This is one of two talks. This one encourages the security community to adopt a user experience approach to the development and deployment of security products. The second encourages the user experience community to focus their skills on usable security issues. Security products and security issues do not get enough attention from user experience. Yet user experience is at the root cause of many, if not most, security issues. The weakest link in security is not technology but the gap between technology and people. The developer, IT implementer, administrator, and end-user each create vulnerabilities if the system wasn’t designed to be usable for each of them. Technology, policies, management and metrics all improve with a user-centric approach that merges development, security implementation and monitoring with usability.

1. @darrenkall
Darren Kall #secUX

2. Employment
 KALL Consulting
 Microsoft
◦ Windows Security User Experience team: founder
◦ Windows Security Assurance team: founder
◦ Windows Core Security: group program manager
◦ Microsoft Passport: group program manager
◦ Microsoft Passport User Experience team: manager
◦ MSN-client: security and privacy team founder
 AT&T Bell Laboratories, IBM, H.E.L.P., LexisNexis
Patents
 11 US patents, 6 international patents,104 patent citations
Education
 Dartmouth College, Rutgers College

3. User Experience
(UX)
Insight Innovation Impact
Research Design Evaluation
Product UX
Design & Improve Product UX
Sec UX M&A UX
Security Merger & Acquisition
User Experience User Experience
PI UX Strategic UX
Product Integration Strategic UX
User Experience Management

4.  Problem: If a security system wasn’t designed to be
usable by each person who touches it, then the
people create vulnerabilities
 Solution: An end-to-end UX approach that merges
technology possibilities, business imperatives, and a
deep knowledge of users to improve security
 Next Steps: Practical steps to a UX approach

6. Limited
“Imperfect” Memory
cognitive Lazy
models
Don’t
respond
quickly Limited number
enough crunching
Don’t
Emotional understand
responses security
Limited ability
to visualize
Fear
Limited decision negative
making skill outcomes
Too Not
busy tech
Limits to savvy
vigilance
Cognitive
biases
Easily
deceived

7. “The system would be
secure if we just got rid
of the people.”
Every IT person who ever worked on security

8.  That is not an option
 It
is a lot easier to
change the system than
to change people

9.  If
a system is not
designed to be usable by
the people who have to
use it, the people are not
to blame
 The system is

10.  Dialog boxes and vigilance
 If an end-user sees a security dialog 100
times, they agree without reading the 101st time
 Passwords and memory
 If a person has to have a 15 character password
that must change every 30 days and must contain
special characters, they write the password on a
Post-it note
 Trojans and decision making
 If a user opens an Excel spreadsheet without
questioning the source, they invite hidden
exploits

11.  It
is not just end-users
but every human in the
end-to-end system

12.  End-users  Installers
 Product Managers  Administrators
 Business Analysts  Hackers
 System Designers  Trainers
 Program Managers
 Maintenance
 Project Managers
 Developers  Monitoring
 Testers  Forensics
 Marketing  Deprecation
 Sales  etc.

13.  Developer
 If a developer does not have insight into the
security skills of the user, they assume the user is
like them
 Installer
 If it is too hard for an installer to figure out how
to configure security, it goes in with a risky
default
 Sales
 If a sales person can’t model a customer’s
security needs sufficiently, they sell them the
wrong system

14.  Am I exaggerating?

15.  Comodo Cert Auth
◦ Problem: tricked into issuing
fraudulent certs
◦ UX: people are easily deceived
◦ Result: employees were socially
engineered

16.  DigiNotar
◦ Problem: hacker access to cert issuing
◦ UX: people can’t perceive patterns
over broad data
◦ Result: breach not in admin awareness
◦ UX: people susceptible to impact bias;
a cognitive bias of estimation
◦ Result: did not prepare a user scenario
for cert revocation

17.  Sony
◦ Problem: data breach 77 Million ID
thefts
◦ UX: people susceptible to confirmation
bias
◦ Result: did not perceive risk and made
poor security choices, insufficient
maintenance of patches
◦ UX: overconfidence in decision making
◦ Result: provoked the hacker
community

18.  RSA
◦ Problem: token information hacked
◦ UX: limited ability to predict
consequences
◦ Result: people post info in social
media
◦ UX: people are easily deceived
◦ Result: fooled by phishing attack
with Adobe-Excel exploit

19.  H.323 Protocol
◦ Problem: ~150,000 corporate video
systems set to auto-answer allowing
spying
◦ UX: status quo bias
◦ Result: system default configuration
implications overlooked
◦ UX: risk assessment skills
◦ Result: not deployed within secure
corporate networks

21.  Improveend-to-end
system security by
taking a UX approach to
design and
development

22. Insight Innovation Impact
Research Design Evaluation
Customer Insight Design Usability testing
User Research User-friendly A/B testing
Ideation Interaction design Customer validation
Workflow Information Arch Beta testing
Task flow Transformation Analytics
Activity Cycles Specification Evaluation
Pain points Design guidelines Measurements
Touch points Look and Feel Iterations
Journey map Development Etc.
Etc. Etc.

