Human Factors Engineering for IT Security
Peter Wolkerstorfer, Senior HCI Researcher
CURE – Center for Usability Research and Engineering
Agenda
• About CURE
• Usability
• Mental Models
• User Experience (UX)
• HCISEC Challenges
• User Centred Design (UCD) Process
• Conclusions
• Contact
About CURE
• CURE – Center for Usability Research & Engineering
– Non-profit research organisation
– Spin-off from University of Vienna since 1998
– Industrial consulting done by USECON
– Team of over 25 researchers (multidisciplinary)
– HCISEC Team (5 researchers)
– Experienced in EC research (FP5, 6 & 7): >20 international projects, >300 national projects
uTRUSTit Project
uTRUSTit Facts: “Usable Trust in the Internet of Things (IoT)”
Project duration: 3 years – Start: Sept. 2010
Project funding: EU 7th Framework Programme ICT-2009.1.4
Project coordinator: CURE – Center for Usability Research & Engineering
Contact: http://www.utrustit.eu [email protected]
Human Behaviour & Security
Source: blogs.oracle.com
Principle of Psychological Acceptance
“It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.”
Jerome Saltzer and Michael Schroeder: “The Protection of Information in Computer Systems”, Proceedings of the IEEE 63:9 (1975), 1278-1308.
Usability Definition
ISO 9241:
The effectiveness, efficiency and satisfaction with which specified users achieve specified goals in specified contexts.
• How not to read it (stress on effectiveness, efficiency and satisfaction):
– The effectiveness, efficiency and satisfaction with which specified users achieve specified goals in specified contexts.
• How to read it (stress on specified users, specified goals, specified contexts):
– The effectiveness, efficiency and satisfaction with which specified users achieve specified goals in specified contexts.
Usability Principles
• Consistency
• Feedback
• Efficiency
• Flexibility
• Clearly marked exits
• Wording in users' language
• Task orientation
• Control
• Recovery and forgiveness
• Minimize memory load
• Transparency
• Aesthetics and emotional effect
These principles enable learnability, efficiency, effectiveness, reduced error-rate, memorability, and subjective satisfaction.
Example: Personal Firewall
(Callouts on a screenshot of a personal-firewall prompt, voicing the user's reactions:)
What is "openvpn.exe"? I clicked on "VPN-Connection"...
What is a "Destination IP"?
Yes - and...?
What does "193.201.22.83" want to tell me?
But what if I want to change it in the future?
What does this decision imply?
(What the prompt effectively tells the user:) If you want to proceed click "Allow"! If you also do not want to be bothered in the future then activate "Remember this setting.".
Example Solution
Source: Stoll et al., Sesame: Informing User Security Decisions with System Visualization
Mental Models 1/2
• Definition:
– A mental model...
Mental Models 2/2
A mental model is an explanation of a thought process about how something works in the real world. It is an explanation on a person's perception about their own acts and consequences in the world.
Source: Young, I. 2008. Mental Models: Aligning Design Strategy with Human Behavior. Rosenfeld Media, New York.
Mental-Models Research Example
User Experience (UX)
(Word cloud of facets that make up UX:) Trust, Privacy, Security, Aesthetics, Fun, Performance, Usability, Identity, Comfort, Convenience, Benefit, Enjoyment, Accessibility, Findability, Usefulness, Credibility, Desire, Attractivity, Stimulation, Playfulness, Pleasure.
Example 1: Authentication UX
(Bar chart of user ratings, 1 = poor, 7 = excellent, comparing three authentication devices: Smartcard (S), Token (T) and Token + Storage (TS). Rated criteria: Learnability, Installability, Low cost to operate, Mobility, Attractiveness, User friendliness, Security interaction.)
Source: Piazzalunga et al., The Usability of Security Devices
Example 2: "Road Apple Attack"
Source: http://hack5.org
HCISEC Challenges 1/2
• Security is a secondary task
– Users focus on primary task
• Concepts are hard to communicate
• “Informed decision” hard to undertake
– Users lack a working mental model
– GUIs often support wrong mental models
– GUI elements and interaction processes are hard to interpret
Why is a sheet of paper dangerous?
HCISEC Challenges 2/2
• Technical origins shine through
– “Technical language” hard to understand
• Users’ Trust Perception
– Lack of transparency of underlying security properties
• Lack of awareness of possible consequences
• Heuristic risk analysis not appropriate online
Is this a "good" or a "bad" double-click?
User Centred Design Process (ISO/TR 16982)
(Diagram of one UCD iteration; for HCISEC more than 5 iterations are needed.)
HCISEC Design Process
• User centred Design Process (extended HCI methodology)
1. Personas
2. Mental model research
3. Evaluation beyond task-times and error rates (additional questionnaires)
4. Pre-studies (e.g. wording…)
5. Retrospective testing
Example: The uTRUSTit Approach
• Personas
• Scenarios
• User-studies
– Laboratory evaluations
– Mental model research
• VR-Evaluations
• Design guidelines
– Accumulate results from studies
– Iterated three times
• End-user trials
Example Persona: Fredrik Clasen
• Has dyslexia
• Uses assistive technologies
• Technophile
• Supports his family in technical matters
• Tries to avoid reading
• Always online
Conclusions
• Why?
– Maintain holistic security
– Avoid damage & threats (customer/client/organisation)
– Effective application & usage of security technology
• Who?
– Real end-users
– Specified users (Not “the user”; e.g. use Personas)
• How?
– End-user studies
– Mental model research
– Iterative end-user testing & re-engineering
• Users are not the enemy!
Thank you for your attention!
Contact
Peter Wolkerstorfer
Senior HCI Researcher
CURE - Center for Usability Research & Engineering
[Mail] wolkerstorfer at cure dot at
[Web] http://www.cure.at