Design for Security — Web Directions Summit 2019

Transcript

1. design for security web directions summit 2019

2. tena koutou
 tena koutou
 tena koutou tena koutou tena koutou

   tena koutou
3. None
4. None

5. tena koutou
 tena koutou
 tena koutou tena koutou tena koutou

   tena koutou
6. None
7. None
8. None
9. None

10. the internet owns our lives

11. –Literally everyone not watching Mr Robot right now “I don’t

    care about security.”

12. product design hierarchy of needs content, accessibility, performance, security information

    architecture, consistency typography, colour animation

13. good security is a part of 
 good design

14. Usability Security

15. Usability Security

16. Usability Security

17. –Literally everyone not watching Mr Robot right now “I don’t

    care about security.”

18. –Serena Chen, lone nerd shouting into the void “I care

    !!!”

19. it’s our job 
 to care.

20. None

21. it’s our job 
 to care.

22. design nerds security nerds-

23. the design/security trilogy 1. 2. 3. 4.

24. the design/security trilogy 1. paths of least resistance 2. 3.

    4.

25. paths of least resistance

26. None

27. it’s always 1989 in security • Security through obfuscation •

    Security through excessive complexity • Password rotation

28. Source: https://mobile.twitter.com/joernchen/status/915587942130896896

29. bad security: 
 walls everywhere

30. Illustration by Megan Pendergrass

31. —Serena Chen, “I KNOW HOW TO INTERNET” a grown adult

32. people are lazy efficient

33. align your goals to your users’ goals

34. bad security: 
 walls everywhere

35. good security: 
 smartly placed doors

36. Illustration by Susanna Yee ☠ ⚠

37. None
38. None

39. Illustration by Susanna Yee ☠ ⚠

40. normalise security

41. None

42. look at journey maps • determine likely paths • what

    is the easiest path? • what is the most secure / ideal path? • can you merge the two?

43. align your goals to your users’ goals

44. Illustration by Susanna Yee

45. the design/security trilogy 1. paths of least resistance 2. 3.

    4.

46. the design/security trilogy 1. paths of least resistance 2. intent

    3. 4.

47. finding intent

48. Usability Security

49. tension happens when we can’t determine intent

50. None

51. Usability Security

52. we fall back on patterns everything needs to be easy

    usability is my responsibility Illustration by Chloe Cathcart

53. it’s not our job to make everything easy

54. Our job is to make legitimate actions • that legitimate

    users want to take • at that time • in that place … easy Everything else we can lock down.

55. get more specific about the user’s intent

56. None
57. None
58. None

59. the design/security trilogy 1. paths of least resistance 2. intent

    3. 4.

60. the design/security trilogy 1. paths of least resistance 2. intent

    3. (mis)communication 4.

61. (mis)commu- nication

62. miscommunications are human security vulnerabilities

63. what are you unintentionally miscommunicating?

64. https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html

65. connection is encrypted domain is who they say they are

66. miscommunications are human security vulnerabilities

67. None
68. None
69. None
70. None

71. (i didn’t actually do this)

72. human
 security
 vulnerability https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html

73. do your users know 
 what you're trying to communicate?

74. what is their mental model of what’s happening?

75. the design/security trilogy 1. paths of least resistance 2. intent

    3. (mis)communication 4.

76. the design/security trilogy 1. paths of least resistance 2. intent

    3. (mis)communication 4. mental models

77. mental models

78. design model user model system image Source: The Design of

    Everyday Things, Don Norman designers users

79. design model user model system image Source: The Design of

    Everyday Things, Don Norman designers users

80. design model user model system image

81. None
82. None

83. A system is secure when the user expectations match the

    design intentions and the system itself A system is secure when the user expectations match the design intentions and the system itself A system is secure when the users’ expectations match the design intentions and the system itself A system is secure when the users’ expectations match the design intentions and the system itself A system is secure when the users’ expectations match the design intentions and the system itself

84. • observe non-tech users, customer sessions • ask them what

    they expect • infer intent through context 1 understand their model

85. 2 influence their model • when we make, we teach

    • whenever someone interacts
 a thing we made, they learn. • path of least resistance becomes the default “way to do things”.

86. how are we already influencing users’ models?

87. https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking iOS Phish

88. what are we teaching?

89. —Serena Chen, “I KNOW HOW TO INTERNET” a grown adult

90. None

91. it’s all about their mental model

92. None

93. what are your users’ mental models?

94. takeaways takeaways takeaways takeaways takeaways takeaways

95. take take take take take take • cross-pollination is a

    missed opportunity • our jobs are about outcomes, 
 not “what we’re supposed to do” • align user goals to your security goals

96. take take take take take take • aim to know

    their intent • craft a path of least resistance • understand their mental model • communicate accurately to that model

97. one final anecdote

98. None
99. None
100. None

101. thanks! fight me @sereeena