23.  Insight Research: Detailed attention to the
needs, limitations, and behaviors of people in a
system to gain insights
 Innovation Design: Apply this insight to
intentional design in all stages of
development, implementation, and use for
specific user types
 Impact Evaluation: A multi-stage approach
requiring analysis, design, and evaluation
iterations to ensure successful improvement

24.  Deeply studying the people in the system
 Gathering insight into their
skills, motivations, limitations, behaviors, etc.
 Using that information to drive innovative
designs for security problems

25.  Keep all users in mind when designing
systems
 Use the deep insights about users to match
design to their limitations and behaviors
 Designing to address user pain points and
limitations

26.  Test with people in the real world not
theoretical ideal world conditions
 Iterate improvement, evaluate, insight, design
cycles
◦ UX is an ongoing, incremental approach that
depends on data

27.  Problem: A security IT tool was not being
adopted
 UX Action: Ethnographic research and contextual
inquiry on the variety of IT people using this
security system to determine root cause
 Result: Identified 4-5 distinct IT persona types
for each of four company IT segments:
enterprise, large, medium, and small groups
 Separated roles from
titles, skills, motivations, and activity/behaviors
 Solution: One-size fits all was not working for
any group, segmented core product into
company/role specific products

28.  Problem: Significant implementation and
customization errors on install and
administration
 UX Action: Usability study of system with
representative users. Included a UX
assessment of technical writing.
 Result: Root cause was both product interface
and the training/documentation
 Solution: Improved interaction and improved
documentation and training to reduce errors

29.  Problem: System configuration taking too
long and requiring repeated revisions
 UX Action: UX evaluation of configuration
process
 Result: Total over 3,000 configuration
options, 6 that system developers could not
tell apart, detachment between desired
outcome and configurations
 Solution: Reduced configuration complexity,
options based on real use, aligned outcomes
with options, created profiles, offered service

30.  Problem: Client with ~900,000 users globally;
vendors, employees, on variety of devices, no
easy way to see network security status
 UX Action: Reviewed current system, modeled
pattern of monitoring workflow, prioritized
events into semantic map for this audience
 Result: Needed situational awareness drill down
from simple to detailed, not event alerts
 Solution: Created visualizations for quick overall
system status with 4 layers of drill down to
improve awareness

31.  Problem: Users relying on password customer
support on failed logins
◦ Wanted to minimize user frustration
◦ Wanted to separate real users from non-users
◦ Wanted to minimize customer support costs
 UX Action: Researched a variety of real user
behaviors to determine optimum design to
meet goals

32. PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD
attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt
Average Success Trial of Forgetters with no Lock Out, No CS, and no Self Help
PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD
attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt
Average Abandon Trial of Forgetters with no Lock Out, No CS, and no Self Help
PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD
attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt
Average Call if have CS Link
PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD
attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt
Average Self Help if have Self Help Link
PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD
attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt
Average CS Call if have CS Link and Self Help Link
PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD
attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt
Average Self Help if have Self Help Link and Lock Out @ 3
PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD PSWD
attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt attempt
Purple add Self Help Link, Blue add CS link, Yellow you know you’ve got a hacker

33.  Problem: Client with some divisions having
repeated auth setup issues while others didn’t
 UX Action: Compared SOP, reports of use, with
actual use patterns
 Result: Some divisions had activity cycles of use
and complete non-use based on business cycle.
Start of each cycle users forgot and created
issues
 Solution: Redesign system for infrequent use to
make more intuitive, require users to have
refresher when return

34.  UX approach is not a substitute for good
security technology engineering, it is an
addition
 You have to do both
 Keep advancing security technologies

36.  Add a UX approach to your security
improvement plans
 If you have a specific UX-based security
problem
◦ Develop a tailored UX initiative
 If you DO NOT have a specific UX-based
security problem
◦ Introduce a UX approach in steps

37.  Start your UX approach today
1. Implement: Start with the UX basics
2. Design: Adopt and tailor known UX solutions to fit
your situation
3. Evaluation: Specifically evaluate your UX problems,
your users, your environment of use, etc. and
implement specific solutions
4. Research: Invest in long-term research into the
people in your system to drive deep UX
understanding

38.  If
we all take a UX
approach to security
system design and
improvement, their
real-world security
value will increase

39.  Darren Kall
 darrenkall@kallconsulting.com
 http://www.linkedin.com/in/darrenkall
 @darrenkall
 +1 (937) 648-4966
SecUX: We’re glad to help your company
have more usable security.