usability
play

Usability Engineering Secure Software Last Revised: October 28, - PowerPoint PPT Presentation

Sep 04, 2023 •442 likes •753 views

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Quote: Taher El-Gamal, Inventor of SSL Security professionals always struggle with the general public because

  1. Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1

  2. Quote: Taher El-Gamal, Inventor of SSL “Security professionals always struggle with the general public because usability always wins.” Source: https://www.cnet.com/ Source: https://en.wikipedia.org/ SWEN-331: Engineering Secure Software Benjamin S Meyers 2

  3. Users are NOT the Enemy Security mechanisms are designed, implemented, applied, ● maintained, and breached by people Human factors is the key ○ Hackers can leverage human factors, too (e.g. social engineering, ○ “rubber hose” cryptanalysis) Why do users not adhere to security criteria? ● Lack of security knowledge ○ Lack of motivation ○ Users are guided by what they actually see -- or don’t see ○ Developers not considering human factors with respect to ○ security mechanisms (e.g. constantly changing passwords) SWEN-331: Engineering Secure Software Benjamin S Meyers 3

  4. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● SWEN-331: Engineering Secure Software Benjamin S Meyers 4

  5. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● Balloon Giraffe Sphinx SWEN-331: Engineering Secure Software Benjamin S Meyers 5

  6. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● SWEN-331: Engineering Secure Software Benjamin S Meyers 6

  7. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● Ball Moon Jerry Alex India Chair Graph SWEN-331: Engineering Secure Software Benjamin S Meyers 7

  8. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● SWEN-331: Engineering Secure Software Benjamin S Meyers 8

  9. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● Be Pluto Daisy All Train Byte Lime Fact Screen Zoo SWEN-331: Engineering Secure Software Benjamin S Meyers 9

  10. Do Not Overload Users’ Memory Human memory has a limitation of about 7 items ● Users will use externalization to cope ● Sticky notes, password managers ○ Facilitates insider attacks ○ Source: https://www.lastpass.com/ Source: https://www.flickr.com/ SWEN-331: Engineering Secure Software Benjamin S Meyers 10 10

  11. Human Factors Minimize the mental workload for the user ● Recognition rather than recall (e.g. recognize images) ○ Forgiving mechanisms (93% successful login with 9th attempt) ○ Realistic security vs. theoretical security ■ Resetting passwords overload help desks ■ Delay logins instead of lockouts ■ Source: https://thycotic.com/products/password-reset-server/user-experience/ SWEN-331: Engineering Secure Software Benjamin S Meyers 11 11

  12. Human Factors Awkward behavior ● e.g. organizations mandate that users must lock their screens ○ when leaving their desks, even for brief periods Users will not comply with security mechanisms that conflict ○ with their values or self-image Solution: label such behaviors positively ○ Source: https://tenor.com/ SWEN-331: Engineering Secure Software Benjamin S Meyers 12 12

  13. Usability of Permission Granting Global resources Prompts (iOS, browsers) ● ● e.g. smartphones expose a Used to verify user intent ○ ○ global clipboard to apps Repetitiveness teaches users ○ User friendly to ignore them ○ Violates least-privilege (prompt-fatigue) ○ Manifests (Android, WinPhone) User-driven access controls ● ● Out of context: checked at Via access control gadgets ○ ○ time of install, not time of use Captures users’ intent, ○ Disruptive: only prompted at minimizes interaction ○ first use to avoid Enables in-context, ○ prompt-fatigue non-disruptive, and Violates least-privilege least-privilege permission ○ granting SWEN-331: Engineering Secure Software Benjamin S Meyers 13 13

  14. Usability of Permission Granting SWEN-331: Engineering Secure Software Benjamin S Meyers 14 14

  15. Usability of Authentication Mechanisms Criteria for assuring password security ● Composition (length, valid characters) ○ Lifetime ○ Ownership (individual vs. group) ○ Source: https://xkcd.com/936/ SWEN-331: Engineering Secure Software Benjamin S Meyers 15 15

  16. Usability of Authentication Mechanisms Attacked by phishing ● Protection software ● Password alert extension for Chrome ○ New login alerts ○ Source: https://chrome.google.com/ SWEN-331: Engineering Secure Software Benjamin S Meyers 16 16

