People in information security know to heed the advice of Bruce Schneier. What we often forget to do, however, is heed the advice of Don Norman, who is considered to be the father of User Experience design. In fact, when Apple hired Norman in 1993 as an Apple Fellow and User Experience Architect he was probably the first person ever to have the phrase “User Experience” in his job title.
Norman earned a Bachelor's Degree in Electrical Engineering and Computer Science from MIT followed by a PhD in Mathematical Psychology from the University of Pennsylvania. He worked as an engineer and computer scientist for a number of years, but the human element of technology always fascinated him. In 1979, he helped found the Institute for Cognitive Science at University of California San Diego.
On coining the phrase User Experience, Norman said, “I invented the term because I thought Human Interface and usability were too narrow. I wanted to cover all aspects of the person’s experience with a system, including industrial design, graphics, the interface, the physical interaction, and the manual.”
If we review what was being developed at Xerox PARC in the 1970s, we can see that Norman wasn't alone in his thinking about how technology could be more user friendly. Many of us are aware that the GUI and mouse were developed at Xerox. However, instead of becoming a patented and profitable product line for Xerox, Apple and Microsoft jumped on the ideas and successfully used and marketed them. Xerox’ work and research happened before “User Experience” or UX for short, became a bonafide area of study.
Norman's seminal book, The Design of Everyday Things, was ground-breaking when it was published in 1986. It can be credited with changing how people thought about interactions between humans and technology. Much has changed since then. Today most tech companies around the world have dedicated staff who focus on improving user experience.
In information security, we often feel that there is a compromise that needs to be made between usability and security - they can seem at odds. However, sometimes increasing usability may actually increase security, too! To elaborate on this, effectively securing endpoints requires user cooperation, whether the client machine or mobile device is being used by an employee or a consumer. When made aware of the issues, people will be concerned about security and will generally want to use their computer technology in more secure ways, as long as they can understand what's going on and it doesn't involve too much hassle or inconvenience on their end.
Recently, major technology vendors, in neglecting basic UX and UI design principles, have failed to aid users in making their devices more secure, as evidenced by the following example:
The ASUS SoHo Router Design Flaw
ASUSWRT's GUI contained two settings in the firewall section that were written as “Enable Web Access from WAN: No” and “Enable Firewall: Yes.” Unfortunately, even if “Enable Firewall” was set to “No,” public internet access to the router's admin panel would still be granted, even if “Enable Web Access from WAN” was set to “No.” Even I, with my network adminstration experience, would find that confusing.
The ASUSWRT firmware’s UI design had quirks that were reflected in how the iptables service works with the firewall in regards to its configuration lines. It seems like whoever designed the UI was thinking of technicalities rather than how something would be interpreted by a user. This situation reminds me of the error message pop-up of Microsoft Windows 3.1 through 98: “This program has performed an illegal operation and will be shut down.” Most consumers in North America would understand that they didn't perform a criminal act. However, with many millions of users worldwide, it wouldn't surprise me if thousands of users thought they may be in trouble with the cops! That error message wording didn't even give users with common sense a good idea of what happened.
That particular vulnerability in ASUSWRT's admin panel UI design was particularly problematic when you consider how many users don't change their router's default username and password. Fortunately, ASUS updated ASUSWRT's UI to patch the problem Longenecker informed them about.
The Microsoft Office Macro Malware Resurgence
For those of us who research malware will probably still remember the Melissa virus, one of the earliest Microsoft Office macro viruses. It first appeared all the way back in March 1999, when people were just starting to worry about the Y2K bug.
Victims would receive an email with “Important Message From x” in the subject line, “Here is that document you asked for... don't show anyone else 😉” in the body, and a malicious Microsoft Word document attached. If a user opened the document, then the first fifty contacts in their Outlook address book would get the same email, with the name of the last victim in the subject line. Users are much more likely to open an email attachment from somebody that they trust, never guessing that the email they received was simply written by a script on an infected PC. This malware spread rapidly within a few days, costing American businesses an estimated $80 million. Even Microsoft was affected!
Microsoft Office macro malware proliferated in the late 1990s and early 2000s, and many of these operated in a similar manner as Melissa. One of Microsoft's reactions was to add a warning pop-up when users tried to launch a document with a macro: “The document you are opening contains macros or customizations. Some macros may contain viruses that could harm your computer.” That pop-up proved to be rather effective at preventing the transmission of macro malware, and by the mid 2000s, instances of Microsoft Office macro malware had become rare.
However, with Office 2010, Microsoft changed the way that users were warned about macros. Instead of an advance pop-up, a notice would appear in a notification bar after a macro was opened: “SECURITY WARNING. Macros have been disabled.” This message was a lot more confusing to many users, and no longer informed them about the dangers associated with macros. By the time Microsoft Office 2013 came along, there was even a button that allowed users to “Enable Content.” This “content” could include macros, and we all know that users love to click on buttons! In this way, a simple UI change enabled a new resurgence of Microsoft Office macro malware.
So How Do We Solve Endpoint UX Problems?
Researcher Tom Vogt has noted
[www.lemuria.org/security/UI_vs_Security.pdf] (no longer available) that UX designers should gently lead users towards utilizing their computing devices in more secure ways.
Users are typically overwhelmed by how many passwords they use these days. Enforcing complexity in password policy illustrates the classic usability versus security problem. Vogt suggests that we should find alternatives to passwords for secure authentication as much as possible. For example, maybe consumer devices should incorporate biometric authentication a lot more often?
Vogt says that confirmation dialogues, such as pop-ups for UAC (User Account Control) in Windows, are also a poor design choice. If they're very frequent in a user's everyday life with technology, they may just quickly click on “OK” on any pop-up before reading it properly to make an educated decision.
In a nutshell, Vogt recommends that UIs should be unobtrusive, and developers must also think about human nature and psychology when designing interfaces. In my opinion, whenever I grant “sudo” to do any sort of adminstrative activity in my desktop Linux environment with a BASH command, that's less obtrusive than Windows' UAC.
The bottom line: in the computer technology industry, information security professionals and UX design professionals have been segregated from each other for far too long. Tech companies must encourage InfoSec people and UX people to work hand in hand when designing user interfaces!