Jason I. Hong

1
Human Computer Interaction,Security, and Privacy

• Jason I. Hong

2
Everyday Security Problems
3
Everyday Security Problems
4
Everyday Security Problems
5
Everyday Security is Important

• People increasingly asked to make trust decisions
• Open this email attachment?
• Install and run this software?
• Enter username and password?
• Consequence of wrong trust decision can be
  dramatic
• Spyware
• Malware (viruses, worms)
• Identity theft
• But these trust decisions only part of
  bigger picture of usable privacy
  and security

6
Costs of Unusable Security Privacy High

• Still lots of unpatched Windows machines
• Phishing web sites increasing by 28 each month
• Lots of PCs infected with spyware
• Users have more passwords than they can remember
  and practice poor password security
• Enterprises store confidential information on
  laptops and mobile devices that are frequently
  lost or stolen

7
Grand Challenge

• Give end-users security controls they can
  understandand privacy they can control forthe
  dynamic, pervasive computing environments of the
  future.
• - Computing Research Association 2003

8
Good Usability is Key

• Still lots of unpatched Windows machines
• Phishing web sites increasing by 28 each month
• Lots of PCs infected with spyware (avg. 25)
• Users have more passwords than they can remember
  and practice poor password security
• Enterprises store confidential information on
  laptops and mobile devices that are frequently
  lost or stolen

• Design / implementation failure, but
• Not man-in-middle
• Not encryption failure
• A lot of people dont realize you have to keep
  system up to date

9
Good Usability is Key

• Still lots of unpatched Windows machines
• Phishing web sites increasing by 28 each month
• Lots of PCs infected with spyware (avg. 25)
• Users have more passwords than they can remember
  and practice poor password security
• Enterprises store confidential information on
  laptops and mobile devices that are frequently
  lost or stolen

• SSL, email headers, certificates, URLs pretty
  much all in place
• A lot of people still fall for simple attacks,
  just straight email
• Dont realize mail is spoofable
• Cant differentiate fake sites from real web
  sites

10
Main Points of Todays Talk

• People are a critical and often overlooked aspect
  of the systems we design
• We need to design systems that mesh well with
  peoples existing knowledge and abilities
• Otherwise, your security mechanisms will be
• Overlooked (leading people to do the wrong
  thing), or
• Subverted (so people can get their work done)

11
Outline

• Whirlwind Overview of HCI-Security
• Passwords
• File permissions
• Web
• Design Guidelines

12
Outline

• Whirlwind Overview of HCI-Security
• Passwords
• File permissions
• Web
• Design Guidelines

13
PasswordsTypical Advice

• Pick a hard to guess password
• Dont use it anywhere else
• Change it often
• Dont write it down
• Implications?

14
Many Homes and Offices
15
Solutions?

• Password Keeper Software
• Run on PC, in web browser, or handheld
• Only remember one password
• Single sign-on
• Login once to get access to all your passwords
• PwdHash Web Browser plug-in (Stanford)
• User only needs to remember one password
• Automatically hashed by web site

16
Biometrics
17
Graphical Passwords
18
Forgotten Password Mechanism

• Email password or magic URL to address on file
• Challenge questions

For all practical purposes, this is the standard
way to access infrequently used sites
19
Summary Solving the password proliferation
problem

• Existing solutions (password keepers and
  fingerprint readers) let users to cope, but still
  have problems
• Graphical passwords look promising, but more
  research needed
• Need to think about solutions that eliminate
  passwords altogether

20
File Permissions

• Rob Reeder and Roy Maxion (here at CMU)
• Old MS Windows file sharing UI
• Lets say you wanted to make sure user Alice
  couldnt see your files
• (or let unscrupulous Republican aides see your
  files)

21
Steps to Do Check Permissions
22
Salmon User Interface
23
Salmon User Interface

• Add users you are interested in seeing or
  modifying permissions for

24
Salmon User Interface

• Expand file permissions
• (Turns out that in user studies, some people
  didnt realize Change Permissions and Take
  Ownership also had to be changed)
• Still a lot of permissions, perhaps collapse
  into most important

25
Salmon User Interface

• Preview effects of permissions before making
  changes
• Shows effective permissions after merging all
  user and group permissions

26
Kazaa File Sharing Study

• Good and Krekelberg, CHI 2003
• Given an arbitrary setup of Kazaa, would people
  be able to understand what files could in
  theory be downloaded by others?

27
Kazaa File Sharing Study
28
Kazaa File Sharing Study
29
Kazaa File Sharing Study
30
Kazaa File Sharing Study

• Three main problems with Kazaa UI
• Any guesses?

