Designing user interfaces - PowerPoint PPT Presentation

Slides: 34
Provided by: laszlo6

Transcript and Presenter's Notes

1
Designing user interfaces
  • An overview

2
Details of physical design
  • Security design - Inadvertent errors
      • h/w failures
      • s/w failures
      • data errors (audit trails and check digits)
  • Remedies for inadvertent errors
      • periodic backups
      • stored replacement parts for h/w
      • off-site processing contracts
      • priority service contracts
      • data entry verification and correction procedures

3
Details of physical design
  • Security design - Crime
      • Physical crime
      • Software crime
  • Security design - Spyware and Greyware
      • Do you have to open greyware to be infected?
      • Sources of greyware
          • Downloading shareware, freeware, or other forms of file sharing services
          • Opening infected emails
          • Clicking on pop-up advertising
          • Visiting frivolous or spoofed web sites
          • Installing Trojan applications

4
What are greyware?
  • Spyware
  • Adware
  • Dialers
  • Gaming
  • Peer-to-peer (P2P)
  • Hijackers
  • Plugins
  • Remote administration tools
  • Download managers

5
Symptoms of the presence of greyware
  • Slower processing - greyware is using the CPU
  • Send and receive lights on cable/DSL modem or the
    network/modem icons on the task bar are flashing
    to indicate traffic
  • Display - pop-up messages and advertisements
    appear when the PC is not connected to the
    Internet or when the browser is not running.
  • Home page changed - from selected default and
    browsing did not instigate the change.
  • Search engine changed - from the default setting
    and search results are delivered by an unexpected
    search site.

6
Symptoms (contd)
  • Favorite list - modified in web browser.
    Changing it back or removing the new additions
    does not work.
  • Antivirus/Anti-Spyware program - or other
    security related programs stop working. Receive
    warnings of missing application files and
    replacing them does not solve the problem.
    Sophisticated grayware applications may disable
    popular security programs before installing
    themselves.

7
Protection against greyware
  • User education
  • Host based anti-greyware protection
  • Network based anti-greyware protection
  • Sites to visit (copy paste the links)
      • http://www.csoonline.com/read/110104/sware.
      • http://www.computerworld.com/securitytopics/security/story/0,10801,97279,00.html?SKCsecurity-97279

8
International risks
  • Levels of risk to your IS internationally
      • Physical risks to hw
          • Quality issues
          • Attack
      • Risk to sw
          • Quality
          • Conversion/translation issues
      • Risks to personnel
  • http://www.csoonline.com/read/093004/risk.html

9
Details of physical design (contd)
  • Prevention of crime
      • Physical - locks, biometrics, dial backs, cameras
      • Software - encryption, firewalls, domestic
        translation/internationalization
      • Regulatory - organizational policies, laws,
        background checks (also foreign?)
      • Regulation of phone use
      • Regulation of e-mail and instant messaging (IM)
          • Microsoft's MSN Messenger, AOL's AIM, and Yahoo!
            Messenger
      • Formulate security policies and procedures

10
Details of physical design
  • Process design
  • DFDs
  • verify with user
  • Network access design
  • Applications access
  • Access from varied locations
  • Access by varying hardware
  • Documentation
  • Document process steps
  • Identify points of input and output
  • Identify points of control
  • User walk-through

11
Types of outputs
  • Printed
  • line printer
  • laser printer
  • Screen output
  • Microfilm/fiche output
  • Voice output

12
Types of reports (contd)
  • Internal vs. external reports
  • Exception reports
  • Summary/ Management reports
  • Scheduled/Periodic reports
  • On-demand/On-request reports
  • Ad hoc reports

13
Details of physical design
  • Designing reports
  • identify targets of reports
  • layout of reports
  • title
  • column headers and footers
  • column and row design (size, format)
  • laying out forms
  • Screen layout forms
  • Left justified layout
  • Butterfly layout
  • tools for the analyst

