
USABILITY Ben Aaron.


1 USABILITY Ben Aaron

2 http://www.signiant.com/wp-content/uploads/2015/02/Dilbert-on-Security.jpeg

3 The Relationship Between Usability and Security We have to have both. http://www.rlvision.com/blog/wp-content/uploads/2013/12/Password-Security-vs-Usability1.png

4 TECHNICAL OVERVIEW (But not so technical)

5 What Is Usability?
■ “Usability is a quality attribute that assesses how easy user interfaces are to use.” (Nielsen 2012)
■ Incorporates elements of Learnability, Efficiency, Memorability, Errors and Satisfaction (Nielsen 2012)

6 Psychological Acceptability
■ “It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors” – Saltzer & Schroeder, 1974 (24 Deadly Sins pg 218)
■ “Security only works if the secure way also happens to be the easy way” – Culp, 2000 (24 Deadly Sins pg 218)

7 How Does It Occur?
■ Tunnel vision of designers/software engineers – “It’s easy for me to use!”
■ Not understanding your audience:
  – Administrators
    ■ Deal with lots of information
    ■ Optimization over security
  – End users
    ■ Generally not technically literate
    ■ Will find ways to circumvent security if it gets in their way

8 Where Does It Occur?
■ Security messages to users
  – Too little information – bad for administrators
  – Too much information – bad for users
  – Too many messages – users won’t read or will disable them
  – Inaccurate or generic information – may keep out attackers, but won’t help users
  – Errors with only error codes – users won’t understand
■ Authentication
  – Password restrictions may be too hard for users

9 EXAMPLES

10 Authentication
■ Password Trouble at Lowe’s:
  – Password must be 8 characters long
  – Password must contain one letter and one number
  – Can’t be both?
■ Security Questions for Online Insurance:
  – Generic questions
  – Non-specific answers
  – Case sensitive

11 Error Messages
■ Side-by-side images of a Bad and a Good error message (image source: https://msdn.microsoft.com/en-us/library/ms995351.aspx)

12 DETECTION AND AVOIDANCE

13 Detection Methods
■ Code Review
  – UI code for security options
    ■ Is security on by default?
  – Look at the authentication system
    ■ Option to accept an unauthenticated external connection?
    ■ Obvious way to reset a password? Can this be exploited for a denial-of-service attack?
■ Use/Misuse/Abuse Cases
  – Essential element of usability testing
■ Field Testing

14 Avoidance of Errors
■ Invisibly Strengthen Security (OWASP & 24 Deadly Sins)
  – Set tighter security features automatically so that users are not responsible
  – Hide security features so that users won’t disable them
    ■ Typical users won’t expend more than three clicks to select an option (24 Deadly Sins pg 226)
■ Make Security Understandable (OWASP & 24 Deadly Sins)
  – Easier-to-read messages
  – Positive Reinforcement
    ■ Green browser bar for secure websites
■ Train Users (OWASP)
  – Phishing emails as learning tools

15 Avoidance of Errors
■ Make Selective Relaxing of Security Easier, but Inform Users of the Consequences (24 Deadly Sins)
  – Information bars in browsers
  – Don’t be too technical! Rule of thumb: go for an 8th grade reading level.
■ Make It Actionable (24 Deadly Sins)
  – Users like to have control over their computing environment, and can sometimes fix a problem on their own if guided to do so
■ Provide Central Management (24 Deadly Sins)
  – Active Directory Group Policy in Windows – everything in one window
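The message split that slides 8, 10 and 15 argue for (terse codes that suit administrators, plain actionable language for end users), as an added Python example that is not part of the presentation. The three rules mirror the Lowe’s policy quoted on slide 10; the rule codes such as PWD_LEN and the sample passwords are constructed.

```python
"""Same password policy, two feedback styles (constructed example).

The rules mirror the policy quoted on slide 10: at least 8 characters,
at least one letter, at least one number.  Rule codes such as PWD_LEN
are constructed identifiers, not taken from any real product.
"""
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    code: str                      # terse identifier, useful in admin logs
    plain: str                     # plain-language fix for the end user
    check: Callable[[str], bool]   # True when the password satisfies the rule


POLICY: List[Rule] = [
    Rule("PWD_LEN", "Use at least 8 characters", lambda p: len(p) >= 8),
    Rule("PWD_ALPHA", "Include at least one letter (a-z or A-Z)",
         lambda p: re.search(r"[A-Za-z]", p) is not None),
    Rule("PWD_DIGIT", "Include at least one number (0-9)",
         lambda p: re.search(r"[0-9]", p) is not None),
]


def failed_rules(password: str) -> List[Rule]:
    """Evaluate every rule so the user learns all problems in one round trip."""
    return [r for r in POLICY if not r.check(password)]


def cryptic_message(password: str) -> str:
    """The style slide 8 warns about: error codes only, useful to administrators alone."""
    failed = failed_rules(password)
    return "OK" if not failed else "Error " + ",".join(r.code for r in failed)


def actionable_message(password: str) -> str:
    """Slide 15 style: every unmet rule, stated as something the user can do."""
    failed = failed_rules(password)
    if not failed:
        return "Password accepted."
    return "\n".join(["Your password needs a few changes:"]
                     + [f"- {r.plain}" for r in failed])


if __name__ == "__main__":
    for pw in ["abc123", "12345678", "abc12345"]:   # constructed inputs
        print(f"{pw!r}: {cryptic_message(pw)}")
        print(actionable_message(pw), "\n")
```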

16 CONCLUSION

17 Conclusion
■ Applications must be both secure and usable in order to be either.
■ Security engineers and software developers need to work with usability engineers.
■ Users aren’t Lusers!
■ Don’t lose the forest for the trees.

18 References
■ "Building Usable Security." OWASP. OWASP, 15 Dec. 2014. Web. 25 July 2016.
■ Howard, Michael, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, 2010. Print.
■ Nielsen, Jakob. "Usability 101: Introduction to Usability." Nielsen Norman Group: Evidence-Based User Experience Research, Training, and Consulting. Nielsen Norman Group, 4 Jan. 2012. Web. 25 July 2016.