31
Kazaa File Sharing Study

• Three main problems with Kazaa UI
• Downloaded files folder is also shared folder
• Users have to realize this, or very bad things
  happen

32
Kazaa File Sharing Study

• Three main problems with Kazaa UI
• Downloaded files folder is also shared folder
• Kazaa recursively shares folders
• Again, users have to know this beforehand

33
Kazaa File Sharing Study

• Three main problems with Kazaa UI
• Downloaded files folder is also shared folder
• Kazaa recursively shares folders
• Inconsistent views
• Two UIs for doing similar tasks, but show
  different information about state of system

34
Kazaa File Sharing Study

• 12 users, 10 had used file sharing before
• Figure out what files are being shared by Kazaa
• Download files set to C\ (ie all files on
  hard drive C)
• Results
• 5 people thought it was My Shared Folder
• which one UI did suggest
• 2 people used Find Files to find all shared files
• This UI had no files checked, thus no files
  shared?
• 2 people used help, said My Shared Folder
• 1 person couldnt figure it out at all
• Only 2 people got it right

35
Summary File Sharing

• Understanding what is and isnt being shared is
  difficult
• But can lead to bad situations
• Need to make an invisible aspect of system
  visible
• Need to make controls simple
• Need to provide useful feedback
• More on this in the Design part of talk

36
Outline

• Whirlwind Overview of HCI-Security
• Passwords
• File permissions
• Web
• Design Guidelines

37
User Conceptions of Web Security

• Friedman et al, CHI2003
• What do people think the lock icon in browsers
  mean?
• Survey of 72 people
• 24 rural Maine
• 24 suburban NJ
• 24 high-tech CA

38
User Conceptions of Web Security

• Recognize a secure connection vs non-secure
• About half could (https, lock icon)
• Participants asked to draw a secure connection
• 40 got a right answer
• 14 people thought of it as a secure place vs
  secure in transit
• Ex. Data safe on server and protected by firewall
• High-tech people not always accurate

39
Web Cookies

• Cookies are small pieces of data for tracking
• Session state, personalization, etc
• Can also be potential privacy risk
• DoubleClick, web image bugs
• Public understanding of cookies and implications
  slowly growing

40
Providing Better Awareness
41
Acumen Collaborative Filtering
42
Summary Web

• Users conceptions of security dont always match
  system designers
• Current browser cookie interfaces still dont
  make sense to users
• New approaches should be explored and tested
• Make cookies more visible
• Use community recommendations to manage cookies

43
Outline

• Whirlwind Overview of HCI-Security
• Passwords
• File permissions
• Web
• Design Guidelines

44
Design Guidelines

• Whole courses you can take
• Two parts today
• General human-computer interaction (most)
• Specific to hci-security (unfortunately short)

45
HCI Approach to UI Design

• Other considerations we wont look at
• Business models, level of fun

46
Myths about Good Design

• Myth 1 Good design is just common sense
• why are there so many bad web sites? hard to use
  apps?
• Myth 2 Only experts create good designs
• experts faster, this course is on simple and
  effective techniques anyone can apply
• Myth 3 We can fix the user interface at the end
• good design is more than just user interface
• having right features, building those features
  right
• Myth 4 Good design takes too long / costs too
  much
• simple and effective techniques that can reduce
  total development time cost (finds problems
  early on)

47
Myths about Good Design (cont.)

• Myth 5 Good design is just cool graphics
• graphics part of bigger picture of what to
  communicate how
• Myth 6 Customers can rely on documentation
  help
• help is the last resort of a frustrated customer
• Myth 7 Marketing takes care of understanding
  customer needs
• does not help you understand behavior
• what people say vs. what they do and what they
  actually need
• Myth 8 Quality Assurance ensures our product
  works
• QA makes sure product meets specification, not
  what happens w/ real customers on real problems

48
Who Builds User Interfaces?

• A team of specialists (ideally)
• graphic designers
• interaction / interface designers
• information architects
• technical writers
• marketers
• test engineers
• usability engineers
• software engineers
• users

49
How to Design and Build UIs

• User interface design process
• Usability goals
• User-centered design
• Task analysis contextual inquiry
• Rapid prototyping
• Evaluation
• Programming

50
User Interface Development Process
Customers, Products, Business, Marketing
Customers, Products, Business, Marketing
Customers, Products, Business, Marketing
Design Exploration
Evaluate
Execute
Design Discovery
Work together to realize the design in
detail. Evaluate with Customers
Customers - Roles (Who) - Tasks (What)
- Context (Stories) Marketing - Business
Priorities - Messages Technology -
Products - Architecture Design -
Leading/competing technologies
Storyboard
Review Iterate
Design Definition - Design Problem Statement -
Targeted User Roles (Who) - Targeted User Tasks
(What) - Design Direction Statements
Specification Hi Fidelity, Refined Design -
Based on customer feedback - Foundation in
product reality - Refined Design description
Proposal Demos/ Lo Fi Prototypes (How)
based on slide by Sara Redpath, IBM Thyra
Trauch, Tivoli
51
Iteration

• At every stage!

52
Design

• Design is driven by requirements
• what the artifact is for
• not how it is to be implemented
• e.g., PDA not as important as mobile app.
• A design represents the artifact
• for UIs these representations include (?)
• screen sketches or storyboards
• flow diagrams/outline showingtask structure
• executable prototypes
• representations simplify

Write essay start word processor write
outline fill out outline Start word processor
find word processor icon double click on
icon Write outline write down high-level
ideas . . .
53
Web Design Representations
Site Maps
Storyboards
Schematics
Mock-ups
54
Usability Goals?

