Talk: Human Factors Engineering for IT Security

René Pfeiffer/ October 7, 2011/ Conference

Members of IT staff love acronyms such as RTFM, PEBKAC, PICNIC and ID-10T error. They tend to come up whenever human factors play a key role. If you dig deeper and analyse typical situations where human errors are involved, you will end up dealing with user interfaces (UIs) and technical documentation. It's easy to blame operators (no matter whether you look at end users, power users or IT staff) even when the UI or the manual failed before the human erred. This is exactly why the talk Human Factors Engineering for IT Security by Peter Wolkerstorfer (Center of Usability Research and Engineering, CURE) focuses on the human factor in the context of operating security tools through their UI. The user is often the weakest link in the chain, and this has to be understood when designing any IT security system.

Designers and developers have to make sure that their security system can be handled in exceptional situations as well. If you are composed, calm and have ample time to think, you'll probably be fine and won't be confused by complex UIs with funny labels. What about an incident response scenario? Can your security system still be operated by panicked operators? How easy is it to make fatal decisions? Does your system issue warnings or report errors in a way that is easy to understand? This is a crucial point that needs to be reflected in the design of the system. Using practical Web 2.0 examples, Peter's talk highlights the design challenges for modern IT security systems that are used by a mass of end users. A lot of security challenges are caused mainly by human factors rather than technical problems. Based on "Personas" from the EC-funded project uTRUSTit, the talk will outline the challenges in modern IT security system design. By comparing the cognitive nature of end users and developers, Peter will show usability challenges and attempt to provide processes for solving current problems and misunderstandings.

The talk is recommended to anyone working on security tools and trying to get these tools ready for production use. Even if your product, gadget, software or tool is already deployed, this talk will help you to improve its performance under pressure and during (security) incidents. Bear in mind that security needs to be usable security, otherwise it won't be deployed or may even backfire when handled incorrectly. Once your UI has "gone bad", no amount of technical documentation will fix it. Be aware that building strong and usable security controls is exceptionally difficult. Human behaviour is involved, so a simple list of "top 10 things to remember" won't do the trick. The same is true for any tool that visualises data or has to report alerts. People don't read any more, mainly because they are flooded with information. All these issues have to be anticipated and addressed in the design phase. In case you forgot, visit DeepSec 2011, attend Peter's talk and have some chats with the experts. You have been warned. ☻

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.