14
Types of inputs
  • VDT
  • Key-to-tape and key-to-disk
  • Speech
  • OCR
  • POS
  • Turnaround documents

15
Details of physical design
  • Designing dialogues
  • identify users of dialogue
  • select type of dialogue to fit situation
  • menu selection
  • question/answer
  • form fill
  • sketch flow of dialogue
  • specify needed response times e.g.
  • display rate
  • user think time
  • user response time
  • apply a user point of view
  • Software tools
  • Input charts

16
Details of physical design-I/O contd
  • dialogue design dos and don'ts
  • use simple, grammatically correct sentences.
  • don't be funny or cute
  • don't be condescending (don't offer rewards or
    punishments)
  • avoid computer jargon and most abbreviations
  • be consistent in the use of terminology
  • convert instructions into action verbs
  • use words such as PRESS (not HIT or DEPRESS)
  • also, we should say POSITION THE CURSOR (not
    POINT)
  • follow a logical flow

17
Details of physical design
  • Documentation
  • Document process steps
  • Describe points of input and output
  • Discuss points of control
  • User walk-through for understanding
  • Writing users manuals
  • identify who the users are
  • flow of logic should follow user point of view
  • include examples and illustrations
  • consider international users if appropriate
  • ease of update

18
End designing user interfaces

19
What are greyware?
  • Spyware - applications are usually included with
    freeware. Spyware is designed to track and
    analyze a user's activity, such as a user's web
    browsing habits.

20
What are greyware?
  • Adware - used to load pop-up browser windows to
    deliver advertisements when the application is
    open or run.

21
What are greyware?
  • Dialers - used to control the PC's modem. These
    applications are generally used to make long
    distance calls or call premium 900 numbers to
    create revenue for the thief.

22
What are greyware?
  • Gaming - usually installed to provide joke or
    nuisance games.

23
What are greyware?
  • Peer-to-peer (P2P) - applications that are
    installed to perform file exchanges. While
    P2P is a legitimate protocol that can be used for
    business purposes, the grayware applications are
    often used to illegally swap music, movies, and
    other files.

24
What are greyware?
  • Hijackers - applications that manipulate the Web
    browser or other settings to change the user's
    favorite or bookmarked sites, start pages, or
    menu options.

25
What are greyware?
  • Plug-ins - control, record, and send browsing
    preferences or other information back to an
    external destination.

26
What are greyware?
  • Remote administration tools - allow an external
    user to remotely gain access, change, or monitor
    a computer on a network.

27
What are greyware?
  • Download managers - allow other software to be
    downloaded and installed with or without the
    user's knowledge. These applications are usually
    run during the startup process and can be used to
    install
      • advertising,
      • dial software,
      • malicious code.

28
Protection against greyware
  • User education
  • Policies
  • Approved programs lists
  • Information about greyware
  • Increase security settings on browsers
  • Turn off auto-preview in e-mail client

29
Protection against greyware (contd)
  • Host based anti-greyware protection
  • Client based software applications that spot,
    remove, and block spyware.
  • Policies and blockers to prevent disabling of
    greyware/spyware protection.

30
Protection against greyware (contd)
  • Network based anti-greyware protection
  • Install grayware detection on a perimeter
    security appliance where the private corporate
    network connects to the public Internet.
  • Centralizes protection
  • All machines behind perimeter appliance are
    protected
  • What do you do when the user leaves the office
    and is no longer behind the security appliance?
  • Host based protection?

31
Security policies and procedures
  • Security budgets, as a portion of IT budgets,
    need to be increased nationally
  • Average is 9
  • Global average is 11
  • Best practices average is 14

32
Security policies and procedures
  • Separate information security from IT and then
    merge it with physical security.
  • These disciplines can either exist under a single
    CSO or as separate entities governed by an
    executive security committee.

33
Security policies and procedures
  • Conduct a penetration test annually
  • Create a comprehensive risk assessment process -
    prioritize threats and vulnerabilities
  • Define overall security architecture and plan,
    base it on above
      • responsibility structure
      • penetration test
      • risk assessment
  • Establish a quarterly review process