PROJET AUTOBLOG


Shaarli - Les discussions de Shaarli

Archived

Original site: Shaarli - Les discussions de Shaarli, from 23/07/2013


Dymaxion: Real World Use Cases for High-Risk Users

Tuesday 18 November 2014 at 21:42
CAFAI Liens en Vrac 18/11/2014
Having empathy with people unlike one's self is hard — especially when trying to understand the world enough from their perspective that the design choices you make will serve them well.  Nowhere is this more true or higher stakes than the design of security systems.  I've talked about changing our thinking in security from a focus on assurance to a focus on outcomes, and empathy with the user and an understanding of what they're trying to do is a key part of this.

In this essay, I'm going to present a set of use cases or user outcome scenarios.  I'm going to try to make them as human as possible — this by @SwiftOnSecurity is an amazing example of this — but I'm going to look at some slightly more specific cases and put a bit more emphasis on how actual technical countermeasures may be used by real users.  I'm also concentrating somewhat more on specifically-targeted users than she did.  For some great thinking on how one understands a scenario like this and moves toward applying it practically, this piece from Andie Nordgren at Alibis for Interaction on moving from user focus to participation design is really excellent.  I'm going to focus mostly on small adversaries here, because as Quinn Norton states in her talk on them, they're much more common, often much more practically dangerous, and heavily overlooked by the security community.  Eventually, I'm interested in exploring more how we can model adversaries, develop richer and more easily-empathized with and understood user personas, and how we can integrate that kind of rich knowledge of the world into threat modeling efforts.  For now, though, we'll jump straight to some stories.