  17. Usability of Authentication Mechanisms Recall-based graphical passwords ● Recall-based (drametric systems) ○ Users recall and reproduce a secret drawing (grid or canvas) ○ Drawbacks: phishing, easy to guess ○ Source: https://arstechnica.com/ Source: www.researchgate.net/ SWEN-331: Engineering Secure Software Benjamin S Meyers 17 17

  18. Usability of Authentication Mechanisms Recognition-based graphical passwords ● Recognition-based (cognometric systems) ○ Users memorize a portfolio of images during password creation ○ and then recognize their images from among decoys to login More difficult to be phished ○ Drawbacks: limited memory, ○ shoulder-surfing Source: semanticscholar.org/ SWEN-331: Engineering Secure Software Benjamin S Meyers 18 18

  19. Usability of Authentication Mechanisms Cued-recall graphical passwords ● Cued-recall (locimetric systems) ○ Users remember and target specific locations in an image ○ Tolerance area of 14x14 pixels ○ Easier memory task than pure recall ○ Drawback: vulnerable to visual ○ hotspots and simple geometric patterns in images Source: semanticscholar.org/ SWEN-331: Engineering Secure Software Benjamin S Meyers 19 19

  20. Usability of Authentication Mechanisms Multi-Factor Authentication ● Something you know → passwords, image recognition ○ Passwords are bad ■ Something you have → auth app, YubiKey ○ Mobile authenticators are annoying ■ Something you are → fingerprints, facial recognition ○ Biometrics have high false-positive rates ■ Source: https://blockspot.io/ Source: computer.howstuffworks.com SWEN-331: Engineering Secure Software Benjamin S Meyers 20 20

  21. Usability of Authentication Mechanisms Continuous Authentication ● Auth mechanism continuously verifies that you’re still you ○ e.g. regular pings for your phone’s location ○ e.g. are you typing the way you normally do? ○ e.g. are you clicking what you normally click? ○ e.g. continuous facial recognition ○ If the system thinks you might not be you, it can prompt you for ○ more information → password, card number, fingerprint Drawbacks: ○ Resource consumption ■ Not always possible ■ Needs a failsafe (which needs to be secure) ■ SWEN-331: Engineering Secure Software Benjamin S Meyers 21 21

  22. Authorization Over Authentication Sign in with Google/GitHub/Facebook ● Instead of creating a new account (with a new password), ○ authorize the app/site to authenticate you using another service Pros: ○ Centralized management/revoking ■ Less passwords to remember ■ Cons: ○ Single point of failure ■ What if Microsoft buys GitHub? ■ SWEN-331: Engineering Secure Software Benjamin S Meyers 22 22

  23. Vulnerabilities are a Usability Problem Every developer mistake could be justified as a usability ● mistake (e.g. misusing C) Software vulnerabilities are blind spots in developers’ ● heuristic-based decision-making processes Humans use heuristics (simple computational models) to find ○ feasible (not optimized) solutions quickly due to: Limitation of working memory ■ Cognitive effort ■ Source: fotosearch.com.br SWEN-331: Engineering Secure Software Benjamin S Meyers 23 23

  24. Development Tools Can Help Reusable components that accomplish a single task ● e.g. SSL/TLS implementations (Java, OpenSSL) ○ Security information should research users (app developers) ● when they need it, on the spot e.g. IDE’s, text editors, browsers, compilers, etc. bring security ○ information while coding SWEN-331: Engineering Secure Software Benjamin S Meyers 24 24

  25. Example: PGP “Why Johnny Can’t Encrypt” [USENIX 1999, Whitten et al.] ● Advanced technical users failed to encrypt and decrypt their ○ mail using PGP 5.0, even after receiving instruction and practice Encryption is a complex concept ○ Terminology employed is fundamentally at odds with everyday ○ language (e.g. key, private, public) Corroborated by similar studies ○ SWEN-331: Engineering Secure Software Benjamin S Meyers 25 25

  26. Usable OpenSSL → Confusion OpenSSL is an open source implementation for SSL/TLS ● Cryptography library written in C ○ Easy to use for simple encryption ○ Becomes synonym for “secure” ○ # Encrypt “I love OpenSSL!” with AES and 256 bits of encryption > touch plain.txt > echo “I love OpenSSL!” > plain.txt > openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin enter aes-256-cbc encryption password: hello Verifying - enter aes-256-cbc encryption password: hello # Decrypt > openssl enc -aes-256-cbc -d -in encrypted.bin -pass pass:hello I love OpenSSL! SWEN-331: Engineering Secure Software Benjamin S Meyers 26 26

