1 LECTURE 11: User Interface and System Security and Controls ITEC 3010 “Systems Analysis and Design, I” [Prof. Peter Khaiter]

Presentation transcript:

2 Topics: Inputs and Outputs; User and System Interface; User-Centered Design; Metaphors for HCI; Designing System Inputs; Designing System Outputs; Designing Integrity Controls; Designing Security Controls; Managing User Access; Data Security

3 Identifying and Classifying Inputs and Outputs: Identified by analyst when defining system scope. Requirements model produced during analysis. Event table includes trigger to each external event. Triggers represent inputs. Outputs are shown as responses to events.

4 Traditional and OO Approaches to Inputs and Outputs: Traditional approach to inputs and outputs – shown as data flows on context diagram, data flow diagram (DFD) fragments, and detailed DFDs. OO approach to inputs and outputs – defined by message entering or leaving system; documented in system sequence diagram (SSD); actors provide inputs for many use cases; use cases provide outputs to actors.

5 User versus System Interface: System interfaces – I/O requiring minimal human interaction. User interfaces – I/O requiring human interaction. User interface is everything end user comes into contact with while using the system. To the user, the interface is the system. Analyst designs system interfaces separate from user interfaces. Requires different expertise and technology.

6 Understanding the User Interface: Physical aspects of the user interface – devices touched by user, manuals, documentation, and forms. Perceptual aspects of the user interface – everything else user sees, hears, or touches, such as screen objects, menus, and buttons. Conceptual aspects of the user interface – what user knows about system and logical function of system.

7 Aspects of the User Interface

8 User-Centered Design: Focus early on the users and their work by focusing on requirements. Usability – system is easy to learn and use. Iterative development keeps focus on user; continually return to user requirements and evaluate system after each iteration. Human-computer interaction (HCI) – study of end users and interaction with computers. Human factors engineering (ergonomics).

9 Metaphors for Human-Computer Interaction: Direct manipulation metaphor – user interacts with objects on display screen. Document metaphor – computer is involved with browsing and entering data in electronic documents; WWW, hypertext, and hypermedia. Dialog metaphor – much like carrying on a conversation.

10 Desktop Metaphor Based on Direct Manipulation Shown on Display Screen

11 Document Metaphor Shown as Hypermedia in Web Browsers

12 Dialog Metaphor Expresses the Messaging Concept

13 Guidelines for Designing User Interfaces: Visibility – all controls should be visible; provide immediate feedback to indicate control is responding. Affordance – appearance of control should suggest its functionality, the purpose for which it is used. System developers should use published interface design standards and guidelines.

14 Eight Golden Rules for Interactive Interface Design

15 Documenting Dialog Designs: Done simultaneously with other system activities. Based on inputs and outputs requiring user interaction. Used to define menu hierarchy: allows user to navigate to each dialog; provides overall system structure. Storyboards, prototypes, and UML diagrams.

16 Overall Menu Hierarchy Design: Each Use Case is Listed Under a Menu Utilities, Preferences, and Help Are Added

17 Dialogs and Storyboards: Many methods exist for documenting dialogs: written descriptions following flow of activities like in use case description; narratives; sketches of screens; storyboarding – showing sequence of sketches of display screen during a dialog.

18 Storyboard for the Downtown Videos Rent Videos Dialog

19 Guidelines for Designing Windows and Browser Forms: Each dialog might require several windows forms. Standard forms are widely available. Windows: Visual Basic, C++, C#, Java. Browser: HTML, VBScript, JavaScript, ASP, Java servlets. Implementation: identify objectives of form and associated data fields; construct form with prototyping tools.

20 Form Design Issues: Form layout and formatting consistency – headings, labels, logos; font sizes, highlighting, colors; order of data-entry fields and buttons. Data keying and data entry (use standard controls) – text boxes, list boxes, combo boxes, and so on. Navigation and support controls. Help support – tutorials, indexes, context-sensitive.

21 Design for RMO Phone-Order Dialog: Steps in dialog models: 1. Record customer information; 2. Create new order; 3. Record transaction details; 4. Produce order confirmation. Traditional approach – use structure charts. OO approach – expand SSD to include forms.

22 Required Forms for RMO: Main menu; Customer; Item search; Product detail; Order summary; Shipping and payment options; Order confirmation.

23 Design Concept for Sequential Approach to Create New Order Dialog

24 Design Concept for Order-Centered Approach to Create New Order Dialog

25 Prototype Main Menu Form for Order-Centered Approach to Dialog

26 Order Summary and Product Detail Forms

27 Completed Order Summary and Shipping Payment Forms

28 Identifying System Interfaces: System interfaces are broadly defined as inputs or outputs with minimal or no human intervention. Inputs from other systems (messages, EDI). Highly automated input devices such as scanners. Inputs that are from data in external databases. Outputs to external databases. Outputs with minimal HCI. Outputs to other systems. Real-time connections (both input and output).

29 Just for Fun!

30 Full Range of Inputs and Outputs

31 Design of System Inputs: Identify devices and mechanisms used to enter input. High-level review of most up-to-date methods to enter data. Identify all system inputs and develop list of data content for each. Provide link between design of application software and design of user and system interfaces. Determine controls and security necessary for each system input.

32 Input Devices and Mechanisms: Capture data as close to original source as possible. Use electronic devices and automatic entry whenever possible. Avoid human involvement as much as possible. Seek information in electronic form to avoid data re-entry. Validate and correct information at entry point.

33 Prevalent Input Devices to Avoid Human Data Entry: Magnetic card strip readers; bar code readers; optical character recognition readers and scanners; radio-frequency identification tags; touch screens and devices; electronic pens and writing surfaces; digitizers, such as digital cameras and digital audio devices.

34 Defining the Details of System Inputs: Ensure all data inputs are identified and specified correctly. Can use traditional structured models. Identify automation boundary: use DFD fragments; segment by program boundaries. Examine structure charts: analyze each module and data couple; list individual data fields.

35 Automation Boundary on a System-Level DFD

36 Create New Order DFD with an Automation Boundary

37 List of Inputs for Customer Support System

38 Data Flows, Data Couples, and Data Elements Making Up Inputs

39 Using Object-Oriented Models: Identifying user and system inputs with OO approach has same tasks as traditional approach. OO diagrams are used instead of DFDs and structure charts. System sequence diagrams identify each incoming message. Design class diagrams and sequence diagrams identify and describe input parameters and verify characteristics of inputs.

40 Partial System Sequence Diagram for Payroll System Use Cases

41 System Sequence Diagram for Create New Order

42 Input Messages and Data Parameters from RMO System Sequence Diagram

43 Designing System Outputs: Determine each type of output. Make list of specific system outputs required based on application design. Specify any necessary controls to protect information provided in output. Design and prototype output layout. Ad hoc reports – designed as needed by user.

44 Defining the Details of System Outputs: Types of reports: printed reports, electronic displays, turnaround documents. Can use traditional structured models to identify outputs: data flows crossing automation boundary; data couples and report data requirements on structure chart.

45 Table of System Outputs Based on Traditional Structured Approach

46 Using Object-Oriented Models: Outputs indicated by messages in sequence diagrams: originate from internal system objects; sent to external actors or another external system. Output messages based on an individual object are usually part of methods of that class object. To report on all objects within a class, class-level method is used that works on entire class.

47 Table of System Outputs Based on OO Messages

48 Designing Integrity Controls: Mechanisms and procedures built into a system to safeguard it and information contained within. Integrity controls – built into application and database system to safeguard information. Security controls – built into operating system and network.

49 Objectives of Integrity Controls: Ensure that only appropriate and correct business transactions occur. Ensure that transactions are recorded and processed correctly. Protect and safeguard assets of the organization: software, hardware, information.

50 Points of Security and Integrity Controls

51 Input Integrity Controls: Used with all input mechanisms. Additional level of verification to help reduce input errors. Common control techniques: field combination controls, value limit controls, completeness controls, data validation controls.
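The four control techniques named on slide 51, applied to a single order record. This is an added example, not part of the lecture; the field names, reference data and quantity limit are constructed assumptions.

```python
from datetime import date

# Constructed reference data; a real system would query its own database.
KNOWN_CUSTOMERS = {"C1001", "C1002"}
CATALOG_ITEMS = {"SKU-100", "SKU-200"}
REQUIRED_FIELDS = ("customer_id", "item_id", "quantity", "order_date", "ship_date")
MAX_QUANTITY = 50  # assumed business limit per order line


def check_order(order):
    """Return a list of (control, message) violations; an empty list means accept."""
    # Completeness control: every required field must be present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if order.get(f) in (None, "")]
    if missing:
        return [("completeness", "missing: " + ", ".join(missing))]

    errors = []
    # Data validation control: coded fields must match known reference values,
    # and dates must parse in the expected format.
    if order["customer_id"] not in KNOWN_CUSTOMERS:
        errors.append(("data validation", "unknown customer_id"))
    if order["item_id"] not in CATALOG_ITEMS:
        errors.append(("data validation", "unknown item_id"))
    try:
        ordered = date.fromisoformat(order["order_date"])
        shipped = date.fromisoformat(order["ship_date"])
    except (TypeError, ValueError):
        errors.append(("data validation", "dates must be YYYY-MM-DD"))
        ordered = shipped = None

    # Value limit control: numeric fields must fall inside a reasonable range.
    qty = order["quantity"]
    if type(qty) is not int or not 1 <= qty <= MAX_QUANTITY:
        errors.append(("value limit", f"quantity must be 1..{MAX_QUANTITY}"))

    # Field combination control: fields that are valid alone must also agree
    # with each other (an order cannot ship before it was placed).
    if ordered and shipped and shipped < ordered:
        errors.append(("field combination", "ship_date is before order_date"))
    return errors
```

Returning the name of the control that failed with each message lets the entry form say which rule rejected the record, which supports correcting data at the entry point.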

52 Database Integrity Controls: Access controls; data encryption; transaction controls; update controls; backup and recovery protection.

53 Output Integrity Controls: Ensure output arrives at proper destination and is correct, accurate, complete, and current. Destination controls – output is channeled to correct people. Completeness, accuracy, and correctness controls – appropriate information present in output.

54 Integrity Controls to Prevent Fraud: Three conditions are present in fraud cases: personal pressure, such as desire to maintain extravagant lifestyle; rationalizations, including “I will repay this money” or “I have this coming”; opportunity, such as unverified cash receipts. Control of fraud requires both manual procedures and computer integrity controls.

55 Fraud Risks and Prevention Techniques

56 Designing Security Controls: Security controls protect assets of organization from all threats. External threats such as hackers, viruses, worms, and message overload attacks. Security control objectives: maintain stable, functioning operating environment for users and application systems (24 x 7); protect information and transactions during transmission outside organization (public carriers).

57 Security for Access to Systems: Used to control access to any resource managed by operating system or network. User categories: unauthorized user – no authorization to access; registered user – authorized to access system; privileged user – authorized to administrate system. Organized so that all resources can be accessed with same unique ID/password combination.

58 Users and Access Roles to Computer Systems

59 Managing User Access: Most common technique is user ID / password. Authorization – is user permitted to access? Access control list – users with rights to access. Authentication – is user who they claim to be? Smart card – computer-readable plastic card with embedded security information. Biometric devices – keystroke patterns, fingerprinting, retinal scans, voice characteristics.
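The two questions on slide 59, answered in order by one access check: authentication against a salted password hash, then authorization against an access control list. This is an added example, not part of the lecture; the accounts, passwords, resource names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor


def hash_password(password, salt):
    """Derive a slow, salted hash so stored credentials are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed accounts: "clerk" is a registered user, "admin" a privileged user.
USERS = {"clerk": make_user("constructed-pw-1"),
         "admin": make_user("constructed-pw-2")}

# Access control list: for each resource, the user IDs with rights to access it.
ACL = {"order_entry": {"clerk", "admin"},
       "user_admin": {"admin"}}


def authenticate(user_id, password):
    """Authentication: is the user who they claim to be?"""
    user = USERS.get(user_id)
    if user is None:
        # Do the same hashing work for unknown IDs so response time does not
        # reveal which user IDs exist.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])  # constant-time compare


def authorize(user_id, resource):
    """Authorization: is the user permitted to access? Deny by default."""
    return user_id in ACL.get(resource, set())


def access(user_id, password, resource):
    if not authenticate(user_id, password):
        return "denied: authentication failed"
    if not authorize(user_id, resource):
        return "denied: not authorized"
    return "granted"
```

A resource missing from the ACL is denied to everyone, so forgetting to list a new resource fails closed.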

60 Data Security: Data and files themselves must be secure. Encryption – primary security method; altering data so unauthorized users cannot view. Decryption – altering encrypted data back to its original state. Symmetric key – same key encrypts and decrypts. Asymmetric key – different key decrypts. Public key – public encrypts; private decrypts.

61 Symmetric Key Encryption

62 Asymmetric Key Encryption

63 Digital Signatures and Certificates: Encryption of messages enables secure exchange of information between two entities with appropriate keys. Digital signature encrypts document with private key to verify document author. Digital certificate is institution’s name and public key that is encrypted and certified by third party. Certifying authority – VeriSign or Equifax.

64 Using a Digital Certificate
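The certificate check from slides 63 and 64, as an added example that is not part of the lecture: a certifying authority signs an institution's name and public key, and a receiver verifies the certificate before trusting the document signature. It uses textbook RSA over small known primes on a SHA-256 hash purely for illustration; the key values and names are constructed, and real systems use a vetted cryptographic library with padded signatures.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Build a toy RSA key pair from two primes (illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"public": (n, E), "private": (n, d)}


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private):
    """Only the private-key holder can produce this value."""
    n, d = private
    return pow(digest(data, n), d, n)


def verify(data, signature, public):
    """Anyone holding the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == digest(data, n)


# Constructed keys from known Mersenne primes (far too small for real use).
CA_KEY = make_key(2**107 - 1, 2**127 - 1)   # certifying authority
ORG_KEY = make_key(2**61 - 1, 2**89 - 1)    # institution signing documents


def cert_body(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()


def issue_certificate(name, public, ca_private):
    """The CA binds an institution's name to its public key by signing both."""
    return {"name": name, "public": public,
            "ca_signature": sign(cert_body(name, public), ca_private)}


def check_signed_document(document, signature, cert, ca_public):
    # Step 1: the name/key binding must carry a valid CA signature.
    if not verify(cert_body(cert["name"], cert["public"]),
                  cert["ca_signature"], ca_public):
        return "reject: certificate not certified by trusted authority"
    # Step 2: the document must verify under the certified public key.
    if not verify(document, signature, cert["public"]):
        return "reject: document signature invalid"
    return "accept: signed by " + cert["name"]
```

The receiver needs only the CA's public key in advance; the institution's key arrives inside the certificate and is trusted because of step 1.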

65 Secure Transactions: Standard set of methods and protocols for authentication, authorization, privacy, integrity. Secure Sockets Layer (SSL), renamed as Transport Layer Security (TLS) – protocol for secure channel to send messages over Internet. IP Security (IPSec) – newer standard for transmitting Internet messages securely. Secure Hypertext Transport Protocol (HTTPS or HTTP-S) – standard for transmitting Web pages securely (encryption, digital signing, certificates).

66 The End!