IFD:Nutzerstudien WiSe1314/Sicherheit endpresentation (security): Difference between revisions

We concentrated on the interface of the message window. First, it should be easy to handle, of course. It should provide an uncomplicated and plain interface, where you can figure out the functions fast and remember them for the next time. It’s essential to spare symbols that confuses the user or that are barely necessary by themselves. So we searched for some design ideas to answer the questions:

• What can I do to guarantee a conveniant handling in the message window?
• How can we improve the interface for the functions of secure, unsecure and verified messaging?

Könntet ihr die Ideenfindung in den Prozess einordnen? Wann und warum habt ihr das gemacht? Es sieht wie Lösungsideen für Probleme aus, die nach der Nutzerfoschung festgestellt wurden. Sollte der Abschnitt hier drinnen sein, weil im Arbeitsbuch ein solcher Abschnitt ist: In dem Arbeitsbuch ging es um erste Ideen, zu denen man forschen könnte (tut mir leid, wenn das nicht klar war, schreibt mir gerne dazu, dann kann ich es verbessern) We searched for possible symbols that provide security and tried out some designs to improve the current look of the chat. Examples had been locks and shields in many variations. We also tried out various colors to make clear the differences between functions.

We discussed our ideas and criticized them. The diffrent colors are feedback from the group.
Green: the group liked the idea
Blue: neutral / comments
Red: problems of the idea

For our interviews, we tried to choose open questions that don’t require a yes or no, but longer answers. So we would find out more about what our test subjects like or not.

Main questions have been:

• What chats do you use?
• Are you happy with them or would you want to improve something?
• Which functions are important for you?
• Have you ever think about the security in the chat programs? Why?
• Are you feeling secure in your currently used chats? If no, did you restrict yourself in some way and how far?
• What are the limits of effort you would accept to feel safer in a chat?
• Have you ever been attacked before?

We interwiewed ten people of these courses of studies below. Since we all studies something similar we had an easy access to them. Warum habt ihr Studierende ausgewählt? (es ist auch o.k. Personen auszuwählen, weil man einfachen Zugang hat – solange ihr schreibt, warum, z.B, weil auch diese einen Chat-Client benutzen und ihr so mehr Erfahrung im Interviewen sammeln könnt…)

Student 1:

The preparatioin was quite easy for me, because I’ve already known the test subjects. It was fast done to find a fixed date. During the interviews II realized that I sometimes had to look between the lines to filter what my interview partner really thinks. So I got the most usable answers by questioning their answers (“Why do you think so?”) or ask a question like “So, do you think it’s like…?” I used pen and paper, I haven’t had audio equipment, but the written answers had been useful.

Student 2:

Before the interviews I prepared a list of questions. This was helpful, to keep the focus in the talks and don't ask yes or no questions. I also used pen and paper or the computer to make notes while the interview. I made short notes, because they are written down quickly. After the interview I've formulate this notes and add more informations.

Student 3:

Before doing the interview I looked up our last topic and / or problems of the course. Based on these information I made some notes and put them into possible questions. Afterwards I arraged them to fit a better order for the talk. Because writing, asking and thinking is to much at the same time, i decided to use a audio recorder with the permission of the test subjects. This made it possible to keep the talk running. In my opinion it's more polite to concentrate on the interview partner instead writing everything down. This way of interviewing enables you rewind the whole interview and maybe check for a certain aspect as often as you wish. After all things were done I wrote down the findings for documentation and share purpose.

Student 1:

• Test subject 1: She is not quite satisfied with her current chat programs. Sometimes she holds back her opinion about political references and don’t give an access to her adress, e.g. in facebook. She’d like to have a chat that’s secure, but she only uses it, if all of her friends would use it, too.

• Test subject 2: She knows about the dangers of someone that could spy out her messages, but it doesn’t bother her at all. As long as it isn’t someone that she knows and it could have consequences for her, she not interested in a secure chat. For her functions and look is more impotant.

• Test subject 3: She is a quite cautios person that feels insecure all the time when being in the internet. She don’t hold back with her opinion, but writes messages with the perpetual feeling of “I can be watched now.” She would appreciate a chat that is secure, but one that is instinctively and simple to handle, because she gives up pretty fast and changes the app when she needs a longer time to figure out the single functions.

Student 2:

• Test subject 1: Person one preferred messages to plan things, if they aren't complicated. Because he is working in the IT business, he have thinked about the security of his messages, how the data is encoded and how the password is saved. The scope of functions in ChatSecure is okay, but the registration through a third party isn't comfortable. The person doesn't liked the design of ChatSecure at this time, because the contact view is very confused.

• Test subject 2: Person two wasn't realy interested in the security of his messages. He had heard about some vulnerabilities in Facebook but he think he can't do something against. The scope of functions in ChatSecure is okay, but it could be more color in the design.

• Test subject 3: The third person have also think about the security of his messages because of the news in the media. But he would not change his chat program, because of the amount of people in programs like WhatsApp.

Student 3:

• Test subject 1: He is a person who uses instand-chat only for some basic talks about dispensable topics with friends. In the first part of the interview he answered the questions not containing security issues. This gave a good impression of the persons thoughts about this kind of software and security in general. In the second part he answered questions directly linked to the security topic. By direcly asking him about security problems and concerns, he gave some interesting answers. The main statement of this talk was: Don't think about it, or you will panic.

