Forging. (source: Pixabay)

In this episode, O’Reilly Media’s Mac Slocum talks with Scout Brody, executive director of Simply Secure. They discuss building systems that help humans, designing better tools through user studies, and balancing the demands of shipping software with security.

Here are some highlights:

Building systems that help humans

We tend to think of security as a technical problem and the user as the impediment to our perfect solution. That's why I try to bring the human perspective to the community. I think of human beings as the real end-goal of the system. Ultimately, if we aren't building systems that are meeting the needs of humans, why are we building systems at all? It's very important for us to get out and talk to people, to engage with users and understand what their concerns are.

Designing better tools through user studies

A powerful tool you can adopt when talking to users is cognitive walkthrough. In essence, you ask them to tell you what they're thinking as they're thinking it. So, if you're going to do a cognitive walkthrough for an encryption program, you might say, ‘I'd like you to encrypt this email message. Please tell me what you're doing as you're doing it and all of the thoughts that occur to you.’ You might hear someone say, ‘Oh, wow, okay, so I'm going to encrypt. I don't really know what I'm doing. I'm going to start by pushing this button because that looks good. That's green. I'm going to push that.’ You can really hear the thought process that people are going through.

If you're in a more formal user study context, it can be useful to get the user's consent to videotape—not necessarily the person, but the screen—and see what they're doing because then you can play it for your colleagues. This is one of the most convincing ways you can make a case that your tool has problems or your tool needs improvement. Thus, just by videotaping people trying to use a tool and showing the challenges they face, you can identify ways to improve the user experience.

Balancing security with shipping software

Given my human orientation, I view software as a process, not a product. So, what are the human processes you can build in to make sure the security goals are met? To that end, you should be thinking about your developers and thinking about the people who are trying to get your software out the door. As human beings, what are the psychological components that you, as an engineering manager or a security advocate within your organization, can instrument to try to incentivize them to focus on security? It's a continuous effort, which makes it hard. It's challenging. But just like any kind of technical debt, if you don't chip away at it little bit by little bit, over time it will grow until it's a mountain.