the cups blog

07-20-11

Survey and classification of potential security UX conventions

Rob Reeder
Senior Security Program Manager
Microsoft

Our story is that we have been tasked with making our security advice and requirements more specific. For example, we get questions like:

  • What icon should I use?
  • How big should the icon be?
  • Can you give me a generic sentence to insert?

So we will assume that such conventions are beneficial, and our next step is to create them.

In our search we discovered ANSI Z535.4-2007, a more general standard for product safety signs and warning labels, and we will be interleaving that work throughout the talk today.

What are the properties of a good (security) convention?

  • Intuitive to users
  • Consistently applied
    • Doesn’t interfere with other uses of the same technique
    • e.g., bold font is already used for other things
  • Studied & tested
  • Resistant to spoofing (this is obviously very difficult)
  • Easy to implement
  • Easy to localize
    • any word that needs to be changed has to go through a localization process, being translated into dozens of languages
    • translation tables could be built to address this
  • Easy to enforce usage across company/industry
    • easy to tell when it is being used correctly or incorrectly
  • Portable to different devices
  • Accessible
  • [bonus] Already in use!

Final Thoughts: There are many challenges to getting good conventions, including industry advantage, spoofing of elements, and gaining widespread use, but the ANSI standard, with its clear and useful guidance, gives me hope.