[SOUND] This week, we're going to see the first part of an interview with Lorrie Cranor. She's a professor at Carnegie Mellon University and one of the leaders in the field of usable security and privacy. I'm going to talk to her this week about some general things with respect to usable security, and specifically about the SSL Warning study that we have looked at in class. We will see the second part of this interview later in the term.

>> Yeah, so the usable privacy and security field covers kind of a wide range of areas of even factors related to security and privacy, both, I think, traditional secure systems people will think about, like passwords and access control, but also in the privacy space, looking at things like making privacy policies more usable and consumer privacy tools and things like that.

No, I think that for the most part the security community still has a mindset that their focus is on the security and the back-end algorithms and that somebody else should, should worry about the usability.

Yeah, so that paper actually grew out of a class project in my usable security class. And the students were interested in, first of all, demonstrating that the SSL Warnings were not working, and second, trying to come up with some alternative designs. And I think, you know, in their preliminary pilot studies they found that, that people were, were basically just saying, I've seen this before, I, it's never been important before, I'm just going to click through it, without actually focusing and paying any attention to it. And so the students started thinking about, well, what can we do to break that? And the few ideas that they came up with were, one was to make it look really different. So make it red. All right? And then the other is to force an interaction where you can't just click the button, you have to answer a question. And so those were the two ideas that they wanted to test and, and then that's what we ended up implementing.

Well, I, I think it shows that, that the interfaces do, do in fact [INAUDIBLE] behavior. That when, when the interface looks like something you've seen before, you're just going to keep behaving the way you've always behaved, and if you change the interface, you can at least temporarily get, get a change of behavior. And, and actually we, we showed in that paper that it was quite temporary, and that e, even the second time around some users were on to us, and, and realized what was going on and [LAUGH] and, and then did not do the most secure thing. Subsequently we've actually been exploring that habituation effect more in other papers.

Yeah, yeah. So I think for security systems especially, since most users are not using them because they want to do security, you know, except for the, you know, security administrators, but most people, you know, they're busy doing whatever their primary task is with their system, and the security system is, is, you know, mostly an annoyance. It's a thing they kind of have to live with but they don't really want to. So they want to get through it kind of as fast as they can. And if you build a system that is cumbersome and is going to require a lot of focus and mental energy, you know, you're, you're probably not going to have good results. [LAUGH] You know, people are going to try to find a way of routing around it. Whereas if you think about what the users are doing, what their workflow is, and try to find ways of fitting it into what the users are naturally doing. And where you need to actually get their attention, you kind of make it as, as, as rare an event as possible but, but really grab their attention in those events, I think you'll have more success.