IFD:Nutzerstudien WiSe1314/Sicherheit (security): Difference between revisions

From Medien Wiki
 
==Aims of data gathering==
==Aims of data gathering==


… are to improve the design and/or functions in Chat-Secure, regarding the security-problem.
We wanted to know how to improve the design and/or functions in Chat-Secure, regarding the security-problem. People should immediatly see that it's a secure chat through its interface. So we searched for possible symbols that provide security and tried out some designs to improve the current look of the chat.
 
<!--
<div style="color:darkgreen">
could you specify what you mean with "security problem"? What poses a possible problem? ("security problem" could as well be a exploit, a bug that enables an attack or the like) --[[User:JanD|JanD]] 10:17, 13 December 2013 (CET)
</div>
-->
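Review bot: "the security-problem" in the aims paragraph is still undefined, and the question asking what it means is wrapped in an HTML comment instead of being answered. State in the paragraph itself which problem is meant; the sentence that follows suggests it is that users cannot see from the interface whether a chat is secure.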
<div style="color:brown">Developing a clear, concise scheme for representing the states of messages in ChatSecure is a very valuable problem to solve.  If the user does not understand when things are private or not, they could easily leak private information.  Keep in mind all manner of design treatments: font, color, iconography, etc.  I think that finding well known metaphors could likely produce good results here, but a very simple abstract scheme could also work.  One of my favorite ideas here is relying on the default look.  ChatSecure should provide private/secure messaging by default.  If the messages are not private/secure, then that is a warning/error condition and should be represented as such.</div>--[[User:Hans|Hans]] 21:40, 18 December 2013 (CET)


<p style="color:darkgreen">what did you ask? Where there any outlines? A more specific focus?</p>--[[User:JanD|JanD]] 09:33, 12 December 2013 (CET)


== Data Gathering: Interviews/Observation ==
== Data Gathering: Interviews/Observation ==
=== Student 1 ===


Interviewed 3 students (one media science, one computer science, one business economics). Main questions: Are you feeling secure in your currently used chat programs? What are the limits of effort you would accept to feel safer in a chat?
We interwiewed ten people of these courses of studies below. Since we all studies something similar we had an easy access to them. We asked them about their chat behavior in general and especially how they think about security.
 
{| class="wikitable"
|-
! Number
! Age class
! Course of studies
|-
| 1
| <20
| Media Science
|-
| 2
| 20-25
| Computer Science
|-
| 3
| 20-25
| Business Economics
|-
| 4
| 20-25
| Computer Science
|-
| 5
| 20-25
| Computer Science
|-
| 6
| 20-25
| Computer Science
|-
| 7
| 20-25
| Computer Science and Media
|-
| 8
| 20-25
| Computer Science and Media
|-
| 9
| 20-25
| Media Arts/Media Design
|-
| 10
| 25-30
| Game Design
|}


=== Student 2 ===


Interviewed 3 students (all students of computer science) about their chat behavior and thinking about the security.
Main questions: <!--(doppelte werden gelöscht) -->
=== Student 3 ===


Interviewed 4 students (media art & design, game design, 2x computer science and media) on their favorite chat tools and how they use them. Other focal points where design and impression of the interface, security concerns and important software features.
* What chats do you use?
* Are you happy with them or would you want to improve something?
* Which functions are important for you?
* Have you ever think about the security in the chat programs?
* Are you feeling secure in your currently used chats? If no, did you restrict yourself in some way and how far? 
* What are the limits of effort you would accept to feel safer in a chat?
* Have you ever been attacked before?


== Data Analysis ==
== Data Analysis ==
How we analysed the data: We searched for specific answers in the interviews and looked how it could help to spot a problem. Then we put all our results together and created a notice board.
How we analysed the data: We searched for specific answers in the interviews and looked how it could help to spot a problem. Then we put all our results together and created an affinity diagramm.
 
<div style="color:brown">I'd like to see more discussion of your approach here.  How did you choose your people?  What criteria did you use to develop your questions?</div>--[[User:Hans|Hans]] 21:43, 18 December 2013 (CET)
 
We chose them, because they are part of our social environment. We thought about what would be important for ourselves to develop the questions. Since we`re in the security-group we tried to focus especially on that topic.


==Main Results Data Analysis==
==Main Results Data Analysis==
What we learned from our user research: We got a lot of information about the requirements and the possible use of a chat application. The most important features people wanted to be part of such an application where group chat functionality, image transfer, smileys and an easy to use but appealing interface. It was also interessting for us to find out that the main percentage of the users know about possible security issues of the used software but did not try to find an alternative. Related to this we also find out that people using chat software for business had much more concerns about their personal information and especially the topic and content of the talk then the private users.


<p style="color:darkgreen">What were the security issues the people knew about? What was their concept of 'security'?</p>
<p style="color:darkgreen">What were the users aims in using a group chat, an image transfer etc.?</p>
--[[User:JanD|JanD]] 09:33, 12 December 2013 (CET)


==What specifc problem we want to solve==
'''Results:'''
In our opinion the interface should communicate security to the user. Therefor we want to improve the interface of ChatSecure in a way, that everyone is possible to understand what is meant with the symbols.
* Most people use chat programs that are unsafe. The amount of friends that use a specific chat is more important <div style="color:brown">did the users know that the apps they use were unsafe?</div>--[[User:Hans|Hans]] 21:44, 18 December 2013 (CET)
Yes, they do, but it doesn`t bother them.
* Standard functions like Smileys and data/picture transfer should be offered
* There should be a function to create a group discussion
* Chats are used for job messages as for private ones
* User want to see (e.g. by a lock-symbol), if a program or message is secure or not
* Open Source programs provide trust
* The design should be functional AND appealing
 
What we learned from our user research: We got a lot of information about the requirements and the possible use of a chat application. The most important features people wanted to be part of such an application where group chat functionality, image transfer, smileys and an easy to use but appealing interface. People often want to plan parties in a chat, so the group function could be necessary and image transfer is also an important factor of communication for most people.
 
It was also interesting for us to find out that the main percentage of the users know about possible security issues:
* fear of being in a computer surveillance/being watched in general
* fear of theft of an account/a mobile device
* e.g. personal messages were posted on the pinboard because of a Facebook bug
However, they did not try to find an alternative. Related to this we also found out that people using chat software for business had much more concerns about their personal information and especially the topic and content of the talk then the private users.
 
<div style="color:brown">You bring up a lot of valuable points here, and the bullet points provide a quick summary, but I'd love to hear more about all of the topics.  In particular, I think the core issue is why people don't find more secure/private alternatives to the apps that they use.  Is it social (everyone I know uses Xapp)?  Is it usability (private apps are hard to use)? Or something else entirely?</div>--[[User:Hans|Hans]] 21:50, 18 December 2013 (CET)
 
Since insecurity in their currently chats doesn`t bother them much, they just haven`t thought about a secure alternative yet. Most important thing has always been, that all friends use the app/chat. They would change to a secure chat, where all friends are logged in, though.
 
==What specific problem we want to solve==
 
The interface should communicate security to the user. Therefore we want to improve the interface of ChatSecure in a way, that everyone is able to understand what is meant with the symbols.
To create such a design, we drew some of our own design-ideas on a paper. It showed the message window and some applications and icons we added to it, e.g. the lock symbol next to the Accountname and in the speech bubbles itself. These things intensify the security-feeling. Then we discussed those ideas, made a prototype and tested it on a comrade who wasn`t in our working group.
 
 
[[image:IFD-NuSt security-mockup.jpg|1000px]]
 
<div style="color:brown">Its good to see the mockups, this gets the process rolling.  About the prompt for sending messages insecurely, this would work well for people in very sensitive situations, but I think most users would get annoyed once they've seen a pop-up like this more than 5 or 10 times.  I think that it is possible to achieve the same results security-wise with less annoyance on the user by integrating this warning more.  For example, the Send button should change color like you have already but maybe instead of the yes/no/later prompt, the user would have to press the send button twice, and it would change color on each press.  For more security, there could be an enforced delay on the second press, so they would have to wait a second or two before clicking it the second time.  Or mybe it would be enough if the whole interface was shouting out that the message would be sent insecurely, something like every aspect of the UI turning red, and getting a different font.</div>--[[User:Hans|Hans]] 21:56, 18 December 2013 (CET)
 
 
<!--
<div style="color:darkgreen">Please include a sketch or photo; otherwise it is hard to understand that you refer to. --[[User:JanD|JanD]] 10:19, 13 December 2013 (CET)</div>
-->


==Plans – how we want to solve the problem(s)==
==Plans – how we want to solve the problem(s)==
In our opinion the interface should communicate security to the user. Therefor we want to improve the interface of ChatSecure in a way, that everyone is possible to understand what is meant with the symbols.
The ideas of last week worked quite well, but not properly understandable. The problem of the red color we`d chosen for the Send-Button for an insecure message didn't work out. Our test subject thought the button couldn't be clicked at all. 
<p style="color:darkgreen">Could you provide any Mothods how you want to archive this? E.g. Analysis of competition, tests etc? Is your concern only directed at the icons? And what is bad about the current ones than?</p>
So, in the next week, we would look for similiar applications and how they deal with authentification and security methaphors. After that, we would improve our prototype with the results of the last weeks and try out different approaches to solve our problems, regarding the prototype itself, the layout and the colours. Then we would test it again.
 
<!--
<p style="color:darkgreen">Could you provide any Methods how you want to archive this? E.g. Analysis of competition, tests etc? Is your concern only directed at the icons? And what is bad about the current ones than?</p> --[[User:JanD|JanD]] 09:38, 12 December 2013 (CET)
-->
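Review bot: the plan in this section rests on a single test ("Our test subject thought the button couldn't be clicked at all"), and the next round is described only as "Then we would test it again". Say how many people will test the revised prototype and what they will be asked to do, which would also answer the commented-out question about methods.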


==Images==
==Images==

Latest revision as of 12:23, 21 December 2013

Aims of data gathering

We wanted to know how to improve the design and/or functions in Chat-Secure, regarding the security-problem. People should immediately see that it's a secure chat through its interface. So we searched for possible symbols that provide security and tried out some designs to improve the current look of the chat.

Developing a clear, concise scheme for representing the states of messages in ChatSecure is a very valuable problem to solve. If the user does not understand when things are private or not, they could easily leak private information. Keep in mind all manner of design treatments: font, color, iconography, etc. I think that finding well known metaphors could likely produce good results here, but a very simple abstract scheme could also work. One of my favorite ideas here is relying on the default look. ChatSecure should provide private/secure messaging by default. If the messages are not private/secure, then that is a warning/error condition and should be represented as such.

--Hans 21:40, 18 December 2013 (CET)


Data Gathering: Interviews/Observation

We interviewed ten people from the courses of study listed below. Since we all study something similar, we had easy access to them. We asked them about their chat behavior in general and especially how they think about security.

Number   Age class   Course of studies
1        <20         Media Science
2        20-25       Computer Science
3        20-25       Business Economics
4        20-25       Computer Science
5        20-25       Computer Science
6        20-25       Computer Science
7        20-25       Computer Science and Media
8        20-25       Computer Science and Media
9        20-25       Media Arts/Media Design
10       25-30       Game Design


Main questions:

  • What chats do you use?
  • Are you happy with them or would you want to improve something?
  • Which functions are important for you?
  • Have you ever thought about the security in the chat programs?
  • Are you feeling secure in your currently used chats? If no, did you restrict yourself in some way and how far?
  • What are the limits of effort you would accept to feel safer in a chat?
  • Have you ever been attacked before?

Data Analysis

How we analysed the data: We searched for specific answers in the interviews and looked at how they could help to spot a problem. Then we put all our results together and created an affinity diagram.

I'd like to see more discussion of your approach here. How did you choose your people? What criteria did you use to develop your questions?

--Hans 21:43, 18 December 2013 (CET)

We chose them because they are part of our social environment. We thought about what would be important for ourselves to develop the questions. Since we're in the security-group we tried to focus especially on that topic.

Main Results Data Analysis

Results:

  • Most people use chat programs that are unsafe. The number of friends that use a specific chat is more important.
    did the users know that the apps they use were unsafe?
    --Hans 21:44, 18 December 2013 (CET)

Yes, they do, but it doesn't bother them.

  • Standard functions like Smileys and data/picture transfer should be offered
  • There should be a function to create a group discussion
  • Chats are used for job messages as well as for private ones
  • Users want to see (e.g. by a lock-symbol), if a program or message is secure or not
  • Open Source programs provide trust
  • The design should be functional AND appealing

What we learned from our user research: We got a lot of information about the requirements and the possible use of a chat application. The most important features people wanted to be part of such an application were group chat functionality, image transfer, smileys and an easy to use but appealing interface. People often want to plan parties in a chat, so the group function could be necessary and image transfer is also an important factor of communication for most people.

It was also interesting for us to find out that the main percentage of the users know about possible security issues:

  • fear of being under computer surveillance/being watched in general
  • fear of theft of an account/a mobile device
  • e.g. personal messages were posted on the pinboard because of a Facebook bug

However, they did not try to find an alternative. Related to this we also found out that people using chat software for business had many more concerns about their personal information and especially the topic and content of the talk than the private users.

You bring up a lot of valuable points here, and the bullet points provide a quick summary, but I'd love to hear more about all of the topics. In particular, I think the core issue is why people don't find more secure/private alternatives to the apps that they use. Is it social (everyone I know uses Xapp)? Is it usability (private apps are hard to use)? Or something else entirely?

--Hans 21:50, 18 December 2013 (CET)

Since insecurity in their current chats doesn't bother them much, they just haven't thought about a secure alternative yet. The most important thing has always been that all friends use the app/chat. They would change to a secure chat, where all friends are logged in, though.

What specific problem we want to solve

The interface should communicate security to the user. Therefore we want to improve the interface of ChatSecure in a way that everyone is able to understand what is meant with the symbols. To create such a design, we drew some of our own design-ideas on paper. It showed the message window and some applications and icons we added to it, e.g. the lock symbol next to the account name and in the speech bubbles themselves. These things intensify the security-feeling. Then we discussed those ideas, made a prototype and tested it on a comrade who wasn't in our working group.


IFD-NuSt security-mockup.jpg

It's good to see the mockups, this gets the process rolling. About the prompt for sending messages insecurely, this would work well for people in very sensitive situations, but I think most users would get annoyed once they've seen a pop-up like this more than 5 or 10 times. I think that it is possible to achieve the same results security-wise with less annoyance on the user by integrating this warning more. For example, the Send button should change color like you have already but maybe instead of the yes/no/later prompt, the user would have to press the send button twice, and it would change color on each press. For more security, there could be an enforced delay on the second press, so they would have to wait a second or two before clicking it the second time. Or maybe it would be enough if the whole interface was shouting out that the message would be sent insecurely, something like every aspect of the UI turning red, and getting a different font.

--Hans 21:56, 18 December 2013 (CET)


Plans – how we want to solve the problem(s)

The ideas of last week worked quite well, but were not properly understandable. The problem of the red color we'd chosen for the Send-Button for an insecure message didn't work out. Our test subject thought the button couldn't be clicked at all. So, in the next week, we would look for similar applications and how they deal with authentication and security metaphors. After that, we would improve our prototype with the results of the last weeks and try out different approaches to solve our problems, regarding the prototype itself, the layout and the colours. Then we would test it again.


Images