Explore emerging issues in information security with a human-centered design focus
This list of questions about the security features of software can help UX professionals collaborate with security experts.
Simply Secure focuses its collaborative efforts on open-source, privacy-preserving software projects. In my conversations with designers, developers, and end users, I'm often struck by a divergence in their understanding of what "openness" means in software. For example, last December during a user study, participants reading app store descriptions of secure messaging apps consistently thought that "open source" meant that their messages were public. The distinction between "source code" and "content generated in apps"
This look at UX design decisions from WhatsApp’s 2016 end-to-end encryption update shares lessons for designers and developers.
Your team has reached the stage where you need to hire a professional designer. Maybe you want to finally get a great-looking logo, make a website that doesn't look like it was designed in 1996, or create a really compelling video for your Kickstarter campaign. In any case, you know that it might be tricky to express what you're looking for – especially if you come from a technical background and aren't used to dealing with folks who work in pixels.
From quick-start guides to professional discussion, the Knowledge Base helps you hone security and privacy skills.
Information security focuses on third parties’ access to user data without permission. Develop your knowledge of principles and practices to design transparent and accountable systems.
Learn best practices for security, privacy, and transparency
Simply Secure provides information security professionals with resources that include use cases, emerging research issues, and the implications of current events for the field.
This year's Consumer Electronics Show (CES ‘17) showcased numerous internet of things (IoT) devices but was found wanting when it came to security concerns. In his UX of IoT report from CES, Scott Jenson assesses that “companies really, really, REALLY want to make home automation systems,” but how can we begin to consider the ethics when developers don’t even consider security risks? IoT systems pose two security challenges. First, they can be manipulated as surveillance infrastructure to target vulnerable people.
To help you assess risks to your data, we provide ways to dissect threats and tips to protect against them.
Building trustworthy technology requires more than technical expertise. Interaction design, service design, brand strategy, and writing are needed.
Get prepared to discuss security with more technical teammates. If you’re a designer, learn useful background information.
My last post examined the concept of phishing, which is a type of social-engineering attack to con people into divulging private information like passwords or credit card numbers. When you look for advice on how to protect against phishing, most of what you’ll find is tired wisdom such as “check the email carefully” or “never click on links in emails.” This type of advice assumes that the burden is entirely on would-be victims to protect themselves.
Most people who spend time online have a general idea of what "phishing" is, but it can be hard for folks outside of the security community to pin down an exact definition. Understanding the threat that phishing attacks pose can help designers and other UX experts become effective advocates for experiences that protect users. In this post, we will explore the basics of how phishing attacks work, and in a follow-up post, we will examine some of the mechanisms that protect users against them.
Web browsers are utility software; they are designed to work for all people. Not only must their features meet the needs of average members of a population, they must also work for people with special needs. As Firefox says on its mobile accessibility features page, the browser has been "designed to meet the needs of the broadest population possible," but "sometimes that is not enough." In particular, software that is built for everyone can too often leave people with specific security or privacy needs at risk.
Visual design makes for compelling software; learn about color and how to choose a persuasive color scheme.
If you're new to UX design, wireframing is a powerful tool to understand how users experience your software. People with technical backgrounds benefit from wireframing because it forces them to take a step back from their coding mentality. Rather than focusing on the technical architecture, wireframing exposes the user-experience structure: how the user moves from one screen to another. Example wireframes taken from GoodUI.org. Both show the same content organized with two different structures, but the left wireframe is better because it discloses choices rather than keeping them hidden.
Building great software requires understanding what users want and need. If you’re building privacy-preserving software, this includes understanding the privacy threats that your users face. One of the participants in Ame’s NYC study. When Ame set out to talk to people in the New York City neighborhoods of Brownsville and Harlem about their experiences with mobile messaging, she wanted to amplify voices that are frequently underrepresented in the software community.
Naming software is hard because the name needs to convey a lot of meaning about what the program does to an unfamiliar audience, and do it all using only a word or short phrase. You want something memorable and easy to say – which becomes more complex when designing with a global audience in mind. Android's recently-announced competition to name the latest operating system has been met with skepticism. The accompanying parody video pokes fun at naming as an unskilled and silly exercise.
I really enjoyed my time at the Internet Freedom Festival in Valencia, Spain. I was inspired and humbled to meet so many talented people as part of a global event about internet freedom. From powerful conversations about privilege to UX design jam sessions, it was a great week. With more than 600 people registered and 160+ sessions, there was more terrific discussion than I could be part of, but here are some themes that stuck with me.
Many regular readers of our blog have already drunk the metaphorical Kool-Aid. You know that a good user experience is critical to an app's success; moreover, you know that when a piece of software seeks to preserve its users' privacy, a poor UX can have disastrous results. But working in a community of passionate individuals – whether it's as a designer, a cryptographer, or an internet-freedom activist – can make it easy to forget that the majority of the human race isn't aware of your favorite issues.