Recommend

Do gma 1 Deliverables from usability professionals must be highly usable Reports,

Do gma 1 Deliverables from usability professionals must be highly usable Reports,

Myths about usability testing Copies of Slides U X Day Graz 2013 F ive use rs will find 85% o f the usability pro ble ms Rolf Molich - and o the r myths abo ut DialogDesign usability te sting Do gma 1 Deliverables from

659 views • 18 slides
Rigorous Evaluation Usability Testing To Review - What is Usability? A measure of the quality

Rigorous Evaluation Usability Testing To Review - What is Usability? A measure of the quality

Rigorous Evaluation Usability Testing To Review - What is Usability? A measure of the quality of the users experience when interacting with a product or system How usable is the interface? Usability Measures Ease of learning

912 views • 24 slides
USABILITY INTRODUCTION USABILITY AND USER INTERFACE DESIGN TO BE PREPARED FOR THIS CLASS YOU

USABILITY INTRODUCTION USABILITY AND USER INTERFACE DESIGN TO BE PREPARED FOR THIS CLASS YOU

USABILITY INTRODUCTION USABILITY AND USER INTERFACE DESIGN TO BE PREPARED FOR THIS CLASS YOU WILL HAVE WORKED THROUGH THE LYNDA.COM UX-1 SECTION. FOR THIS CLASS USABILITY WHAT is Usability? WHY is Usability important? USER

611 views • 21 slides
Web Design and Usability CSE 190 M (Web Programming) Spring 2007 University of Washington

Web Design and Usability CSE 190 M (Web Programming) Spring 2007 University of Washington

CSE 190 M: Web Design and Usability Page 1 Web Design and Usability CSE 190 M (Web Programming) Spring 2007 University of Washington References: J. Nielsen's Designing Web Usability (2) What is usability? usability: the effectiveness with

187 views • 6 slides
Usability and Eye Tracking Marco Pretorius Usability Manager & Researcher UNISA: School of

Usability and Eye Tracking Marco Pretorius Usability Manager & Researcher UNISA: School of

Usability and Eye Tracking Marco Pretorius Usability Manager & Researcher UNISA: School of Computing Agenda Introduction What is usability? User-centered design Eye tracking Benefits and ROI UNISA usability

931 views • 60 slides
Ergonomi mics and usability usability tes3ng s3ng in in the the de design sign of f

Ergonomi mics and usability usability tes3ng s3ng in in the the de design sign of f

Ergonomi mics and usability usability tes3ng s3ng in in the the de design sign of f applic applica3o a3ons f ns for c r chr hronic nic c condi3o ndi3on n ma manageme ment and health promo mo3on Ba Backg ckgrou ound

637 views • 34 slides
Topics in Usability Testing [Reading assignment: Chapter 11, pp. 169-182] Software Usability

Topics in Usability Testing [Reading assignment: Chapter 11, pp. 169-182] Software Usability

Topics in Usability Testing [Reading assignment: Chapter 11, pp. 169-182] Software Usability Eventually a person will interact with a software system. Software usability is how: appropriate functional effective that

678 views • 21 slides
My Background curiosities and interests getting a career Usability A recent

My Background curiosities and interests getting a career Usability A recent

Agenda My Background curiosities and interests getting a career Usability A recent gradate perspective Usability in the industry Some good usability resources. 2 Auckland University CS 345 My background Psychology

511 views • 5 slides
AMIA Usability Task Force HIMSS Usability Task Force Robert Schumacher, Janey Barnes

AMIA Usability Task Force HIMSS Usability Task Force Robert Schumacher, Janey Barnes

AMIA Usability Task Force HIMSS Usability Task Force Robert Schumacher, Janey Barnes original learning module creators Formative Usability Testing is a methodology used to obtain qual alitati ative r e reacti tion ons to

327 views • 15 slides
Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing

Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing

Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing using a structured process Validate adherence to interaction requirements Actual users who perform realistic and representative tasks

490 views • 38 slides
Universal Usability Ethical, good business, the law SWEN-444 Topics Universal usability and

Universal Usability Ethical, good business, the law SWEN-444 Topics Universal usability and

Universal Usability Ethical, good business, the law SWEN-444 Topics Universal usability and software ethics Visually impaired Deaf and hard of hearing Dexterity and mobility impairments Section 508 the law Universal

