Cyber Security and the Opportunity for User-Centered Design

By Tanya Snook, on
Credit: Perspecsys on Flickr
I am curious. I like to play: with toys, with ideas, with tech. And I used to be very scared of hardware until the cloud came along and I started using all of my tech as dumb-smart devices that simply access stuff stored elsewhere. Now, I'll happily play around with my device configuration knowing that (unless I accidentally brick it), I can just do a factory reset and nothing will be lost (other than a little time in my day).



Which is why I was exploring all of the security and encryption settings on my LG G4 smartphone when I accidentally locked my SIM card.



When you first set up the LG G4, the security settings options allow you to create a 4-digit access code which can be used to lock your SIM. I thought I had skipped the setup originally, so when I came to that screen I entered in what I thought would be a new 4-digit code.



Error message.

Hmm.

Maybe I did set this up.

Enter 2 possible codes.

Then this happened:





PUK Lock Screen
Doh.

Reboot.

Same screen.

Doh.



Google told me I would have to call my service provider to get the unlock code. Thankfully, within a few minutes of calling them, my phone was back in full operational mode.



But locking my SIM card was waaaaaay too easy.



Now, I don't get easily scared by these things. Like I said, I like to play. But I started thinking: what if this had happened to some normal non-nerd user?



Since I started working in Cyber Security a few months ago, I've been studying up on the impact of design on the safety and security of our systems. People are the entire reason we build devices, systems and apps, and yet we treat them with contempt: like they are the weakest link in the chain. We enforce hieroglyphic passwords when groups such as the Electronic Frontier Foundation tell us that:

Computers are now fast enough to quickly guess passwords shorter than ten or so characters. That means short passwords of any kind, even totally random ones like nQ\m=8*x or !s7e&nUY or gaG5^bG, are not strong enough for use with encryption today.
In fact, a sentence with spaces or a series of random short words with spaces can be far more secure, and easier to remember. So why is it that we still develop systems with stringent (and less secure!) password requirements? Or complicated steps that confuse users who will try to circumvent them to make their lives easier... which makes our systems less secure overall.



Part of my work entails looking at the business case for identity management systems, the big question being: why bother? What will make organizations clean their data and provide authoritative credentials into a common repository for re-use in a variety of systems across the enterprise?



Isn't that a crazy question?



Shouldn't it be a no-brainer? And yet, it's not. Really. There are legacy systems to contend with, existing operational requirements, silos, etc etc etc. The idea of creating the ability for users to have a single common identity follow them around during the day and as they move between jobs is an idea we have to sell in order to make it happen. The end user isn't even the focus here; it's the IT crowd. Someone mentioned to me that our total cost of ownership calculations should include the cost of the time people spend logging into apps throughout the day. Of course it should. But that's not what people think about first. They think about the backend client, not the end user's productivity.



Sadly, end users are often considered just that: end users. We think of them at the end. Yet, if we took a more user-centered approach to designing secure systems, not only could we have happier and more productive end users, we could have stronger security overall.