It’s always great to attend security and privacy conferences in person. But in cases where you have to miss an event, online videos of the talks can be a great way to stay current with the ongoing conversation. Art, Design, and The Future of Privacy As I promised back in September, the videos of the event we co-hosted with DIS Magazine at Pioneer Works are available online. The DIS blog had a great writeup with summaries of the different panels, and you can find transcripts over at Open Transcripts.
2015 was our first full year in operation, and we’ve come a long way! Looking back at the past twelve months, here are some resources that we’ve found to be particularly useful (or entertaining). Let us know your favorites on Twitter! Ame’s picks Thinking back on 2015, I’m really glad to be part of Simply Secure and for the opportunity to be an evangelist for design. I’m thankful for resources that make design easier.
It can be hard to communicate about security-related features with users who aren't already security experts. From word choice to the level of detail included, it's easy to overwhelm people with information, leave them scared, or bore them to indifference. For many applications, one major challenge is finding the right place to communicate. Empty states – screens in your app where there is no actual content to display – are a great opportunity for this communication, in part because they frequently occur when the user is first starting out.
Recent attacks by Daesh in Turkey, Egypt, Lebanon, and Paris have fanned the flames of an ongoing debate about software that is resistant to surveillance. It seems that some participants in that debate are trying to use these attacks as an excuse to drum up fear around end-to-end encryption. They argue that these events tell us that the general citizenry shouldn’t have access to strong privacy-preserving tools. A lot of people are saying a lot of smart things on the subject, but I want to briefly outline a couple ways in which this call for limiting encryption is problematic.
Style guides specify the look and feel of how a company or team communicates with the outside world. Styleguides.io collects examples of website visual standards that maintain a consistent online presence. Brand guidelines typically focus on how logos are treated, while style guides are more extensive – including not only look and feel, but also interactive behavior, such as the alerts and form templates in the U.S. Web Design Standards.
My recent post describing some of the reasons we choose Slack over IRC for our public forum is part of a larger conversation people are having around the promise and concerns of group-communication tools. A quick search for "Slack vs. IRC" yields a wealth of opinions on the subject; our post generated some interesting discussion (and a couple angry rants on Twitter). I focused my discussion on the usability advantages of Slack – advantages that I believe encourage designers to join our public forum in a way that they would not if it were hosted on IRC.
Rather than view feature requests as a set of highly-divergent signals, it can help to try and group requests based on the underlying need that they speak to.
People who think about computer security for a living sometimes cringe when they read about the subject in the popular press. Security is a complex and nuanced topic, and it’s easy to make assertions that don’t hold up to careful scrutiny. One basic-but-unintuitive principle is that security is not a binary property: in the absence of other context, it’s hard to definitively say that a particular system or piece of software is “secure” or “insecure”.
As a practitioner of Human-Centered Design, empathy is a core skill in the work I do. In No Flex Zone: Empathy Driven Development, Duretti Hirpa writes about how empathy can be a competitive advantage. “We build software for all kinds of people, and empathy helps us to connect to these disparate audiences. We have to choose empathy, but I’d argue, it’s undeniably the ‘one weird trick’ to future-proofing the software engineering.
Last week I went to the SOUPS conference in Ottawa. As a first-time attendee, it was a good opportunity to connect with some members of the academic usable-security community. One of the highlights was keynote speaker Valerie Steeves. Steeves, sharing findings from her Young Canadians in a Wired World research, reported results of an in-depth study of 5,436 Canadians in Grades 4-11. Based on a survey and in-person discussions, she shared sobering findings that kids’ expectations of online privacy are not being met.
This is the third and final installment in the series on Lessons from Architecture School: Lessons for IoT Security. You can also read the first and second installments, or download the presentation. Thank you to the audience at Solid Conference for good questions and lively discussion. Homes Are More Than Houses Shop houses are a type of vernacular architecture built throughout Southeast Asia. Vernacular architecture is built using folk knowledge and local customs, typically without the use of an architect.
This continues Part 1 of a series of posts drawn from a talk I gave at O’Reilly’s online conference Experience Design for Internet of Things (IoT) on “Lessons from Architecture School for IoT Security.” You can find the slides for the original talk here. The talk encourages designers to think about security and outlines some ways UX design can support privacy in IoT applications. When designing IoT applications for the home, we can take advantage of how much time we spend there by looking critically at the unspoken assumptions homes reveal.
This is the first in a series of posts pulled from a talk I gave at O’Reilly’s online conference Experience Design for Internet of Things (IoT) on “Lessons from Architecture School for IoT Security.” The talk is a call to action for designers and non-technical people to get involved — with us at Simply Secure or elsewhere — in the worthy problems of experience design for IoT security. I want to encourage more people to think about security and to outline some ways UX design can support privacy in IoT applications.