Meetup on Usable Security with Kompetenzzentrum Usability

November 24, 2020

“You don’t need to be a lawyer or a cryptographer to work in security.”

Last Thursday we met to talk about Information Security again. This time we focused on an important aspect when designing secure systems: the user experience. This evening was a cooperation between the Kompetenzzentrum Usability and moinworld. It supports small and medium-sized companies in designing digital technologies in such a way that they can be used easily and experienced positively, funded by the federal ministry for economic affairs and energy (BMWi)

The good thing about remote Meetups is that we can invite international keynote speakers. This evening we had Ame Elliot and Eleanor Saitta - both longtime security experts as guests.

In her opening speech of the evening Ame talked about building trust with UX design.

Following her talk we had a panel discussion on what value design can bring to security and help building products people can trust.

Opening Speach: Building Trust with UX Design: Examples from IoT and beyond by Ame Elliot

Ame Elliott is Design Director at nonprofit Simply Secure, where she cultivates a community of professional designers, developers, and researchers working on privacy, security, and ethical technology. Previously, Ame spent 15 years working in Silicon Valley, as Design Research Lead for IDEO San Francisco, and as a research scientist for Xerox PARC and Ricoh Innovations. She has delivered technology strategy for global clients including Acer, Ericsson, Fuji-Xerox, HP, and Samsung. Ame earned a Ph.D. from the University of California, Berkeley and a Bachelor of Environmental Design from the University Colorado, Boulder.

In her talk Ame focused on understanding the risks to users coming from four different groups: hackers, governments, companies and stalkers. She gave us some ideas about design leadership and some practical advice on how things like style guides can help build trust. She pointed out that we should move the cyber security and privacy conversation away from a negative shaming “no you should not do this” “don’t click these links”.., into something that is more positive and closer to conveying a sense of benefits, something somebody wants. Along with these messages showed us ”You don’t need to be a lawyer or a cryptographer to work in security.” In fact we need different people with different backgrounds, especially designers who can help us change the negative culture we currently have in security.

Ame gave a similar talk at a conference which can be watched here:

Panel on user centered information security

After this talk of Ame we had a panel discussion with different experts.

airbus-moinworld-meetup-protospace.png

The personalities that were part of our discussion

Eleanor Saitta is an independent security and privacy architecture and strategy consultant with media, finance, healthcare, infrastructure, and software clients across the US and Europe. She was previously the security architect for Etsy, Inc., and has worked for a number of commercial consultancies (Bishop Fox, IOACtive, and others) over the past fifteen years.

From Airbus Miriam Göllner, Cyber Security Engineer joined us. Previously she has worked in the public sector developing a Cyber Security solution for the Computer Emergency Response Team in Berlin.

Karoline Busse a computer scientist and researcher with a focus on human-centered security, also lecturer at NSI/HSVN, bringing digital transformation and usable Security into public administration.

Yasemin Acar is a Research Group Leader at MPI-SP Max Planck Institute for Security and Privacy, where she focuses on human factors in computer security. Her research centers humans, their comprehension, behaviors, wishes and needs. She aims to better understand how software can enhance users’ lives without putting their data at risk.

The moderator of this panel discussion was Timo Jakobi. He is consulting for Usable Privacy and PostDoc at Einstein Center Digital Future and University of Siegen.

All together they discussed questions like why should companies care about usable security? Legal challenges of adopting GDPR and making it something meaningful. What would be the answer of usable privacy - how can you communicate you are a trustworthy company? What can the small companies do? Uses in the real world differ from what we think users are doing with our products. What can we do as a company? What kind of expertise do we need on a team that is responsible for building systems?

Examples for usable security

Eleanor pointed out that one way to look at user security - and that is often a point of view that is currently missing in the industry- is “how do we help people accomplish the thing in the world that they are trying to do”. She often sees a lot of focus on “lets make a widget usable” and too little focus on “lets try to understand what users might be trying to accomplish in the world”. That has nothing to do with the system that we are building. We need to understand that user goal in the presence of whatever adversaries they are dealing with.

Karoline mentioned the start of the research field usable privacy which was a study on how users interacted with PGP. The outcome was that users failed in interacting with a technology that was over complex and over complicated. And here we are in 2020 and everybody is using Whatsapp and nobody has to worry about encryption anymore. Encryption has become from this overly complicated monster to this “little nice oh yeah everythings fine you can relax and sit back we got this”. Thats a great example and achievement of usable security Karoline brought up.

Yasemin added we should call it user centered security. To center security around what people are actually doing.

The takeaway: you are not your user - do the security design work. Groups worth looking at are for example sex workers, domestic violance victims, whistle blowers, children rights

As a summary “you are not your user” is the essence of usability but also of designing for usable security and privacy. There might be things people consider private even in the same country other people do not think need to be private. Companies should take a look at who their users are in practise but often it can also be useful to look at user groups who can be especially vulnerable. This involves user research. Groups worth looking at are for example sex workers, domestic violance victims, whistle blowers and union workers. Children rights are also an interesting group to design for and it will lead you to different roads. Also keep in mind that privacy needs of users shift. The threat models are constantly changing during a life. Current solutions most of the time do not really cater to that. Security teams should consist of a good mix of privileges. It is hard to recruit for that. People from different backgrounds and people who are marginalized in different ways bring different perspectives.

If you look at the percentage of the marginalized people in society you might think that those people are not relevant. Then you find out that most of your users have some kind of marginalization, for example parents with small children might not have the same attention or the same capacities that somebody else has. So disability is sometimes something else than what you might think.

It is very difficult to have the building mindset and the braking mindset at the same time. It is useful to have somebody in the team to think about how systems might be abused. You have to make sure that within shipping deadlines security will not be forgotten.

If you are interested and want to learn more about the topic here are some resources to dive into:

Resources that were mentioned during the evening:

We are looking forward to our next meetup! If you are interested in our next events check out our events page!