
PhD course on

Formal modelling and analysis of interactive systems

Part 5 Usability and Security

Cognitive Errors, Usability vs. Security, Groupware

Antonio Cerone
United Nations University
International Institute for Software Technology
Macau SAR China
email: antonio@iist.unu.edu
web: www.iist.unu.edu

  • A. Cerone, UNU-IIST – p.1/52

Contents

FMAIS 5 — Pisa, Italy, 21 December 2010 Contents | Cognitive Errors | Usability and Security | Groupware | References

  • 1. Cognitive Errors
  • 2. Usability and Security
  • 3. Groupware Case Study
  • 4. References

Cognitive Errors


  • Postcompletion Error

closure due to goal accomplishment results in failing to complete outstanding tasks

  • Expectation Failure

existing mental models lead to faulty expectations

  • Habituation-induced Error

decrease in response to a stimulus after repeated presentations leads to wrong response

⇒ may sometimes be prevented using design principles

Postcompletion Error

Cognitive cause: closure due to goal accomplishment results in failing to complete outstanding tasks

It emerges because of a rule allowing the user to stop once the goal is achieved

Design Principle: goal should always be accomplished through the last task in a sequence of tasks

Error is still present if a warning after the goal is achieved reminds the user to do the completion tasks

Expectation Failure

Cognitive cause: existing mental models lead to faulty expectations

It emerges because the user’s response to the failed expectation is in dissonance with the required interaction

Design Principle: no assumption should be made on user’s expectations

Error may still arise if a message informs the user about the actual required interaction

Habituation-induced Error

Cognitive cause: decrease in response to a stimulus after repeated presentations leads to wrong response

It emerges because the user responds in an automatic way to the stimulus explicitly aiming to arouse attention

No General Design Principle! But

  • Context Specific Principles (e.g. warnings should be used only when needed)
  • Principle of Commensurate Effort may reduce the severity of the error consequences but does not reduce error likelihood

Unavoidable Subsidiary Tasks I


Unavoidable Subsidiary Tasks II


Closure: Exercise

How do you define the closure when you have more than one goal?

Model actions and closure for an ATM that allows the user to choose between

  • cash withdrawal, and
  • statements printing

Relations between Usability and Security


Usability: Def. and Aims

The ease of use and learnability of a human-made object.

[Wikipedia] (accessed in 2010)

Should also aim to prevent user errors

Or at least to decrease likelihood or severity of user errors, which may lead to

  • system failure
  • catastrophic consequences

Usability vs. Security

  • Usable Security
      • security mechanisms may decrease usability
  • Secure Usability
      • poor usability decreases security
      • usability should increase security
      • usability may decrease security

⇒ security mechanisms may decrease usability ⇒ poor usability ⇒ decrease security

⇒ security mechanisms may decrease security

Groupware Case Study


Groupware

Term for applications written to implement

  • Computer-supported cooperative work (CSCW)

HCI ⇒ single user
multidisciplinary around axis psychology–computing

CSCW ⇒ group of users
multidisciplinary around axis sociology–computing

⇒ security issues

Case Study: Web Interface

A conference support web-based tool that

  • provides information on the event
  • establishes a community via registration
  • enables users to share their ideas, interests, etc. via discussion forum
  • facilitates communication between users via creation of personal profiles

Web Design

[Figure: web site structure with the pages Home, Forum, User Profiles, Message and Profile]

Web Pages

  • Home to provide general information and materials about the conference and to set up own profile
  • Forum to browse posted messages and to post new messages
  • Message to analyse a posted message (possibly looking at the sender’s profile), and post a reply to it
  • User Profiles to browse users’ profiles
  • Profile to analyse other users’ profiles (possibly looking at the messages they sent), and contact matching users

Web Interface

[Figure: state-transition diagram of the web interface. States: Entry, Home, Forum, User Profiles, Message, Profile. Transition labels: enter, logout, home, forum, users, read-profile, read-message, back-to-users, back-to-forum, post, reply, contact, setup-profile]

User Privileges

[Figure: state-transition diagram of user privileges. States: OutUser, InUser, Member. Transition labels: login, profile, no-profile, logout, setup-profile, read-message, read-profile, post, reply, contact]

Interface

[Figure: the processes OutUser and Entry with the event labels no-profile, profile, enter, read-message, read-profile, post, reply, logout, contact, setup-profile, forum, home, users, back-to-users, back-to-forum]

User Behaviour

User: A conference participant

Scenario: The persona tries to

  • gather information
  • find/contact other users
  • express his/her ideas

using the website.

User Goal

[Figure: state-transition diagram of the Goals process. States: Goals, Gather Information, Establish Contact, Express Ideas, Goal Achieved, Unauthorised. Transition labels: login, gather, establish, express, achieved, logout, unattended, short-delay, long-delay]

Establish Contact

[Figure: state-transition diagram for the Establish Contact goal. States: Goals, Establish Contact, Goal Achieved, Unauthorised. Transition labels: login, gather, establish, express, logout, unattended, short-delay, long-delay, read-message, read-profile, contact, achieved, failure]

The Overall System

[Figure: the component processes OutUser, Entry and Goals with their event labels]

SYSTEM = ( OutUser [| ... |] Entry ) [| { login , ... , failure } |] Goals

Group of Users

Interaction Aspects

  • local group of users interacting with a single shared interface rather than distributed group of users interacting among each other through the system
  • sequence of users

Security Aspects

  • distinct users may have different privileges
  • users may act as authorised or unauthorised

Authorised vs. Unauthorised

Actions are attempted and may result in

  • either success
  • or failure

Authorised User

  • is supposed to result in success

Unauthorised User

  • is supposed to result in failure

Strong Security

The property of strong security is expressed as follows

If the goal is achieved then user actions

  • either never result in success (unauthorised user)
  • or do not result in success until the user establishes a new goal or performs a logout (authorised user)

□ achieved → (¬success W (goal ∨ logout))

Authorised

[Figure: state-transition diagram of the Authorised User process. States: Authorised User, Gather Information, Establish Contact, Express Ideas, Goal Achieved, Unauthorised. Transition labels: login, gather, goal, establish, express, achieved, logout, unattended, short-delay, long-delay]

Unauthorised User

[Figure: state-transition diagram of the unauthorised user. States: User, Unauthorised. Transition labels: unattended, short-delay, long-delay, logout, success, failure, read-message, read-profile, post, reply, contact]

Non Expert User

[Figure: the NonExpert process. Transition labels: back-to-forum, back-to-users, home, users, forum, unattended, logout, achieved]

NonForgetful Users

[Figure: the NonExpert process (transition labels: back-to-forum, back-to-users, home, users, forum, unattended, logout, achieved) and the NonForgetful process (transition labels: achieved, logout)]

( SYSTEM NonExpert ) [| { achieved, logout, unattended } |] NonForgetful

  • The property does not hold!

Expertise

[Figure: the Expert process. Transition labels: back-to-forum, back-to-users, home, users, forum, unattended, logout, achieved]

( SYSTEM Expert )

[Figure: the NonExpert process. Transition labels: back-to-forum, back-to-users, home, users, forum, unattended, logout, achieved]

( SYSTEM NonExpert )

Web Interface 1

[Figure: Web Interface 1. States: Entry, Home, Forum, User Profiles, Message, Profile. Transition labels: enter, logout, users, home, forum, read-profile, read-message, back-to-forum, back-to-users, post, reply, contact, setup-profile]

Web Interface 2

[Figure: Web Interface 2. States: Entry, Home, Forum, User Profiles, Message, Profile. Transition labels: enter, logout (on three transitions), users, forum, home, read-profile, read-message, back-to-users, back-to-forum, post, reply, contact, setup-profile]

The property

  • holds on ( ( SYSTEM NonExpert ) [| ... |] NonForgetful )
  • does not hold on ( SYSTEM NonExpert )

Web Interface 3

[Figure: Web Interface 3. States: Entry, Home, Forum, User Profiles, Message, Profile. Transition labels: enter, logout, users, forum, home, read-profile, read-message, back-to-users, back-to-forum, post, reply, contact, setup-profile, long-delay, timeout, short-delay]

Quick Timeout

Assumption: No authorised user may enter an unattended session within a time period shorter (short-delay) than the delay (long-delay) that triggers the timeout

[Figure: the Quick Timeout process. Transition labels: back-to-forum, back-to-users, home, users, forum, logout, long-delay, timeout]

The property

  • holds on ( ( SYSTEM NonExpert ) [| ... short-delay ... |] QuickTimeout )
  • does not hold on ( SYSTEM NonExpert )
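A bounded check of the strong security property on a session model, alone and composed with NonForgetful-style and QuickTimeout-style constraints, as an added example that is not part of the slides. The session model, its state names and the shape of both constraint processes are simplified assumptions, and `[| A |]` is implemented as synchronisation on the events in A.

```python
GOALS = ("gather", "establish", "express")

def strong_security(trace):
    """Finite-trace reading of the slides' property: after each `achieved`,
    no `success` may occur before a new goal or a `logout` (weak until)."""
    guarded = False                      # True between `achieved` and its release
    for ev in trace:
        if ev in GOALS or ev == "logout":
            guarded = False
        elif ev == "achieved":
            guarded = True
        elif ev == "success" and guarded:
            return False
    return True

def lts(init, table):
    """A process is (initial state, function: state -> [(event, next state)])."""
    return init, lambda s: list(table[s].items())

def parallel(p, q, sync):
    """P [| sync |] Q: events in `sync` need both sides, all others interleave."""
    (p0, pstep), (q0, qstep) = p, q
    def step(state):
        ps, qs = state
        q_moves = dict(qstep(qs))
        out = []
        for ev, nxt in pstep(ps):
            if ev not in sync:
                out.append((ev, (nxt, qs)))
            elif ev in q_moves:          # synchronised: Q must offer it too
                out.append((ev, (nxt, q_moves[ev])))
        out += [(ev, (ps, nxt)) for ev, nxt in q_moves.items() if ev not in sync]
        return out
    return (p0, q0), step

def counterexample(proc, depth=8):
    """Shortest trace of at most `depth` events violating the property, else None."""
    init, step = proc
    frontier = [((), init)]
    for _ in range(depth):
        nxt_frontier = []
        for trace, state in frontier:
            for ev, nxt in step(state):
                t = trace + (ev,)
                if not strong_security(t):
                    return t
                nxt_frontier.append((t, nxt))
        frontier = nxt_frontier
    return None

# Assumed toy session (not the slides' SYSTEM): once a goal is achieved the user
# may start a new goal, log out, or walk away and leave the session unattended.
SESSION = lts("out", {
    "out":        {"login": "in"},
    "in":         {g: "working" for g in GOALS},
    "working":    {"achieved": "done"},
    "done":       {**{g: "working" for g in GOALS},
                   "logout": "out", "unattended": "unattended"},
    "unattended": {"short-delay": "intruder", "long-delay": "expiring"},
    "expiring":   {"timeout": "closed"},
    "intruder":   {"success": "end"},    # session still open: the action succeeds
    "closed":     {"failure": "end"},    # session timed out: the action fails
    "end":        {},
})

# Assumed constraint: after `achieved`, the user logs out before walking away.
NON_FORGETFUL = lts("n0", {
    "n0": {"achieved": "n1", "logout": "n0", "unattended": "n0"},
    "n1": {"achieved": "n1", "logout": "n0"},
})

# Assumed constraint: nobody reaches the unattended session before the timeout,
# so `short-delay` is never offered.
QUICK_TIMEOUT = lts("q", {"q": {}})

def check_all():
    """Counterexample (or None) for each composition."""
    return {
        "SESSION": counterexample(SESSION),
        "SESSION [| achieved, logout, unattended |] NonForgetful": counterexample(
            parallel(SESSION, NON_FORGETFUL, {"achieved", "logout", "unattended"})),
        "SESSION [| short-delay |] QuickTimeout": counterexample(
            parallel(SESSION, QUICK_TIMEOUT, {"short-delay"})),
    }

if __name__ == "__main__":
    for name, cex in check_all().items():
        print(name, "holds" if cex is None else "violated by " + " -> ".join(cex))
```

The search is bounded, so a `None` result means no violation within `depth` events, not a proof for all traces.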
SLIDE 85

Violation Prevention

Previous safeguards just reduce the likelihood of security violations

Can we introduce a mechanism to prevent any unauthorised user entering an unattended session from performing interactions with the system?

What about avoiding

  • masquerading threats
  • confidentiality threats
  • both masquerading and confidentiality threats

SLIDE 86

Web Interface 4

[Figure: Web Interface 4 state diagram. State labels: Entry Home Forum User Profiles Message Profile. Transition labels: enter, logout, users, forum, home, read-profile, read-message, back-to-users, back-to-forum, setup-profile, contact, reply, post; contact, reply and post are each followed by the labels authenticated, success, failure]

SLIDE 92

More Security Properties

Does the previous property guarantee the absence of masquerading and/or confidentiality threats? Yes!!

Does it hold on System 4? No!

Why? Too strong!

  • masquerading prevention

    □(unattended → ¬(set-up ∨ contact ∨ post ∨ reply) W logout)

  • confidentiality

    □(unattended → ¬(read-profile ∨ read-message) W logout)

SLIDE 94

Authentication

Assumption: Only authorised users can be authenticated

[Figure: diagram with nodes Authorised and UnAuthorised; transition labels: leave, logout, authenticated, failure]

( ( SYSTEM NonExpert ) Authorised )

  • The following property holds

    □(achieved → ¬success U (goal ∨ logout))

SLIDE 95

Authentication

( ( SYSTEM NonExpert ) Authorised )

  • If authentication is on read-message and read-profile then the following property holds

    □(unattended → ¬(read-profile ∨ read-message) W logout)

SLIDE 96

Strong Property

|                      | Expertise (User) | NonForgetful (User) | Quick Timeout (Web Interface) |
| Interface 1          | + NonExpert      | FALSE               | FALSE                         |
|                      | + Expert         | FALSE               | TRUE                          |
| Interface 2 - logout | + NonExpert      | FALSE               | TRUE                          |
|                      | + Expert         | FALSE               | TRUE                          |
| Interface 3 - timeout | + NonExpert     | FALSE               | TRUE                          |
|                      | + Expert         | FALSE               | TRUE                          |

SLIDE 97

Other Properties

|                                          | never-masquerading | confidentiality |
| Interface 4 - contact, post, reply       | FALSE              | FALSE           |
| + Authorised                             | TRUE               | FALSE (!)       |
| Interface 5 - read-message, read-profile | FALSE              | FALSE           |
| + Authorised                             | FALSE (!)          | TRUE            |
| Interface 6 - all above actions          | FALSE              | FALSE           |
| + Authorised                             | TRUE               | TRUE            |

never-masquerading: □(unattended → ¬(set-up ∨ contact ∨ post ∨ reply) W logout)

confidentiality: □(unattended → ¬(read-profile ∨ read-message) W logout)

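Added example (not part of the original slides or the authors' model): a small Python reachability check of the never-masquerading and confidentiality properties over a constructed, simplified page graph. The page names, the omission of set-up, and the choice that a session can be left unattended on any page after Entry are assumptions; authentication is modelled as always failing for the unauthorised user, following the Authorised assumption.

```python
from collections import deque

# Constructed page graph (assumption): page -> {action: next page}.
# set-up is omitted because its place in the flattened figure is unclear.
PAGES = {
    "Entry":   {"enter": "Home"},
    "Home":    {"forum": "Forum", "users": "Users", "logout": "Entry"},
    "Forum":   {"home": "Home", "users": "Users", "read-message": "Message",
                "post": "Forum", "logout": "Entry"},
    "Users":   {"home": "Home", "forum": "Forum", "read-profile": "Profile",
                "logout": "Entry"},
    "Message": {"back-to-forum": "Forum", "reply": "Message", "logout": "Entry"},
    "Profile": {"back-to-users": "Users", "contact": "Profile", "logout": "Entry"},
}
MASQUERADING = {"set-up", "contact", "post", "reply"}
CONFIDENTIALITY = {"read-profile", "read-message"}
# Actions that require authentication in each interface (rows of the slide's table).
INTERFACES = {
    "Interface 4": {"contact", "post", "reply"},
    "Interface 5": {"read-message", "read-profile"},
    "Interface 6": {"contact", "post", "reply", "read-message", "read-profile"},
}

def counterexample(forbidden, guarded, authorised_only=True):
    """Shortest run in which a forbidden action follows `unattended` with no
    logout in between, i.e. a violation of
    [](unattended -> not(forbidden) W logout); None if the property holds."""
    blocked = guarded if authorised_only else set()
    # Assumption: the session can be left unattended on any page but Entry.
    queue = deque((page, ["unattended"]) for page in PAGES if page != "Entry")
    seen = set()
    while queue:
        page, trace = queue.popleft()
        if page in seen:
            continue
        seen.add(page)
        for action, nxt in PAGES[page].items():
            if action == "logout" or action in blocked:
                continue  # logout releases W; failed authentication blocks the action
            if action in forbidden:
                return trace + [action]
            queue.append((nxt, trace + [action]))
    return None

def table():
    """Recompute the TRUE/FALSE table: (interface, +Authorised) -> (masq, conf)."""
    return {(name, auth): (counterexample(MASQUERADING, g, auth) is None,
                           counterexample(CONFIDENTIALITY, g, auth) is None)
            for name, g in INTERFACES.items() for auth in (False, True)}
```

On this constructed graph table() gives the same TRUE/FALSE pattern as the slide's table; the two (!) cells correspond to the runs unattended, read-message (Interface 4) and unattended, post (Interface 5).
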
SLIDE 101

Intrusion

The user model is based on

  • single user view
  • only honest goals

Cleaner approach

  • intrusion goal (dishonest goal)
  • masquerading goal
  • breaking confidentiality goal
  • environment process to describe the initial state as regular session or unattended session

SLIDE 105

Multiple Users

The user model is based on

  • single user view
  • only honest goals

Cleaner approach

  • several users
  • maybe partitioned into honest and dishonest
  • no need for an environment process

SLIDE 106

References

SLIDE 107

[Cranor and Garfinkel 05]

Lorrie Faith Cranor and Simson Garfinkel (eds.). Security and Usability — Designing Secure Systems That People Can Use. O'Reilly, 2005.

Edited Book

Collection of 34 essays from leading security and human-computer interaction researchers aiming at usable security.

SLIDE 108

[Cerone and Elbegbayan 07]

A. Cerone and N. Elbegbayan. Model-checking Driven Design of Interactive Systems. ENTCS 183, Elsevier, 2007, pages 3–20.

Formal Methods Paper

Use of model-checking to improve the interface design with respect to security properties.

SLIDE 109

End