Wednesday, February 13, 2013

Cybersecurity, Human Factors & User Experience

Cybersecurity, Human Factors & User Experience is a multi-part series by Stephen Ruiz examining the impact of User Experience Design on cybersecurity. Over the next few months we'll be addressing the following:

Part 1 - Cyber War and Human Error
Part 2 - Information Disasters (Tufte, Space Shuttles & Design Lessons that Save Lives)
Part 3 - The Iceberg Principle
Part 4 - A Common Visual Vocabulary
Part 5 - The Peaceful Data Warrior (Designing for Healthcare, Finance & Cybersecurity) 


 Part 1 - Cyber War and Human Error


"Far from being an alternative to conventional war, cyber war may actually increase the likelihood of the more traditional combat with explosives, bullets, and missiles. If we could put this genie back in the bottle, we should—but we can't. Therefore, we need to understand what cyber war is, to learn how and why it works, to analyze the risks, to prepare for it, and to think about how to control and deter it."

- Richard A. Clarke, Counter-terrorism adviser to Presidents Bill Clinton and George W. Bush.

Besides the usual rhetoric of "the need for peace talks" and "a long-term solution to the problem," the most recent flare-up in the decades-old conflict between Israel and Hamas this past November may have broken new ground in its use of cyber war tactics. While cyber war is not a new topic in the nation's zeitgeist, the number of reported incidents has grown exponentially over the past few years. This video from CNN describes the incidents of cyber attacks that relate to the conflict.

   



With some security analysts predicting that 2013 is the year nation-sponsored cyber-warfare will go mainstream, it's no wonder that leaders from several western nations have made cybersecurity a top priority within their governing agendas. In his 2013 State of the Union address, President Barack Obama outlined his executive order addressing cybersecurity: Improving Critical Infrastructure Cybersecurity. This is no longer just an issue for those in the industry. The topic has moved from the realm of tech-savvy people and digital professionals onto our national stage. Cybersecurity has gone mainstream.

Now that cybersecurity is an integral part of Homeland Security's focus along with the vulnerability of critical infrastructure (power, water, and nuclear systems), two things have become abundantly clear. One is that with the increase in attacks (along with the proliferation of connected devices like smart phones, tablets, computers and even household appliances), the responsibility of keeping data and systems secure will require more and more input from people who are not technical professionals. The second is that we need to place a greater emphasis on User Centered Design, not just for ease of use but for the sake of our safety. 

The very real (and very scary) truth is that human error accounts for a staggering number of security breaches. Here are some frightening statistics from a chiefexecutive.net article from 2011:
  • In October 2010, Microsoft blamed human error after two computers on its network were hacked and then misused by spammers to promote more than 1000 questionable online pharmaceutical websites.
  • In April 2011, the State of Texas discovered that the personal and confidential data of 3.5 million teachers, state workers, retirees and recipients of unemployment checks had been left unprotected on the Internet for nearly one year.
  • According to Gartner, Inc., more than 99 percent of firewall breaches are caused by misconfigurations rather than firewall flaws.
  • The State Department’s 2008 breach of the passport system was a result of under-configured access control and a defendant’s “idle curiosity” piqued by the simple discovery that he 'could'.

Hypothetically, one could have the most sophisticated technology imaginable, but if it isn't intuitive or designed to account for human error, then it simply would not be effective. So, what can public and private-sector organizations do to address the problem of human error? The first step is to design for humans.

As we'll see in the next installment, Part 2 - Information Disasters (Tufte, Space Shuttles & Design Lessons that Save Lives), smart, user-focused design can literally mean life or death.