Helping users make better security decisions by design

As a technically minded individual I fall into the same trap as many others. When designing something I obsess over the implementation and every tiny detail, often over everything except how users will interact with my creation.

Nearly ten years ago I was asked to help design the Sophos Email Appliance. More precisely, I was asked to represent the role of the user in the process.

This was one of the best decisions we ever made from a usability perspective. The technical details of how we would securely provide technical support and auditing still had to be worked out, but just as much time went into how the appliance would work for an administrator.

Many of the same processes were explained by Adam Shostack of Microsoft in the closing talk at Vancouver BSides last week.

Using Star Wars as an example, Shostack explained the importance of context in security prompts and guidelines for designing user experiences that make sense and lead to good security outcomes.

His team at Microsoft has created a wallet card for developers to use when designing security prompts to remind them to think carefully about all of the aspects involved.

The acronyms they chose are NEAT and SPRUCE. Not exactly the easiest to remember, but if you work with them every day they might stick.

Is your security/privacy user interface:

(N)ecessary – Can you change the architecture to eliminate or defer this decision?
(E)xplained – Do you explain everything necessary to make a good decision?
(A)ctionable – Have you determined the steps needed for the user to make the decision?
(T)ested – Is the UX NEAT for all experiences, both benign and malicious?

When you involve the user in a NEAT decision, explain the following six elements:

(S)ource – Clearly state who or what is prompting the user to make a choice
(P)rocess – Give the user actionable steps to follow
(R)isk – Explain what bad thing could happen if the user makes the wrong decision
(U)nique knowledge user has – Tell the user what information they bring to the table
(C)hoices – List available options and clearly recommend one
(E)vidence – Highlight information the user should use to inform their decision

While I don’t use much software from Microsoft (my primary desktop is a Linux box) I have to agree that the NEAT/SPRUCE model results in superior outcomes.

Internet Explorer 9 and 10 do a fantastic job of presenting security information to users. If something is risky and not very important IE doesn’t interrupt your workflow.

Better yet, applications like Office open files in a usable form while quietly warning you about disabled macros.

I can read and use the document safely, and if something doesn’t work the way I expect, I notice the warning, which describes the risks of enabling active content in Office.
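As an added example (not code from this post, Microsoft or Sophos), here is a small Python lint that applies the NEAT "Necessary" gate and the six SPRUCE elements to the macro warning just described. The document fields, the prompt wording and the two sample documents are assumptions made for illustration. It also covers the "Tested for malicious experiences" point: a file that carries its own "Microsoft says: enable content" banner must not be able to supply the Source or Process text of the prompt.

```python
# Added example, not from the original post: a lint for security prompts built
# around the NEAT "Necessary" gate and the six SPRUCE elements.
# The document fields, wording and sample inputs below are assumptions.
from dataclasses import dataclass

SPRUCE = ("source", "process", "risk", "unique_knowledge", "choices", "evidence")


@dataclass
class Choice:
    label: str
    recommended: bool = False


@dataclass
class SecurityPrompt:
    source: str            # (S) who/what is asking; from the platform, never the content
    process: str           # (P) actionable steps for the user
    risk: str              # (R) what goes wrong on a bad choice
    unique_knowledge: str  # (U) what only the user knows
    choices: list          # (C) options, exactly one recommended
    evidence: str          # (E) facts the user should weigh


def lint_prompt(prompt, untrusted_strings=()):
    """Return a list of problems; an empty list means the prompt passes SPRUCE."""
    problems = []
    for name in SPRUCE:
        if not getattr(prompt, name):
            problems.append(f"missing {name}")
    if len(prompt.choices) < 2:
        problems.append("fewer than two choices")
    if sum(1 for c in prompt.choices if c.recommended) != 1:
        problems.append("exactly one choice must be recommended")
    # (T)ested for the malicious case: text taken from the file itself must not
    # end up impersonating the platform in the Source or Process lines.
    for s in untrusted_strings:
        if s and (s in prompt.source or s in prompt.process):
            problems.append("untrusted text appears in source/process")
    return problems


def macro_decision(doc):
    """NEAT (N)ecessary: eliminate or defer the decision before prompting at all."""
    if not doc["has_macros"]:
        return "open"                  # nothing to decide, so no prompt
    if doc["from_trusted_location"]:
        return "open"                  # policy already decided; the architecture trusts this path
    return "open_macros_disabled"      # defer: open a usable form, warn in a non-blocking bar


def build_naive_prompt(doc):
    """The 'before': pastes the document's own banner into the prompt and asks yes/no."""
    return SecurityPrompt(
        source=doc["banner"],          # attacker-controlled text presented as the asker
        process="",
        risk="",
        unique_knowledge="",
        choices=[Choice("OK", recommended=True)],
        evidence="",
    )


def build_macro_prompt(doc):
    """The SPRUCE version: every line built from facts the platform itself knows."""
    return SecurityPrompt(
        source="Office security settings",
        process="Read the document as-is. Enable content only if you were expecting macros.",
        risk="Macros can run code that installs malware or sends your data elsewhere.",
        unique_knowledge="You know whether you asked for this file and whether it normally needs macros.",
        choices=[Choice("Keep macros disabled", recommended=True), Choice("Enable content")],
        # The file name is untrusted, so it is only ever quoted as evidence.
        evidence=f"File {doc['name']!r} arrived from {doc['origin']} and contains macros.",
    )


# Constructed sample document (assumption): a macro-laden attachment whose
# author embedded a banner that tries to sound like the platform.
ATTACHMENT = {
    "name": "invoice.docm",
    "origin": "an e-mail attachment",
    "has_macros": True,
    "from_trusted_location": False,
    "banner": "Microsoft says: Enable Content to view this document",
}

if __name__ == "__main__":
    print(macro_decision(ATTACHMENT))
    print(lint_prompt(build_naive_prompt(ATTACHMENT), [ATTACHMENT["banner"]]))
    print(lint_prompt(build_macro_prompt(ATTACHMENT), [ATTACHMENT["banner"], ATTACHMENT["name"]]))
```

The lint is deliberately mechanical: it cannot tell you whether the wording is good, only whether each SPRUCE element is present, whether exactly one option is recommended, and whether content-supplied strings have leaked into the lines that claim to speak for the platform. Running it over the "before" prompt in a test suite is the cheap way to make the T in NEAT stick.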

Security isn’t always about buffer overflows, zero-days and the red menace “stealing ur corprate secretz”.

Spending extra effort to present users with only usable, informative information goes a long way towards protecting them and enabling them to make the decisions that no amount of additional code can make for them.

Road sign image courtesy of Shutterstock.