#Cognition #Clash in the #IoT #SXSW

Thank you to everyone who attended our (Karl Smith and Thom Heslop) talk at SXSW; it’s the start of a long road into a really complex and contextual problem. But being silent in the crowd as the King walks by with no clothes on is not an option: people’s lives, futures and prosperity are at risk, not to mention the risk of multi-trillion dollar lawsuits that can follow from knowingly distracting people who are engaged in critical tasks.

Cognition Clash in the IoT at SXSW16

The IoT – Internet of Things (Ubiquity) is the next great opportunity for commerce to engage with business enterprises and customers. However, there is no unified approach to the mental load between physical interaction, mental interaction and digital interaction. This cognitive landscape is inhabited by associated experiences that gel human behaviour and machine interfaces through touch, mouse and keyboard. The usage of sight, voice and thought creates new complexities and risks which have until recently been the subject of defence technologies (battlefield and strategic), where clear outcomes and prescribed mental models exist.

IoT clash girl dies

The diversification of these touch points and multi-point human logic models clash and derail human thinking patterns.

We are looking for people and their knowledge to help create a Ubiquity Open Standard. We are doing this because no one else has noticed this fundamental error in thinking; the hope that product-based companies will work together in creating common standards that are driven by an understanding of human thinking capabilities, cognitive models, relational thinking and machine interactions is unlikely to be met.

While product manufacturers continue with a supremacy attitude to other ecosystem products and services,

“the human voice and our needs and desires are subjugated to simply another component”

albeit the one that is constantly paying for everything without any input on how it works.

Some Foundations (the rest will go in a technical paper)

Distributed Cognition studies the ways that memories, facts, or knowledge are embedded in the objects, individuals, and tools in our environment. According to Zhang & Norman (1994), the distributed cognition approach has three key components:

  • Embodiment of information that is embedded in representations of interaction
  • Coordination of enaction among embodied agents
  • Ecological contributions to a cognitive ecosystem

In Embodied Interaction (Dourish), everyday human interaction is embodied: non-rationalising, intersubjective and bodily active. Users, not designers, create and communicate meaning and manage coupling. It is not just concerned with what people do, but also with what they mean by what they do and how that is meaningful to them. It reflects the sets of meanings that can be ascribed to objects and actions over those objects as part of a larger task or enterprise.

Cognition is the key to the mind. According to Smith (2005), people understand what they can do by comparison, through a Diagnostic Methodology (goals, adaptations, conventions), with what they already know, accessing the Active Narrative patterns they have created in their own minds.

Cognition Patterns Cognition Clash in the IoT different people think differently

Cognition Groups create a communication paradigm; they carry intention, meaning, risks and benefits.

  • Some Cognition patterns are common, shopping basket etc.
  • Some Cognition Patterns are social by Family, Sports Team etc.
  • Some Cognition Patterns change without notice

Guided Interaction: existing websites offer guided interaction, a simplified cognitive pattern encapsulating a plethora of interacting technology and data systems. Shopping Basket: this representation allows for distributed cognition > appropriation > cognitive pattern forming > understanding. Once a user has used a shopping basket they will understand how to use them and generalize: a transferable cognitive pattern.

Some of the issues with the IoT

  • There is no standard of interactivity for humans in the IoT – not a problem if passive background machine-to-machine. A very big problem if actively interacting with humans, who are all different and can create their own meanings for example LOL.
  • How does a user form any cognitive patterns from an invisible system?
  • IoT combines known patterns as hidden machine-to-machine communications that can create mistrust and security fears
  • Detailed component view we have constructed around daily interactions is no longer valid

Some of our initial research

IoT Design Principles

  • What is device / service for?
  • Where will it be situated?
  • When will it be triggered?
  • What other devices will it be interacting with?
  • Where can it clash?
  • Security? – Lack of security – Shodan
  • Design Principle: “Do No Harm”

IoT Design Risks

Context is critical

  • Situational interaction problems for consideration

The following barriers reduce our ability to understand the situation

  • Perception based on faulty information processing
  • Excessive motivation – over motivated to the exclusion of context
  • Complacency
  • Overload
  • Fatigue
  • Poor communications

A possible solution

  • Avatar (can be visual, sound, texture, smell, taste or a combination) – smart use of Artificial Intelligence (AI), where the user’s cognitive interface is patterned on their unique cognition pattern through a learning algorithm
  • This avatar should be directional and instructional like digital signage
  • This avatar should respond to the user’s behavioural interaction and should fall away gracefully as the user’s behaviour becomes more ‘expert’. In effect it should be a learning system that learns from the users rather than being based on static rules
  • For example, the AI that George Hotz has built into his self-driving car, while not the answer, points to the kind of thinking required to find the answer, don’t tell the machine to watch and learn from a human and then carry out your task (from 3.33 to 5.04) “the point is to drive naturally like a human, not some engineer’s idea of safety”. For anyone who then thinks this is the final solution, please let us know why you think driving a car is like cooking dinner or navigating the street?

The Full SXSW Talk is on YouTube

Connect to the speakers on LinkedIn here Karl Smith and Thom Heslop


British Airways security update stops ticket sales

I just logged into my BA account to book a ticket, but BA does not want my business because they have implemented new security without thinking about the impact on users.

After making my selection I’m shown the page below instead of a flight selection page. I could understand getting this if I’m not logged in, but I am, so I have already authenticated my session. But there is no excuse for sending me to a blank screen; my firewall does not block Captcha, I know this for a fact.

When was this tested or has it gone up today without being tested, who knows?

—- A few minutes of testing later …

I have now managed to get it working and BA have fallen for the classic developer problem: the new security page has been developed on Firefox with Internet Explorer an afterthought. The Captcha loads in Firefox but does not in IE.

Now here is a description of one of the worst user experiences possible;

  • In Firefox I first log into my account; I’m in, they know who I am.
  • Then I do my search selection.
  • I get the Captcha page and fill it out; great, I’m in my results.
  • Now the clear thing, and everyone who books travel online knows this, is that (sorry, back now; I was in Heathrow and had to get my flight, ironic that I was in the BA lounge trying to buy a ticket but being stopped by poor usability) searching and finding are two different experiences.
  1. The British Airways flight search tool has always been bad as it does not cross link results e.g. Date, Location, Tier unless you search again, this is because the person who designed it does not think like a passenger. Potential passengers want to get somewhere, that is their first requirement, not to select class of travel. If you want a good standard look at EasyJet flight search, if you can forget all the other painful experiences and thinking the search is really very good.
  2. Now some bright spark at BA has looked at the log statistics and thought we are getting lots of drop outs and re-searching, this could be a denial of service attack, it’s not, it is in fact the only way to find flights.
  • So my results only show me one class of flight, to see the other ones I have to search again, if I do I get Captcha again and again and again as I try and cross relate the various sets of results to get the best deal, that gets me where I need to get, when I need to get there.
  • Really, really painful experience, oh and I still have not booked a ticket because I was so angry at my treatment, I gave up.

What to do next?

  1. Sack someone, really, they made my evening hell!
  2. Hire a User Experience Architect (must be technical as they will lead the IT part too, so not a graphic designer) who will tell you how to redesign your search results and change how the back end IT works.
British Airways website security upgrade stops ticket sales

#Agile #User #stories is a #UX #method

User stories is another name for a Cognitive Walkthrough

I have been involved in Agile for a very long time, mainly because it uses methods from the human computer interaction scientific process (CHI/HCI).

I’m surprised no one else has blogged about the use of CHI/HCI processes in Agile before, but thought I should say something as I keep getting told that it’s interesting how many CHI/HCI people have embraced Agile. In fact it’s the other way around.

Agile has simply appropriated UX techniques that have new Agile names

The main one is User Stories; they are in fact a reuse of the Cognitive Walkthrough, but I’ll let you draw your own conclusion.

Cognitive Walkthrough

Cognitive Walkthrough is a method utilised to express how the system works from a user perspective; it exposes potential usability failures and defines happy and unhappy pathways.

The method starts with a task analysis that specifies the sequence of steps or actions required by a user to accomplish a specified task. The system response to each action is noted. The designers and developers of the software then walk through the steps as a group, which enables an agreed view. They ask themselves a set of defined questions at each step to determine all the potential outcomes. Afterwards a report of potential issues is compiled and the project team has a clear focus on the various user pathways including happy paths, risky paths, error paths and failure paths.

User Stories

User Stories are a quick method to determine the who, the what and the why of a business requirement and are produced in a narrative format as if a user was walking through their use of an interactive system.

User stories are written at two levels: Epic Stories that define groups of functionality (registration) and User Stories that define a single piece of functionality (sign in).

User stories are written by the product owner (an Agile title for stakeholder or product manager), a user experience architect or a business project manager (not a scrum master), or by the development team when they break down stories that are too large (these are then confirmed by the product owner).

The method starts with defining the Epic stories, then breaking these down into smaller stories that relate to an encapsulated (self standing) component. In design and development these stories can be parcelled to the various specialisations including user research (end user validation, How It Works), visual design, user experience design, back-end development (feature and service delivery), security and front end development. These stories will have their interlinks (to other components) stubbed out until those stories are built and can be integrated.

Agile + CHI/HCI = User Centred Requirements, Human Centered Design and Human Centered Development.

They are not exactly the same but the essential method is:

  1. think like a user
  2. describe what you can do
  3. build the system that enables a user to complete a task or acquire a feature



6 ways to keep your #identity #secure #online

Think about what you’re doing, security is a choice

I have been using the Internet for years, in fact long before the world wide web became available, but one thing has always mystified me:

Why do people willingly give away so much private, valuable and dangerous information about themselves?

Going back to a pre-web example, I realized years ago, in my teens, that my signature was valuable; it may have been while forging my mother’s on a school sick note. But the knowledge of that essential truth made me have different signatures for different purposes: government documents, cheques, membership forms etc. all have different levels of importance and risk.

And because of my experiences I have taken this kind of thinking into the digital realm

1. Don’t always use your full or real name

I know some websites require your real name but unless you need to make a payment you could spell it in a different way, add middle names or initials other than those on your birth certificate.

2. Don’t supply your real date of birth

Most websites will never do anything with this information apart from market stuff at you. If this makes you feel weird, make yourself older than you are; plus or minus two years works well, but change your day and month too.

3. Don’t provide your real address

Some websites require this for their security; put some typos in on purpose, add an A or B to your building, but remember them and use them consistently across the web (as there is a look up database). If you’re buying things you’ll need your correct address and postcode for 3-D Secure card security.

4. Don’t supply your real town of birth

Give your best friend’s or partner’s town; this is usually a really important banking security question, so any answer you can remember is relevant (usable security).

5. Don’t provide real biometric information including pictures

Don’t use pictures that can be used to create identification documents; have your head turned to one side or the other, also be taller or shorter, just don’t give very accurate information.

6. Don’t supply extra information

If it’s not required (in a good design, required fields are indicated by an asterisk), give the bare minimum to get access.

Why does the security of your online identity matter at all?

Well in the simplest form all anyone needs is three key identifiers;

  • your name
  • your date of birth
  • your town of birth

and they can get a copy of your birth certificate totally legally in the United Kingdom.

Once they have your birth certificate they can apply for other forms of identification and then start spending your credit value.

Another useful thing from this type of attitude to supplying information is to find out which companies are selling your data and then decide if you still want to deal with them.

Never provide any information to someone who messages you online or on the phone; if they called you they already know who you are. If you’re interested in communicating, don’t use any link or numbers they give you; look up the company independently and call them through their switchboard.

And finally;

careless information costs billions; no matter how secure a company says it is, always assume they will be hacked at some point, either electronically or by a staff member


Mobile is now Slowbile, mobile experience is destroying user experience (UX)

I like many other people love to use my mobile phone to view the web, contact friends through mobile applications and keep up to date. But recent changes by companies are driving me nuts; it’s so bad that I’m considering not using their services.

So what’s the problem with mobile?

When the World Wide Web started to go mobile, the complex problem of screen size and control had many solutions; some worked, some did not. I remember writing my first WAP site; it worked but was an awful user experience. Then CSS took over as the solution of choice; now it’s purpose-built applications (less functionality, one for each device and a rather expensive route) or the responsive web (resizes with same functionality, the direction I’m taking). However, it’s the change in user choice that’s driving me nuts: as a user I used to be able to choose to have an application or not, now I’m being forced into an experience I don’t want.

A recent forced bad user experience with LinkedIn

I really like the concept of LinkedIn but they have really lost contact with users and the following experience really expresses this detachment better:

I was using my iPhone and I wanted to manage one of the groups I run on LinkedIn, so I used Safari on the phone to access LinkedIn. I had to do this as the LinkedIn iPhone application does not support group management. So through Google I went to LinkedIn and I was given an interstitial page about the iPhone application. Great, they are clever enough to know I have an iPhone, but not clever enough to know I already have the mobile app but am not using it!! Maybe there is a reason. I can’t cancel this (never see again checkbox, a feature I put on all interstitial pages as it’s just good user experience) so every time I try I get this bad experience.

I get to the website, great I put my email address and password in (really not easy on an iPhone, that’s an easy fix, but just look at all the sites and companies who can’t be bothered to make it easy for users) and click login — I’m expecting to get into my account, but no I’m forced into their (very slow) mobile site.

At this point I’ve already been asked if I want a mobile version and said NO, I’ve logged in and now I get asked to login again. This is because their credential store is not set up to pass my credentials to their mobile site version; this is really poor, even in the most basic WordPress system that is integrated.

Anyway as I don’t want the mobile version as it does not have the functionality I require, I click on the go to desktop version. I’m back at the desktop version but I have to login again, at this point I want to throw the iPhone under a car.

It took 25 minutes to login to LinkedIn, Mobile is now Slowbile

At this point I’ve arrived in the office and decide never to bother with this again. Way to go LinkedIn, forcing me to hate your thinking and technology when your concept is such a good one.


#Usable #security in investment banking and #wealth #management

1.0  Usability principles in security systems

Security and trust are vital principles in building interpersonal and business relationships. These same principles should be employed to both directly and indirectly communicate with users. The following post shows how the construction of password reset challenge questions tells a narrative story of capability and intention as much as the supporting text and brand values of the system and service that is secured by them.

2.0  Characteristics of good questions

Correctly structuring and defining the content of password reset challenge questions has a number of characteristics that underwrite a good user experience and establish the environment as high quality, well considered and competently managed technology.

2.1   Cannot be easily guessed or researched

The most important characteristic of a good security question is how difficult its answer is to discover. A good security question has answers that are not easy to guess or to decipher, directly or indirectly, from what is known or can be researched about the person.

Good security questions meet a number of specific requirements and have high entropy (the number of possible answers), so that the probability of selecting the correct answer is very low. Only the authorized user is likely to provide the correct answers, making a highly secure system. Answers are unlikely to be known even by a family member, close friend, relative, ex-spouse, or significant other.

Bad examples:

  • What is your address?
  • What is your phone number?
  • What is your mother’s maiden name?

Good examples:

  • What was your dream job as a child?
  • What is the first name of the boy or girl that you first kissed?
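To make the entropy requirement above measurable, the following added example (not from the original post) scores a sample of answers collected for one question. It goes slightly beyond counting possible answers by also weighing how often each answer occurs, since a question with many possible answers is still weak if most users give the same few. The sample answers, the three-attempt limit, the threshold and the function names are assumptions made for illustration.

```python
import math
from collections import Counter


def answer_metrics(answers, attempts=3):
    """Score a sample of answers collected for one challenge question.

    Returns a dict with:
      distinct     - number of different answers seen
      shannon_bits - Shannon entropy of the observed distribution
      min_bits     - min-entropy, set by the single most common answer
      p_guess      - chance that trying the `attempts` most common answers
                     succeeds before a lockout
    """
    # Compare answers the way a verifier would: ignore case and outer spaces.
    counts = Counter(a.strip().casefold() for a in answers if a.strip())
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no answers supplied")
    probs = sorted((c / total for c in counts.values()), reverse=True)
    return {
        "distinct": len(counts),
        "shannon_bits": -sum(p * math.log2(p) for p in probs),
        "min_bits": -math.log2(probs[0]),
        "p_guess": sum(probs[:attempts]),
    }


def acceptable(answers, attempts=3, max_p_guess=0.01):
    """Policy check; the 1% threshold is an assumed example value."""
    return answer_metrics(answers, attempts)["p_guess"] <= max_p_guess


# Constructed samples, not real user data.
SKEWED = ["Smith"] * 4 + ["Jones"] * 2 + ["Brown", "Taylor"]
SPREAD = ["astronaut", "vet", "pilot", "chef", "diver", "farmer", "nurse", "clown"]

if __name__ == "__main__":
    for name, sample in (("skewed", SKEWED), ("spread", SPREAD)):
        print(name, answer_metrics(sample))
```
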

2.2   Doesn’t change over time

One of the most common mistakes in creating reset challenge questions is the use of “favourites” as a concept: favourite vacation, teacher, colour, movie, book, animal, song, artist, etc. The list is endless and worthless, as people change their minds about these favourites. Last year my favourite holiday was France; this year it is New York. Not only does the type change from country to place, but the next time I log in and have to answer a security question, I can get locked out because I’ve had several favourite holiday locations and activities. For the user the result is frustration (“I answered the question, didn’t I?”), leaving them feeling foolish and with a perception that the technology and its user is untrustworthy.

Bad examples:

  • Where did you go on holiday last year?
  • Where do you want to retire?

The answer to a good security question doesn’t change over time.

Good examples:

  • What is the middle name of your youngest child?
  • What school did you attend when you were 16?

The other problem with favourite or preference types of questions is that people are displaying more information on social network sites like Facebook and Myspace so this type of information enters the public domain.

2.3   Is memorable

The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up an association or reference or having to remember too far back in time.

Bad examples:

  • What is your driver’s license number?
  • What is your car registration number?

Good example:

  • In what month were you married?

The problem with memorable questions and answers is that they may relate to a social context that not all users have, e.g. being married or having brothers or sisters.

2.4   Is definitive or simple

The question should require a specific answer.

Bad example:

  • What was your first car?
  • Answer: Ford, Escort, Ford Escort, 1972 Ford Escort

The answer can be remembered and entered differently and still be correct for the user but wrong for the system.

Better example:

  • What was the make of your first car?
  • What was the make and model of your first car?

This is where the use of language and cultural context starts to have a major effect.
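The mismatch described above, as an added example (not code from the original post): answers are normalised before being hashed, which absorbs differences in case, spacing, punctuation and character width, but cannot reconcile "Ford" with "1972 Ford Escort"; only a definitive question wording does that. The function names, the PBKDF2 iteration count and the formatting variants are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ITERATIONS = 100_000  # assumed example value; tune for your hardware


def normalize(answer):
    """Canonical form of a free-text answer: Unicode, case, punctuation, spacing."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)   # punctuation becomes a space
    return " ".join(text.split())          # collapse runs of whitespace


def _derive(answer, salt):
    # Store a slow salted hash of the normalised answer, never the answer itself.
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(answer):
    """Return (salt, digest) to store for this user's answer."""
    salt = os.urandom(16)
    return salt, _derive(answer, salt)


def verify(answer, salt, digest):
    """Constant-time comparison of a later answer against the stored digest."""
    return hmac.compare_digest(_derive(answer, salt), digest)


def try_variants(enrolled_answer, variants):
    """Enroll one answer, then report which later spellings would be accepted."""
    salt, digest = enroll(enrolled_answer)
    return {v: verify(v, salt, digest) for v in variants}


# The page's own "first car" answers plus constructed formatting variants
# (the fourth entry is "Ford" typed in full-width characters).
VARIANTS = [
    "Ford Escort",
    "  ford   ESCORT ",
    "Ford-Escort.",
    "\uff26\uff4f\uff52\uff44 Escort",
    "Ford",
    "Escort",
    "1972 Ford Escort",
]

if __name__ == "__main__":
    for variant, ok in try_variants("Ford Escort", VARIANTS).items():
        print(f"{variant!r:24} -> {'accepted' if ok else 'rejected'}")
```
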

2.5   Does not embarrass

When users are presented with questions that offer open text answers they will sometimes use language that they would not expect to be questioned about or, worse still, have a colleague or manager see them enter into a form. Also, very personal questions cause users to view the technology negatively and ask, ‘why would this company want to know that?’

2.6   Security Level

The most important factor in determining the types of challenge questions used is the level of security required and what risks are opened up by the questions being used.


Note: A longer version is in process and this post will be updated soon.
