Pro Yearly is on sale from $80 to $50! »

Design for Security — Web Directions Summit 2019

Design for Security — Web Directions Summit 2019

C2817e27f333415dec3be6e5b805469a?s=128

Serena Chen

October 31, 2019
Tweet

Transcript

  1. design for security web directions summit 2019

  2. tena koutou
 tena koutou
 tena koutou tena koutou tena koutou

    tena koutou
  3. None
  4. None
  5. tena koutou
 tena koutou
 tena koutou tena koutou tena koutou

    tena koutou
  6. None
  7. None
  8. None
  9. None
  10. the internet owns our lives

  11. –Literally everyone not watching Mr Robot right now “I don’t

    care about security.”
  12. product design hierarchy of needs content, accessibility, performance, security information

    architecture, consistency typography, colour animation
  13. good security is a part of 
 good design

  14. Usability Security

  15. Usability Security

  16. Usability Security

  17. –Literally everyone not watching Mr Robot right now “I don’t

    care about security.”
  18. –Serena Chen, lone nerd shouting into the void “I care

    !!!”
  19. it’s our job 
 to care.

  20. None
  21. it’s our job 
 to care.

  22. design nerds security nerds-

  23. the design/security trilogy 1. 2. 3. 4.

  24. the design/security trilogy 1. paths of least resistance 2. 3.

    4.
  25. paths of least resistance

  26. None
  27. it’s always 1989 in security • Security through obfuscation •

    Security through excessive complexity • Password rotation
  28. Source: https://mobile.twitter.com/joernchen/status/915587942130896896

  29. bad security: 
 walls everywhere

  30. Illustration by Megan Pendergrass

  31. —Serena Chen, “I KNOW HOW TO INTERNET” a grown adult

  32. people are lazy efficient

  33. align your goals to your users’ goals

  34. bad security: 
 walls everywhere

  35. good security: 
 smartly placed doors

  36. Illustration by Susanna Yee ☠ ⚠

  37. None
  38. None
  39. Illustration by Susanna Yee ☠ ⚠

  40. normalise security

  41. None
  42. look at journey maps • determine likely paths • what

    is the easiest path? • what is the most secure / ideal path? • can you merge the two?
  43. align your goals to your users’ goals

  44. Illustration by Susanna Yee

  45. the design/security trilogy 1. paths of least resistance 2. 3.

    4.
  46. the design/security trilogy 1. paths of least resistance 2. intent

    3. 4.
  47. finding intent

  48. Usability Security

  49. tension happens when we can’t determine intent

  50. None
  51. Usability Security

  52. we fall back on patterns everything needs to be easy

    usability is my responsibility Illustration by Chloe Cathcart
  53. it’s not our job to make everything easy

  54. Our job is to make legitimate actions • that legitimate

    users want to take • at that time • in that place … easy Everything else we can lock down.
  55. get more specific about the user’s intent

  56. None
  57. None
  58. None
  59. the design/security trilogy 1. paths of least resistance 2. intent

    3. 4.
  60. the design/security trilogy 1. paths of least resistance 2. intent

    3. (mis)communication 4.
  61. (mis)commu- nication

  62. miscommunications are human security vulnerabilities

  63. what are you unintentionally miscommunicating?

  64. https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html

  65. connection is encrypted domain is who they say they are

  66. miscommunications are human security vulnerabilities

  67. None
  68. None
  69. None
  70. None
  71. (i didn’t actually do this)

  72. human
 security
 vulnerability https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html

  73. do your users know 
 what you're trying to communicate?

  74. what is their mental model of what’s happening?

  75. the design/security trilogy 1. paths of least resistance 2. intent

    3. (mis)communication 4.
  76. the design/security trilogy 1. paths of least resistance 2. intent

    3. (mis)communication 4. mental models
  77. mental models

  78. design model user model system image Source: The Design of

    Everyday Things, Don Norman designers users
  79. design model user model system image Source: The Design of

    Everyday Things, Don Norman designers users
  80. design model user model system image

  81. None
  82. None
  83. A system is secure when the user expectations match the

    design intentions and the system itself A system is secure when the user expectations match the design intentions and the system itself A system is secure when the users’ expectations match the design intentions and the system itself A system is secure when the users’ expectations match the design intentions and the system itself A system is secure when the users’ expectations match the design intentions and the system itself
  84. • observe non-tech users, customer sessions • ask them what

    they expect • infer intent through context 1 understand their model
  85. 2 influence their model • when we make, we teach

    • whenever someone interacts
 a thing we made, they learn. • path of least resistance becomes the default “way to do things”.
  86. how are we already influencing users’ models?

  87. https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking iOS Phish

  88. what are we teaching?

  89. —Serena Chen, “I KNOW HOW TO INTERNET” a grown adult

  90. None
  91. it’s all about their mental model

  92. None
  93. what are your users’ mental models?

  94. takeaways takeaways takeaways takeaways takeaways takeaways

  95. take take take take take take • cross-pollination is a

    missed opportunity • our jobs are about outcomes, 
 not “what we’re supposed to do” • align user goals to your security goals
  96. take take take take take take • aim to know

    their intent • craft a path of least resistance • understand their mental model • communicate accurately to that model
  97. one final anecdote

  98. None
  99. None
  100. None
  101. thanks! fight me @sereeena