Design for Security — O'Reilly Velocity 2018

Transcript

1. Design for Security Serena Chen | @Sereeena | O’Reilly Velocity

   2018

2. !

3. Usability Security

4. Good user experience design and good security cannot exist without

   each other

5. Everyone deserves to be secure without being experts

6. We need to stop expecting people to become security experts

7. –Everyone not watching Mr Robot right now “I don’t care

   about security.”

8. –MCGRAW, G., FELTEN, E., AND MACMICHAEL, R. 
 Securing Java:

   getting down to business with mobile code. Wiley Computer Pub., 1999 “Given a choice between dancing pigs and security, the user will pick dancing pigs every time.”

9. –Serena Chen, not allowed pets in her apartment “Given a

   choice between dancing pigs and security, the user will pick dancing pigs every time.” CATS CATS
10. None
11. None
12. None
13. None
14. None

15. "

16. Shaming people is lazy

17. Obligatory xkcd: https://xkcd.com/149/

18. –Everyone not watching Mr Robot right now “I don’t care

    about security.”

19. –Serena Chen, lone nerd screaming into the void “I care!!!”

20. None
21. None
22. None
23. None

24. Design thinking is another tool in the problem solving tool

    belt

25. For your consideration: 1. 2. 3. 4.

26. For your consideration: 1. Paths of Least Resistance 2. 3.

    4.

27. Paths of Least Resistance

28. None
29. None
30. None

31. To stop internet, press firmly

32. None

33. Consider the 
 “secure by default” principle

34. None
35. None

36. Normalise security

37. None

38. Group similar tasks

39. People are lazy efficient

40. Align your goals with the end user’s goals

41. None

42. “I KNOW HOW TO INTERNET”

43. “I KNOW HOW TO INTERNET” —Serena Chen, 
 a Real

    Human Adult™

44. “I KNOW HOW TO INTERNET” —Serena Chen, 
 a Real

    Human Adult™

45. Path of (Perceived) Least Resistance

46. –S. Breznitz and C. Wolf. The psychology of false alarms.

    
 Lawrence Erbaum Associates, NJ, 1984 “Each false alarm reduces the credibility of a warning system.”

47. Anderson et al. How polymorphic warnings reduce habituation in the

    brain: Insights from an fMRI study. In Proceedings of CHI, 2015

48. Shadow IT is a massive vulnerability

49. None
50. None
51. None

52. Illustration by Megan Pendergrass

53. Fixing bad paths •Use security tools for security concerns, not

    management concerns •If you block enough non-threats, people will get really good at subverting your security

54. Building good paths •Don’t make me think! •Make the secure

    path the easiest path •e.g. BeyondCorp model at Google

55. “We designed our tools so that the user- facing components

    are clear and easy to use. […] For the vast majority of users, BeyondCorp is completely invisible. –V. M. Escobedo, F. Zyzniewski, B. (A. E.) Beyer, M. Saltonstall, “BeyondCorp: The User Experience”, Login, 2017
56. None

57. Align your goals with the end user’s goals

58. For your consideration: 1. Paths of Least Resistance 2. 3.

    4.

59. For your consideration: 1. Paths of Least Resistance 2. Intent

    3. 4.

60. Intent

61. Tension between usability and security happens when we cannot accurately

    determine intent.

62. “make it easy” “lock it down”

63. It is not our job to make everything easy

64. It is not our job to make everything locked down

65. Our job is to make a specific action •that a

    specific user wants to take •at that specific time •in that specific place …easy Everything else we can lock down.

66. Knowing intent = usability and security without compromise

67. None
68. None
69. None
70. None

71. For your consideration: 1. Paths of Least Resistance 2. Intent

    3. 4.

72. For your consideration: 1. Paths of Least Resistance 2. Intent

    3. (Mis)communication 4.

73. (Mis)communication

74. Wherever there is a miscommunication, there exists a human security

    vulnerability.

75. What are you unintentionally miscommunicating?

76. None

77. Wherever there is a miscommunication, there exists a human security

    vulnerability.
78. None
79. None
80. None
81. None

82. (I didn’t actually do this)

83. https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

84. Do your end users know 
 what you’re trying to

    communicate?

85. What is their mental model of what’s happening, compared to

    yours?

86. For your consideration: 1. Intent 2. Path of Least Resistance

    3. (Mis)communication 4.

87. For your consideration: 1. Intent 2. Path of Least Resistance

    3. (Mis)communication 4. Mental model matching

88. Mental models

89. It’s the user’s expectations that define whether a system is

    secure or not.
90. None
91. None

92. –Ka-Ping Yee, “User Interaction Design for Secure Systems”, 
 Proc.

    4th Int’l Conf. Information and Communications Security, Springer-Verlag, 2002 “A system is secure from a given user’s perspective if the set of actions that each actor can do are bounded by what the user believes it can do.”

93. Find their model, match to that Influence their model, match

    to system +

94. Find their model • Go to customer sessions! • Observe

    end users • Infer intent through context

95. Influence their model • When we make, we teach •

    Whenever someone interacts with us / 
 a thing we made, they learn. • Path of least resistance becomes the default “way to do things”.

96. How are we already influencing users’ models?

97. https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking iOS Phish

98. What are we teaching?

99. “I KNOW HOW TO INTERNET” —Serena Chen, 
 a Real

    Human Adult™
100. None

101. Understand end user mental models

102. None

103. What are your users’ mental models?

104. Review

105. None

106. Takeaways •Cross pollination is rare. This is a missed opportunity!

     •Our jobs are about outcomes based on our specific goals •Align the user’s goals to your security goals

107. Takeaways •Aim to know their intent •Collaborate with design to

     craft secure paths of least resistance •Understand their mental model vs yours •Communicate to that model

108. One final anecdote…

109. None
110. None
111. None

112. Thanks! Fight me @Sereeena