safe browsing/index.html

25 25 Maps Bubble Warning bubble and icon used to appear trustworthy Gray background to emphasize danger and to catch attention Bubble attached to browser chrome to convey message origin Active elements on page disabled

26 26 Lessons Establish trustworthiness of message –Origin –Authority Match intrusiveness to severity –No false positives Recommend what actions to take Provide a feeling of closure

27 27 Overview Describe project on Wi-Fi access point configuration Show mockups and design process for Google Safe Browsing Talk about how you can design for security

28 28 Design for Security Think like your user –Use personas Stop thinking like yourself –Design for your personas User test, user test, user test –Watch your users –Don’t always believe what they say

29 29 Think Like Your User Personas –A precise description of your user and what s/he wants to accomplish –Make up archetypical users More specific is better! –Design for these users You may have primary and secondary personas 3 - 12 Cooper (1999)

30 30 Example Persona Dan is a 46-year old sales executive for a sports magazine. He has never heard of encryption, Diffie-Hellman, or EKE. Dan sent 38 emails from his Blackberry 8700c yesterday. He travels 50% of the time to meet with clients all over the East Coast. Using his IBM T41 laptop, he checks his email from different hotels – he prefers Wyndham - every night. Dan often needs to download sensitive documents that contain his company’s business strategies. After 10 hours of meetings during the day, Dan does not want to spend any time configuring anything. Dan likes to play basketball in his spare time. Dan

31 31 Stop Thinking Like Yourself You are probably not the typical user Your user does not think like you Your user probably does not know as much as you do (about security in general and especially your product) Your user is not dumb, but will almost always make mistakes

32 32 Common Mistake #1: Thinking Like an Engineer “The user might want to disable L2TP Passthrough.” No! Dan doesn’t know what L2TP is - and he doesn’t ever want to.

33 33 Common Mistake #2: Focusing on Tasks & Features, Not Goals Users’ Goals –Not feel stupid –Not make mistakes –Get work done –Have fun (or at least not be too bored) False Goals –Save memory –Run in a browser –Safeguard data integrity –Increase program- execution efficiency –Use cool technology or features Cooper, Alan. The Inmates are Running the Asylum. Sams, 1999.

34 34 Software Evaluation Inexpensive, “discount” methods –Low-fidelity –Cognitive walkthrough –Heuristic evaluation Expensive –Formal models (e.g., GOMS) –Formal experiment

35 35 Discount Methods: Predictive? # Problems that Did Occur Cognitive Walkthrough Experts System Designers Non-experts # Problems that Could Potentially Occur Heuristic Evaluation Lab 2529 11 (44%) 4 (16%) 2 (8%) 9 (31%) 7 (24%) 1 (3%) Experts System Designers Non-experts 7 (28%) 4 (16%) 2 (8%) 9 (31%) 6 (21%) 2 (7%) Desurvire, Kondziela, Atwood (1992)

36 36 Common Mistake #3: Listening to One Person “A customer said we should…” 80% rule Feature creep

37 37 Lessons Think like your user Stop thinking like yourself User test, user test, user test –Be careful about what information you use

38 Thank you! Questions? Comments? cykuo@cmu.edu

Download ppt "1 Secure Interaction Design Cynthia Kuo. 2 Overview Describe project on Wi-Fi access point configuration Show mockups and design process for Google Safe."

Similar presentations

Chapter 15: Analytical evaluation

Chapter 15: Analytical evaluation
Chapter 14: Usability testing and field studies

Chapter 14: Usability testing and field studies
User Modeling CIS 376 Bruce R. Maxim UM-Dearborn.

User Modeling CIS 376 Bruce R. Maxim UM-Dearborn.
Goal Directed Design Author: Alan Cooper This article originally appeared in the September, 1996 issue of Dr. Dobb's Journal.

Goal Directed Design Author: Alan Cooper This article originally appeared in the September, 1996 issue of Dr. Dobb's Journal.
CS305: HCI in SW Development Evaluation (Return to…)

CS305: HCI in SW Development Evaluation (Return to…)
Cognitive Walkthrough More evaluation without users.

Cognitive Walkthrough More evaluation without users.
Learning Objectives Chapter 6: Marketing Research

Learning Objectives Chapter 6: Marketing Research
Chapter 14: Usability testing and field studies. 2 FJK 2005-2011 User-Centered Design and Development Instructor: Franz J. Kurfess Computer Science Dept.

Chapter 14: Usability testing and field studies. 2 FJK User-Centered Design and Development Instructor: Franz J. Kurfess Computer Science Dept.
S2 – COMMUNICATIONS UNIT

S2 – COMMUNICATIONS UNIT
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
An evaluation framework

An evaluation framework
Feedback from Usability Evaluation to User Interface Design: Are Usability Reports Any Good? Christian M. Nielsen 1 Michael Overgaard 2 Michael B. Pedersen.

Feedback from Usability Evaluation to User Interface Design: Are Usability Reports Any Good? Christian M. Nielsen 1 Michael Overgaard 2 Michael B. Pedersen.
Administrivia Turn in ranking sheets, we’ll have group assignments to you as soon as possible Homeworks Programming Assignment 1 due next Tuesday Group.

Administrivia Turn in ranking sheets, we’ll have group assignments to you as soon as possible Homeworks Programming Assignment 1 due next Tuesday Group.
Evaluation: Inspections, Analytics & Models

Evaluation: Inspections, Analytics & Models
SE 555 Software Requirements & Specification 1 SE 555 Software Requirements & Specification Prototyping.

SE 555 Software Requirements & Specification 1 SE 555 Software Requirements & Specification Prototyping.
10th Workshop Software Engineering Education and Reverse Engineering Ivanjica, Serbia, 5-12 September 2010 First experience in teaching HCI course Dusanka.

10th Workshop "Software Engineering Education and Reverse Engineering" Ivanjica, Serbia, 5-12 September 2010 First experience in teaching HCI course Dusanka.
Allison Bloodworth, Senior User Interaction Designer, University of California, Berkeley Gary Thompson, User Experience Leader, Unicon, Inc. Introduction.

Allison Bloodworth, Senior User Interaction Designer, University of California, Berkeley Gary Thompson, User Experience Leader, Unicon, Inc. Introduction.
User Interface Design Chapter 11. Objectives  Understand several fundamental user interface (UI) design principles.  Understand the process of UI design.

User Interface Design Chapter 11. Objectives  Understand several fundamental user interface (UI) design principles.  Understand the process of UI design.
Heuristic evaluation IS 403: User Interface Design Shaun Kane.

Heuristic evaluation IS 403: User Interface Design Shaun Kane.

Similar presentations

Ads by Google