593 views • 33 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Medical Device Usability David Adams Global Head, Active Medical Devices Add logo on slide 4

Medical Device Usability David Adams Global Head, Active Medical Devices Add logo on slide 4

Medical Device Usability David Adams Global Head, Active Medical Devices Add logo on slide 4 here Topics What is usability? Why usability is so important The regulatory requirements EN 62366 Usability engineering process

789 views • 38 slides
SunyoungKim,PhD Last class Normans design principles Recap. Usability Usability is a

SunyoungKim,PhD Last class Normans design principles Recap. Usability Usability is a

Human-Computer Interaction 18. Design Mobile Design Principles SunyoungKim,PhD Last class Normans design principles Recap. Usability Usability is a measure of the effectiveness, efficiency and satisfaction with which specified

921 views • 75 slides
Perceived Usability Usefulness and measurement James R. Lewis, PhD, CHFP Distinguished User

Perceived Usability Usefulness and measurement James R. Lewis, PhD, CHFP Distinguished User

Perceived Usability Usefulness and measurement James R. Lewis, PhD, CHFP Distinguished User Experience Researcher jim@measuringu.com What is Usability? Earliest known (so far) modern use of term usability Refrigerator ad from

475 views • 35 slides
KDE Usability Project August 9 2008 Celeste Lyn Paul celeste@kde.org KDE Usability Project

KDE Usability Project August 9 2008 Celeste Lyn Paul celeste@kde.org KDE Usability Project

1 The Past, Present, and Future of the KDE Usability Project Looking Back and Moving Forward The Past, Present and Future of the KDE Usability Project August 9 2008 Celeste Lyn Paul celeste@kde.org KDE Usability Project usability.kde.org

780 views • 48 slides
Usability Testing Student Web Presence Guidelines So what do we mean by usability? Watching

Usability Testing Student Web Presence Guidelines So what do we mean by usability? Watching

Usability Testing Student Web Presence Guidelines So what do we mean by usability? Watching people try to use what you have designed with the intention of (a) making it easier for people to use or (b) proving that it easier to use."

139 views • 13 slides
10 Usability Epiphanies for your Open Source web app. Sigurd Magnusson

10 Usability Epiphanies for your Open Source web app. Sigurd Magnusson

10 Usability Epiphanies for your Open Source web app. Sigurd Magnusson twitter.com/sigurdmagnusson Why care? ROZO ROMEO T.C.O. Making FOSS accessible to the mainstream [through good usability] may be the difference between an uphill

881 views • 39 slides
Android app usability a.k.a Making an app useful Riaan Cornelius Topics Because nobody likes a

Android app usability a.k.a Making an app useful Riaan Cornelius Topics Because nobody likes a

Android app usability a.k.a Making an app useful Riaan Cornelius Topics Because nobody likes a surprise A quick intro to usability What, Why, How and When? Usability Heuristics Quick intro to the design process requirements

293 views • 26 slides
Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

785 views • 39 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
gruvi graphics + usability + visualization gruvi graphics + usability + visualization

gruvi graphics + usability + visualization gruvi graphics + usability + visualization

Gradient Estimation Revitalized Usman R. Alim 1 oller 1 Laurent Condat 2 Torsten M 1 Graphics, Usability, and Visualization (GrUVi) Lab. School of Computing Science Simon Fraser University 2 GREYC Lab. Image Team Caen, France gruvi graphics

532 views • 39 slides
Human-Computer Interaction Termin 8: Statistical analysis Model-based usability evaluation 1

Human-Computer Interaction Termin 8: Statistical analysis Model-based usability evaluation 1

Human-Computer Interaction Termin 8: Statistical analysis Model-based usability evaluation 1 MMI/SS06 Evaluation W hy ? Need Usability and Efficiency What ? Usability c riteri a W here ? F i eld stud y or lab experiment W ho ?

683 views • 32 slides
Usability testing on steroids How to get feedback from more people in less time Dr Nikiforos

Usability testing on steroids How to get feedback from more people in less time Dr Nikiforos

Usability testing on steroids How to get feedback from more people in less time Dr Nikiforos Karamanis Senior User Experience Designer European Bioinformatics Institute niki@ebi.ac.uk @technorasis What is usability testing? Traditional

893 views • 24 slides

More recommend