UOM Cybersecurity Specialization

Cybersecurity Specialization is an advanced course offered by the University of Maryland. It dives deep into core topics related to software security, cryptography, hardware, etc.

Info

My progress in this specialization came to a halt after completing the first course, primarily because the subsequent courses were highly advanced and required background knowledge that I lacked. I will resume my journey once I feel confident in possessing the necessary expertise to tackle those courses.

1. Usable Security

This course is all about principles of Human Computer Interaction, designing secure systems, doing usability studies to evaluate the most efficient security model and much more…

This course contains 6 modules…

Usable Security

This course contains 6 modules…

  1. Fundamentals of Human-Computer Interaction: users, usability, tasks, and cognitive models
  2. Design: design methodology, prototyping, cybersecurity case study
  3. Evaluation: usability studies, A/B testing, quantitative and qualitative evaluation, cybersecurity case study
  4. Strategies for Secure Interaction Design: authority, guidelines for interface design
  5. Usable Authentication: authentication mechanisms, biometrics, two-factor authentication
  6. Usable Privacy: privacy settings, personal data sharing, data inference

Fundamentals of Human-Computer Interaction: users, usability, tasks, and cognitive models

What is Human Computer Interaction?

“HCI is a study of how humans interact with the computers.”

  • It is important to keep in mind how humans interact with the machines.
  • Cybersecurity experts, designers, etc. should always treat the HCI element as a major component of design and security infrastructure.
  • HCI involves knowing the users, tasks, context of the tasks.
  • Evaluation of how easy/difficult it is to use the system.

Usability

“It is a measure of how easy it is to use a system for a user.”

Measuring Usability

  • Speed
    • How quickly can the task be accomplished.
  • Efficiency
    • How many mistakes are made in accomplishing the task.
  • Learnability
    • How easy is it to learn to use the system.
  • Memorability
    • Once learned, how easy is it to remember how to use the system.
  • User Preference
    • What do users like?

How do we measure Usability?

  • Speed – timing
  • Efficiency – counting error
  • Learnability, Memorability and User Preference don’t have straightforward measurement tools.

Tasks and Task analysis

“Tasks are goals that users have when interacting with the system.”

Common errors in task creation

  • Leading or too descriptive

    Click on the username box at the upper right of the screen and enter your username, then click on the password box underneath and enter your password. Click submit…

  • Specific questions?

    What is the third headline on CNN.com?

  • Directing users towards things you want to tell them, not what they want to know.

    What are the names of the members of the website security team?

Chunking Information

“Breaking a long list of pieces of information into smaller groups.” “Aggregating several pieces of information into coherent groups to make them easier to remember.”

  • When designing systems, the most important thing to consider is human memory, as it is very volatile.
  • Working memory’s limitations should be kept in mind.
  • When designing technology products, we should not expect the user to hold more than 3 things at a time in working memory.

Mental Models

A number of factors affect mental models:

  • Affordance
    • Mapping

      Figure: Mapping a Stove Design

    • Visibility

      Figure: Visibility: A Search Engine

    • Feedback

      The user sees some visual change when they click a button.

    • Constraints

      A user should not be allowed to perform a task until certain conditions are met.

    • Conventions

      There are some conventions in place, for cross culture usability.

Design: design methodology, prototyping, cybersecurity case study

Intro to Design

  • Gain insight into who the users are.
  • Decide whether to include children or not.
  • Test your design with users.
  • Involve the users from the very start of your design.
  • Look at what other people are doing in your niche; you should probably design something similar, so that it matches the mental models users already have.
  • Define your goal: is it an innovative idea, or something that already exists to which you are adding value?
  • Don’t wait until your product is finished, take input from the users from the very first stage of design.

Design Methodologies

Design Process

The golden rule is:

  • Know Your User.
  • Where do ideas come from?
  • Many processes;
    • Iterative design

      Figure: Iterative Design Process

  • System centered design

    • What can be built easily on this platform?
    • What can I create from the available tools?
    • What do I as a programmer find interesting to work on?
  • User centered design

    • Design is based upon a user’s
      • Abilities and real needs
      • Context
      • Work
      • Tasks
  • Participatory design

    • Problem
      • intuitions wrong
      • interviews etc. not precise
      • designer cannot know the user sufficiently well to answer all issues that come up during the design
    • Solution
      • designers should have access to a pool of representative users. That is, END users, not their managers or union reps!
  • Designer centered design

“It’s not the consumers’ job to know what they want.”

— Steve Jobs

Case Study: SSL Warnings – example user

  • User knows something bad is happening, but not what.
    • User has good general strategies (worry more about sites with sensitive info)
    • Error message relies on a lot of information users don’t understand

Evaluation: usability studies, A/B testing, quantitative and qualitative evaluation, cybersecurity case study

Quantitative Evaluation

Cognitive Walkthrough

Requirements;

  • Description or prototype of interface
  • Task Description
  • List of actions to complete task
  • User background

What you look for (a mobile gesture prototype):

  • Will users know to perform the action?
  • Will users see the control?
  • Will users know the control does what they want?
  • Will users understand the feedback?

Heuristic Analysis

  • Follow ‘rules of thumb’ or suggestions about good design.
  • Can be done by experts/designers, fast and easy.
  • May miss problems users would catch.

Nielsen’s Heuristics

  • Simple and natural dialog
  • Speak the users’ language
  • Minimize user memory load
  • Consistency
  • Feedback
  • Clearly marked exits
  • Shortcuts
  • Prevent errors
  • Good error messages
  • Providing help and documentation

Personas

  • A fictitious user representing a class of users
  • Reference point for design and analysis
  • Has a goal or goals they want to accomplish (in general or in the system)

Running Controlled Experiments

  • State a lucid, testable hypothesis.
  • Identify independent and dependent variables
  • Design the experimental protocol
  • Choose the user population
  • Run some pilot participants
  • Fix the experimental protocol
  • Run the experiment
  • Perform statistical analysis
  • Draw conclusion
  • Communicate results

Analysis

  • Statistical comparison (e.g., t-test)
  • Report results

Usability Studies

Testing Usability of Security

  • Security is rarely the task users set out to accomplish.
  • Good Security is a seamless part of the task.

Usability Study Process

  • Define tasks (and their importance)
  • Develop Questionnaires

Selecting Tasks

  • What are the most important things a user would do with this interface?
  • Present it as a task not a question
  • Be specific
  • Don’t give instructions
  • Don’t be vague or provide tiny insignificant tasks
  • Choose representative tasks that reflect the most important things a user would do with the interface

Security Tasks

  • Security is almost never a task

Pre-Test Questionnaires

  • Learn any relevant background about the subjects:
  • Age, gender, education level, experience with the web, experience with this type of website, experience with this site in particular.
  • Perhaps more specific questions based on the site, e.g., color blindness, if the user has children, etc.

Post-Test Questionnaires

  • Have users provide feedback on the interface.

Evaluation

  • Users are given a list of tasks and asked to perform each task.
  • Interaction with the user is governed by different protocols.

Observation Methods

  • Silent Observer
  • Think Aloud
  • Constructive Interaction

Interview

  • Ask users to give you feedback
  • Easier for the user than writing it down
  • They will tell you things you never thought to ask

Reporting

  • After the evaluation, report your results
  • Summarize the experiences of users
  • Emphasize your insights with specific examples or quotes
  • Offer suggestions for improvement for tasks that were difficult to perform

A/B Testing

  • Doesn’t include any cognitive or psychological understanding or model of user behavior.
  • You give two options, A or B, and measure how they perform.

How to Run A/B Test

  • Start with a small percentage of visitors trying the experimental conditions.
  • Automatically stop testing if any condition has very bad performance.
  • Let people consistently see the same variation, so they don’t get confused.
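The three rules above in code, as an added example that is not part of the original course notes: hash-based assignment keeps each visitor on the same variation, an `exposure` fraction limits who sees the experimental design, and a guardrail stops the test when a condition performs very badly. The class, the experiment name, the thresholds and the visitor ids are all assumptions made for illustration.

```python
import hashlib

def bucket(user_id: str, experiment: str) -> float:
    """Stable point in [0, 1) derived from a hash of experiment + user."""
    digest = hashlib.sha256(f"{experiment}:{user_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64

class Experiment:
    """A = current design, B = experimental design (illustrative names)."""

    def __init__(self, name, exposure=0.05, max_failure_rate=0.5, min_samples=20):
        self.name = name
        self.exposure = exposure                  # share of visitors who see B
        self.max_failure_rate = max_failure_rate  # what counts as "very bad"
        self.min_samples = min_samples            # don't judge on too few attempts
        self.stats = {"A": [0, 0], "B": [0, 0]}   # [attempts, failures]
        self.stopped = False

    def variant(self, user_id: str) -> str:
        # After an automatic stop everyone falls back to the current design.
        if self.stopped:
            return "A"
        # The threshold only moves up when exposure is raised, so a visitor
        # who already saw B keeps seeing B.
        return "B" if bucket(user_id, self.name) < self.exposure else "A"

    def record(self, variant: str, success: bool) -> bool:
        """Log one task attempt; returns True once the test has been stopped."""
        counts = self.stats[variant]
        counts[0] += 1
        counts[1] += 0 if success else 1
        attempts, failures = counts
        if attempts >= self.min_samples and failures / attempts > self.max_failure_rate:
            self.stopped = True
        return self.stopped

def b_users(exp, user_ids):
    """Set of visitors currently assigned to the experimental design."""
    return {u for u in user_ids if exp.variant(u) == "B"}

if __name__ == "__main__":
    users = [f"user-{i}" for i in range(10_000)]   # constructed visitor ids
    exp = Experiment("login-warning-v2", exposure=0.05)
    print(len(b_users(exp, users)), "of", len(users), "visitors see B")
```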

Strategies for Secure Interaction Design: authority, guidelines for interface design

  • It’s the user who makes the security decision, so keep the user in mind when designing security systems.

Authority Guidelines

  • Match the easiest way to do a task with the least granting of authority.
    • What are typical user tasks?
    • What is the easiest way for the user to accomplish each task?
    • What authority is granted to software and other people when the user takes the easiest route to completing the task?
    • How can the safest ways of accomplishing the task be made easier and vice versa?
  • Grant authority to others in accordance with user actions indicating consent.
    • When does the system give access to the user’s resources?
    • What user action grants that access?
    • Does the user understand that the action grants access?
  • Offer the user ways to reduce others’ authority to access the user’s resources.
    • What kind of access does the user grant to software and other users?
    • Which types of access can be revoked?
    • How can the interface help the user find and revoke access?

Authorization and Communication Guidelines

  • Users should know what authority others have.
    • What kind of authority can software and other users hold?
    • What kinds of authority impact user decisions with security consequences?
    • How can the interface provide timely access to information about these authorities?
  • Users should know what authority they themselves have.
    • What kind of authority does the user hold?
    • How does the user know they have that authority?
    • What might the user decide based on their expectation of authority?
  • Make sure the user trusts the software acting on their behalf.
    • What agents manipulate authority on the user’s behalf?
    • How can users be sure they are communicating with the intended agent?
    • How might the agent be impersonated?
    • How might the user’s communication with the agent be corrupted/intercepted?

Interface Guidelines for Usable Security

  • Enable the user to express safe security policies that fit the user’s task.
    • What are some examples of security policies that users might want enforced for typical tasks?
    • How can the user express these policies?
    • How can the expression of policy be brought closer to the task?
  • Draw distinctions among objects and actions along boundaries relevant to the task.
    • At what level of detail does the interface allow objects and actions to be separately manipulated?
    • What distinction between affected objects and unaffected objects does the user care about?
  • Present objects and actions using distinguishable, truthful appearances.
    • How does the user identify and distinguish different objects and actions?
    • In what ways can the means of identification be controlled by other parties?
    • What aspects of an object’s appearance are under system control?
    • How can those aspects be chosen to best prevent deception?

Usable Authentication: authentication mechanisms, biometrics, two-factor authentication

Password Authentication

Password Attacks

  • Human
  • Brute force
  • Common word
  • Dictionary word

Two-Factor Authentication

  • Password & one time unique code
    • Generated by
      • Device
      • Email
      • Text
      • App

Security of TFA

  • More secure
  • Stops most hacking attacks
  • Users perceive it as more secure

Usability of TFA

  • Research says:
    • Speed: Slower
    • User Preference;
      • Felt less usable
      • Less convenient
      • Harder to use

Biometric Authentication

  • Fingerprints, voice and facial scan etc.

Usability of Biometrics

  • Voice Recognition
    • Speed: medium
    • Efficiency: medium
    • Learnability: easy
    • Memorability: easy
  • Facial Recognition
    • Speed: medium
    • Efficiency: medium
    • Learnability: easy
    • Memorability: easy
  • Fingerprint Recognition
    • Speed: fast
    • Efficiency: good
    • Learnability: easy
    • Memorability: easy

Analyzing Security

  • Who can access the device?
  • How easily can they replicate the biometric input?

Gesture-based Authentication

  • Keypad Gestures
  • Free Gestures
  • Draw your Signatures
  • Multi-touch

Benefits

  • Gestures users enjoy tend to be more secure
  • Users prefer gestures to passwords
  • Faster than passwords, less error-prone

Usable Privacy: privacy settings, personal data sharing, data inference

Usable Privacy Basics

  • Privacy is a kind of security;
    • Users want to protect their information.
    • Should have the right to understand what happens with their data.
    • Should have as much control as possible over how it is used.
  • Privacy Policies;
    • Tell a user everything they need to know about how their data is collected, used, and shared.
    • Can be analyzed for usability.
  • Privacy Controls
    • Should data be collected or not?
    • Who has permission to see it?
  • Going forward
    • Privacy and security are part of the same issue.
    • Analyzing usability is done the same way with privacy.
    • Keep the user in mind first.

Privacy Policies and User Understanding

For users to control their privacy, they must understand privacy policies. Do they?

  • What we know:
    • Most people don’t read privacy policies.
    • When people do read them, they don’t necessarily understand them.
  • How to learn?
    • Read privacy policies.
    • Discover through other sources.
  • Implications
    • Privacy policies are boring and hard to read
      • Poor usability
    • They are really important.
    • Are there more usable ways to convey the information in a privacy policy?
  • Users understand what data is being collected and shared, and they consent to how it is used.
  • Six components
    • Disclosure
    • Comprehension
    • Voluntariness
    • Competence
    • Agreement
    • Minimal distraction

5 Pitfalls of Privacy

  • Understanding
    • Obscuring potential information flow.
    • Obscuring actual information flow.
  • Action
    • Emphasizing configuration over action.
      • Privacy management should be part of natural workflow
    • Lacking coarse-grained control.
      • Have an obvious, top-level control to turn sharing on and off
    • Inhibiting established practice.
      • What users expect from other experiences? Let them have it here too.
      • Mental models, conventions

Information Flow

  • Types of information
  • Kinds of observers
  • Media through which info is conveyed
  • Length of retention
  • Potential for unintended disclosure
  • Collection of metadata