[148336] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: [Cryptography] Explaining PK to grandma

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Wed Dec 4 00:53:01 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <E1Vnkpv-0000U7-Aj@login01.fos.auckland.ac.nz>
Date: Tue, 3 Dec 2013 20:29:43 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Jerry Leichter <leichter@lrw.com>,
	"Wendy M. Grossman" <wendyg@pelicancrossing.net>,
	Ralf Senderek <crypto@senderek.ie>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Tue, Dec 3, 2013 at 2:56 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> "Wendy M. Grossman" <wendyg@pelicancrossing.net> writes:
>
> >P.S. I am really fed up with elderly females always being the go-to example
> >of the clueless user.
>
> They're not being used as examples of clueless users, they're representative
> personas.  Geeks have a really bad problem of design-for-the-self, creating
> software that's designed for people like themselves.  The best way to combat
> this is through usability testing, except that few developers will ever do
> that.


I disagree. I have looked at a lot of security usability studies and most
are utter junk. The problem is that the usability field is really about how
to sell stuff to people and focuses on the fifteen minutes or so evaluation
that a prospective buyer makes. That has little to do with long term
usability.

Test subjects are completely aware that they are in an artificial lab
setting. So they are far more accepting of errors etc. thinking that they
are accidental rather than part of the test.


I think that usability by comparison is a better approach. First take the
existing scheme that the user has and examine the number of steps taken to
do each operation and the information required to make a decision. Then
provide a secure scheme that never requires more effort than the existing
one in terms of number of mouse clicks, amount the user is expected to
remember, complexity of decisions etc.

Secure systems really do have to be that good for users to actually make
use of them.


Not that testing the end results on users wouldn't hurt. But the approach
is used as an excuse for inaction.

Every time we try to improve usability in IETF there is some idiot who will
try to TALK US OUT OF IT by saying that we shouldn't try to do anything
like that without being Pavlov first.

Demanding testing becomes another way to filibuster progress.


-- 
Website: http://hallambaker.com/



_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