• Test subject 2: He is a person with high skills in electronic and computer technics. His attitude towards security and secure chat software were very negative. One big problem of secure systems is that they are not quite secure or that they are to complex to use, he said. In his opinion it would be good if programs inform the user about security issues and everything else should be done automatically.

• Test subject 3: She is a person with also good knowledge on computers and software. Chat-software is for her a good medium for fast message transport. She says unfortunately oneself has no chance to check if the security promises of the companies are right. In her opinion the best way to secure own data is to publish only the data you are quite shure to publish.

We searched for specific answers in the interviews and looked how it could help to spot a problem. Then we put all our results together and created an affinity diagramm.

Results:

• Most people use chat programs that are unsafe. The amount of friends that use a specific chat is more important. They know about the danger in these chats, but it doesn’t bother them enough to change to another one. Related to this we also found out that people using chat software for business had much more concerns about their personal information and especially the topic and content of the talk then the private users.
• Standard functions like Smileys and data/picture transfer should be offered
• There should be a function to create a group discussion
• Chats are used for job messages as for private ones
• User want to see (e.g. by a lock-symbol), if a program or message is secure or not
• Open Source programs provide trust
• The design should be functional AND appealing

What we learned from our user research:

We got a lot of information about the requirements and the possible use of a chat application. The most important features people wanted to be part of such an application where group chat functionality, image transfer, smileys and an easy to use but appealing interface. People often want to plan parties in a chat, so the group function could be necessary and image transfer is also an important factor of communication for most people. Für den Kurs nicht essentiell, aber bei wissenschaftlichen Studien sehr wichtig: Über wen sagen die Daten das aus? "observed/interviewed students" ist vermutlich besser als "most people" – speziell wenn ihr mal ein Paper oder so schreibt.

It was also interesting for us to find out that the main percentage of the users know about possible security issues:

• fear of being in a computer surveillance/being watched in general
• fear of theft of an account/a mobile device
• e.g. personal messages were posted on the pinboard because of a Facebook bug

Prototype 1

This prototype is for informing the user what is going on, if the message can't be encrypted. Warum habt ihr dieses Thema ("informing the user what is going on, if…") gewählt? Nutzerforschung? Vortest? Heuristik?

Testing it / Results

When testing it, we found out that the colors had been irritating for our testperson.

Protoype 2a)

To make the user keep an eye on the current security level, we added colour to the send button. This means the button has the same colour as the bar with the names of the contacts.

Protoype 2b)

A next question was how we could show that the message is not encryped. This also included the problem how one could start encryption. Warum habt ihr dieses Thema ("informing the user what is going on, if…") gewählt? Nutzerforschung? Vortest? Heuristik? Logische begründung, denn… (eure Erklärung)

The idea was to show a litte exclamation mark sign beside the message on which one could touch. Then some actions should be possible. For example swipe left to send even if it is unsecure.

We discussed this idea in the group and decided that this would not be easy to understand. So we gave up this idea.

Protoype 2c)

We added a pop up, which appears when the user tries to start an unsecure chat or to remind the user to verify himself and/or his contact person.

Prototype 2d)

If the message is secure (In the speechbubble in the middle picture is written: “start secure messaging”, because one problem was that user don’t know what OTR means.)

If the message is not secure, a pop-up comes out to tell the user what is going on and if he wants to continue or to cancel the message-sending:

We tested it and our testperson went through it without problems.

Prototype 2e)

Because some of our test persons expressed concerns about the many buttons needed to start a secure chat and especially about their labels, we decided to bring everything to one switch.

We gave up this idea, because a switch is not much more easy as we thought. Since ChatSecure is a chat where people want to chat secure obviously, we thought it would be a better idea to start the security function automatically.

Schön, dass ihr eure Vortragsthemenund Erkenntnisse dazu nochmal zusammenfasst! Student 1:

My topic had been security and usability of passwords. It was really interesting to inform myself about that. The gap between easy understanding (usability) and security of password-protected websites was one theme. In my presentantion I explained that system builder to think out of the perspective of the user.
However, what I liked the most in my research had been the studies about what passwords other people choose and how they choose them. I was quite surprised about how easy people's passwords can be encrypted and that hacker go social ways more than mathematical ones to crack them.

Student 2:

My presentation was about prototyping. It was interesting, how many types of prototypes are existing. There are many ways to test new ideas. You have to choose, which type of prototyp is the best for your product.

Student 3:

My talk was about designing interfaces for secure or security based systems. The main statement of these paper was, that the most of the classical rules of design does not meet the requirements of such an interface. The authors based their thesis upon user tests with the e-mail encryption tool pgp. It was also interesting to read how a test should be organised and which aspects of the test subjects should be kept in mind. All in all it was a very interesting topic for me and i could recommend this paper to everyone.

Ich habe mich sehr gefreut, eure Dokumentation zu lesen. Leider endet sie etwas abrupt. Es würde bei mir als Leser und vermutlich auch unseren Mentoren einen sehr guten letzten Eindruck hinterlassen, wenn hier noch eine Zusammenfassung der wichtigsten Erkenntnisse und Vorschläge zu lesen wäre; Sinnigerweise mit einer Übersicht in Bild- oder Grafikform (siehe Mail)