• According to the ISOThe effectiveness,
  efficiency, and satisfaction with which specified
  users achieve specified goals in particular
  environments
• This does not mean you have to create a dry
  design or something that is only good for novices
  it all depends on your goals

55
Usability Goals

• Set goals early later use to measure progress
• Goals often have tradeoffs, so prioritize
• Example goals

• Learnable
• faster the 2nd time so on
• Memorable
• from session to session
• Flexible
• multiple ways to accomplish tasks

• Efficient
• perform tasks quickly
• Robust
• minimal error rates
• good feedback so user can recover
• Pleasing
• high user satisfaction
• Fun

56
User-centered Design

• Cognitive abilities
• perception
• physical manipulation
• memory
• Organizational / job abilities
• Keep users involved throughout
• developers working with target users
• think of the world in users terms
• understanding work process
• not technology-centered/feature driven

Know Thy User
57
Task Analysis Contextual Inquiry

• Observe existing work practices
• Create examples and scenarios of actual use
• Try-out new ideas before building software

58
Rapid Prototyping

• Build a mock-up of design so you can quickly test
• Low fidelity techniques
• paper sketches
• cut, copy, paste
• Interactive prototyping tools
• HTML, Visual Basic, HyperCard, Director, Flash,
  DENIM, etc.
• UI builders
• Visual Studio .NET, JBuilder

59
Low-fi Sketches Storyboards
60
Low-fi Sketches Storyboards
61
(No Transcript)
62
(No Transcript)
63
Evaluation

• Test with real users (participants)
• w/ interactive prototype
• low-fi with paper computer
• Build models
• GOMS
• Low-cost techniques
• expert evaluation
• walkthroughs
• online testing

64
Conducting a Test
65
Conducting a Test
66
Conceptual Models

• Mental representation of how object works how
  interface controls affect it
• People may have preconceived models that are hard
  to change
• (4 5) vs. (4 5 )
• dragging to trash?
• delete file but eject disk
• Interface must communicate model
• visually
• online help and documentation can help,
  but shouldnt be necessary

67
Refrigerator
freezer
fresh food

• Problem freezer too cold, but fresh food just
  right

68
Refrigerator Controls
Normal Settings C and 5 Colder Fresh Food C and
6-7 Coldest Fresh Food B and 8-9 Colder
Freezer D and 7-8 Warmer Fresh Food C and
4-1 OFF (both) 0

• What is your conceptual model?

69
A Common Conceptual Model
cooling unit
cooling unit

• independent controls

70
Actual Conceptual Model
cooling unit

• Now can you fix the problem?
• Possible solutions
• make controls map to users model
• make controls map to actual system

71
Design Model User Model

• Users get model from experience usage
• through system image
• What if the two models dont match?

72
Conceptual Model Mismatch

• Mismatch between designers users conceptual
  model leads to
• Slow performance
• Errors
• And inability to recover
• Frustration
• ...

73
HCI-Security

• Make it just work
• Invisible security
• Ex. SSL, HTTPS
• Train the user
• Ex. Corporate training, military
• Unlikely for consumers, however
• Make security and privacy understandable
• Make it visible
• Make it intuitive
• Use metaphors that users can relate to

74
HCI-Security

• Developers should not expect users to make
  decisions they themselves cant make
• 1. Get the defaults right
• 2. Present choices, not dilemmas
• Chris Nodder (in charge of user experience for XP
  SP2)

75
Firefox security assumptions

• Users want to believe that their products are
  keeping them secure.
• Users do not want to be responsible for, nor
  concern themselves with, their own security.
• We know more about security than our users do.
• - Blake Ross

76
Optimistic vs Pessimistic Security

• Pessimistic Security tries to prevent problems
• Ex. Access control lists
• Basically anything that needs lots of
  configuration up front
• Optimistic Security tries to detect problems and
  fix afterwards
• Ex. Emergency rooms
• Ex. Some help desks
• Ex. ATT Friend Finder
• Depends on your goals, needs, and risks

77
Main Points of Todays Talk

• People are a critical and often overlooked aspect
  of the systems we design
• We need to design systems that mesh well with
  peoples existing knowledge and abilities
• Otherwise, your security mechanisms will be
• Overlooked (leading people to do the wrong
  thing), or
• Subverted (so people can get their work done)

78
Further Reading
http//cups.cs.cmu.edu/soups/
79
(No Transcript)
80
General HCIEmpathy

• Lets say youre an engineer
• Developed a great VCR
• Uber-remote control
• High fidelity
• The whole works!
• However, complaints start coming in
• Cant figure out how to record something
• Cant figure out how to view TV channels when VCR
  on
• Cant figure out how to change clock time
• Natural engineer reaction?

They must be stupid!
81
General HCIEmpathy

• Suppress this, and see things from their point of
  view
• Slashdot, help desk jokes, etc
• Naïve users
• Naïve brain surgeon?
• We are designing systems for people
• We want to see our systems succeed
• Can be painful process, but empathy and respect
  for users necessary to good design