Usable security is a delicate balance. Research Saturday


Hello everyone and welcome to the CyberWire's these and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace at Next Work Twenty nineteen to learn share and collaborate with game changers from with over forty breakouts and masterclasses led by distinguished engineers as well as various slash Ns t. w. r. k. and we thank Juniper for sponsoring the last gap and data security protecting data in use. It's the industry's first and perform calculations on sensitive data all without ever decrypted anything I think there oversee and security laboratory at Carnegie Mellon University the research we're discussing old a usable privacy tool and went to look at what other people had done searchers that started talking around then and that spurred interest in this and so now it's becoming much more common for companies had it not really bubbled up to the top at that point well I think that a lot all very mathematical and their attitude was you know we're not experts and what happened is there wasn't time the product shipped without doing the usability work or then PGP I came out and there was some excitement about that that we we were going it really was a big problem and one of the first research papers in this area was so I mean in a basic level how do you define usability figure out how to use that people can use correctly without making errors without flow without having to stop doing whatever it is they really wanted to do in order to do it usability in a variety of contexts and we try to do user studies excusable security different than any old usability testing crypt decrypt my email but I need to be able to recognize when someone he's in the space we need to make the participants in the study feel yeah so we need to design putting them at risk and sometimes we do it by telling them upfront this is a hypothetical payments for being safe and try to simulate it through money sometimes and we tell them hey don't worry you weren't actually
arrest we faked all that so as an example of on shopping study and we had them go online and purchase some inexpensive items shing email that looked like it came from the vendor they just made the purchase from and then uh-huh and almost all of them would then click on the phishing link which would then trigger they pay attention to it and it's fascinating are there common misperceptions roll your eyes you you shake your head and you say that again yes so I think that it to it's kind of like you know once you know something it's hard to imagine what it was like before you knew it and so I think because they want to I'm trying to send this email I'm not trying to encrypt to the end user at the end of the day yeah yeah that's fascinating what about that tension uh-huh and perception that you know Macs are easy to use and PCs are harder there's a balance between usability but also not frustrating your users that they're interfaces for control are pretty hard the more choices you give users and make those decisions and so I think there's a delicate balance between offering who want to get down into the nitty gritty can but everybody else can just make a high level as you know option a option B.
or I want to configure option a disability is there an element of fashion associated with this in other words only a lot of copying of user interface and I think that's actually usually a a new thing in the top corner the first time I saw it it's like three line stat comparison aligns day changed made them vertical lines then no one would know what that meant similar patterns across different products and services now one of the so the problem we're trying to solve here is people here that security and privacy and you wanna find out well which brand should I buy to avoid the security and in labels that you find on food products that would have security and privacy information error their security and privacy features so we have been working on designing water thank users need to know and based on that we've come up with a proposal reading on on what should be in that label and I think that leads us to a conversation about public else and so forth how do they have to consider these sorts of elements of security but more recently I think that's been coming up as an issue you know the Federal Trade in privacy and so companies will settle with the FTC thanks have they solve the problem and there's not kind of a strict I think it's something that the FTC and and other agencies that worry about these things actually are informed and meaningful when you look at what Congress is doing we're seeing in some of these proposed bills is that you have to inform consumers Moore's if there is a microphone or video camera we don't have too much detail about say hey here is a way to do it adopt this so we'll see what happens so many different things right now we're busy looking at how to improve flee will make some good progress on that also doing work on passwords I remember and and us so some of the work that we've done on that actually recommendations for companies who as they're doing their development they know that this is something have to actually do user studies and you know
that's something that as I said earlier doing it and they have teams they hire my former students graduates are now is earth our thanks thanks to Juniper Networks for sponsoring our show you can learn more at Juniper dot net at Yale Dot com the CyberWire Research Saturday is proudly produced are amazing CyberWire team Stefan vizier.
