How UX Matters to Security

by | Mar 20, 2020 | Blog

Don Norman is considered to be the father of User Experience design. Norman earned a Bachelor’s Degree in Electrical Engineering and Computer Science from MIT followed by a PhD in Mathematical Psychology from the University of Pennsylvania. He worked as an engineer and computer scientist for a number of years, but the human element of technology always fascinated him. In 1979, he helped found the Institute for Cognitive Science at University of California San Diego. Apple hired Norman in 1993 as an Apple Fellow and User Experience Architect.

“I invented the term [User Experience] because I thought Human Interface and usability were too narrow. I wanted to cover all aspects of the person’s experience with a system, including industrial design, graphics, the interface, the physical interaction, and the manual,” Norman said.

Norman’s 1986 book, The Design of Everyday Things, was ground-breaking. It helped to change how people thought about their interactions with technology. While has changed since then, today most tech companies have dedicated user experience teams who develop ways to improve the human-technology interaction.

In information security, developers often feel that there is a compromise that needs to be made between usability and security. However, this is not entirely true. Effectively securing endpoints requires user cooperation. When users are given simplified ways to secure their data, use of a site or even access using passwords or biometrics, they will.

Major technology vendors who have neglected basic UX and UI design principles have also had to answer for their actions:

The ASUS SoHo Router Design Flaw

February 2016, Security Researcher David Longenecker discovered a UI problem that affected a range of ASUS router models which run ASUSWRT firmware.

ASUSWRT’s GUI contained two settings in the firewall section that were written as “Enable Web Access from WAN: No” and “Enable Firewall: Yes.” Unfortunately, even if “Enable Firewall” was set to “No,” public internet access to the router’s admin panel would still be granted, even if “Enable Web Access from WAN” was set to “No.” It was confusing.

The ASUSWRT firmware’s UI design had quirks that were reflected in how the iptables service works with the firewall in regards to its configuration lines. It seems the UI designer was working on technicalities rather than ease of use.

That particular vulnerability in ASUSWRT’s admin panel UI design was particularly problematic when users don’t change their router’s default username and password. Fortunately, ASUS updated ASUSWRT’s UI to patch the problem Longenecker informed them about.

The Microsoft Office Macro Malware Resurgence

The Melissa virus was one of the earliest Microsoft Office macro viruses. It first appeared in March 1999.

Victims would receive an email with “Important Message From x” in the subject line, “Here is that document you asked for… don’t show anyone else” in the body, and a malicious Microsoft Word document attached. If a user opened the document, then the first 50 contacts in their address book would get the same email, with the name of the last victim in the subject line. Users are much more likely to open an email attachment from somebody that they trust, never suspecting that the email they received was simply written by a script on an infected PC. This malware spread rapidly costing American businesses an estimated US$80 million.

Microsoft Office macro malware proliferated in the late 1990s and early 2000s, and many of these operated in a similar manner as Melissa. One of Microsoft’s reactions was to add a warning pop-up when users tried to launch a document with a macro: “The document you are opening contains macros or customizations. Some macros may contain viruses that could harm your computer.” That pop-up proved to be rather effective at preventing the transmission of macro malware, and by the mid-2000s, instances of Microsoft Office macro malware had become rare.

With Office 2010, Microsoft changed the way that users were warned about macros. Instead of an advance pop-up, a notice would appear in a notification bar after a macro was opened: “SECURITY WARNING. Macros have been disabled.” This message was confusing to many users, and it did not inform them about the dangers associated with macros. By the time Microsoft Office 2013 came along, there was a button that allowed users to “Enable Content.” This “content” could include macros. This simple UI change enabled a new resurgence of Microsoft Office macro malware.

Solving Endpoint UX Problems

Researcher Tom Vogt says that UX designers should lead users towards using their computing devices in secure ways.

Users are typically overwhelmed by how many passwords they use these days. Enforcing complexity in password policy illustrates the usability versus security problem. Vogt suggests that we should find alternatives to passwords for secure authentication. For example, incorporating biometric authentication more often.

Confirmation dialogues, such as pop-ups for UAC (User Account Control) in Windows, are a poor design choice. If they’re very frequent, users quickly click on “OK” on any pop-up before reading it.

UIs should be unobtrusive. Developers need to think about human nature and psychology when designing interfaces. Not overwhelming users with actions and allowing the intuitive flow between secure sites needs to be a focus of UI design.

In computing, information security professionals and UX design professionals need to work together to create systems and interfaces that support the user experience and secure your site or a network from potential threats.