<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: What do you really need?</title>
	<atom:link href="http://www.dancingmango.com/blog/2009/10/12/what-do-you-really-need/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dancingmango.com/blog/2009/10/12/what-do-you-really-need/</link>
	<description>For more than a decade Marc has been a passionate advocate of placing the customer at the heart of business, working with clients in finance, retail, government and entertainment sectors, helping them craft compelling cross channel customer experiences.  Marc champions lean and agile approaches for making customer driven innovation happen.  He brings design thinking and creativity to clients, engaging across the organisation with a focus on delivery as well as ideas.  He is currently writing a book on Agile Experience Design to be published this Autumn.</description>
	<lastBuildDate>Sun, 25 Sep 2011 23:33:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: James Christie</title>
		<link>http://www.dancingmango.com/blog/2009/10/12/what-do-you-really-need/comment-page-1/#comment-132927</link>
		<dc:creator>James Christie</dc:creator>
		<pubDate>Tue, 13 Oct 2009 10:58:35 +0000</pubDate>
		<guid isPermaLink="false">http://www.dancingmango.com/blog/?p=754#comment-132927</guid>
		<description>Thanks. Did you look up my article? The question of usability was fairly peripheral, but I think the intersection between security and usability testing is an interesting topic that doesn&#039;t seem to have received as much attention as it deserves. Personas and usability techniques should be among the tools that functional and security testers call on when they&#039;re considering how applications can be abused. I wasn&#039;t familiar with Extreme Characters, but I tracked down the paper I think you meant. 
http://homepage.mac.com/j.p.djajadiningrat/publications/2000DjajDISInte.pdf. It was very interesting.

Of course using these Extreme Characters would be rather different from what I was thinking of. That paper&#039;s about product design. However, the interesting point is that such characters are needed because of the limitations of stock, stereotypical personas that have just bland, &quot;good&quot; characteristics and who will behave in neat, predictable ways. And if they&#039;re going to be predictable, why bother with personas at all? Surely you have to think a bit more deeply than that about your users and what motivates them.

A big problem for testers is that their rushed functional testing, which looks at what the application is supposed to be doing, is hopelessly superficial compared to the deep understanding that real users will acquire over time of what the application actually can do. It&#039;s impossible for testers to acquire that deep knowledge in a limited time, but if they use well-judged personas, unleash their imagination and start looking at the application in a different and more cynical way then they can expose serious weaknesses.  

Unfortunately the documentation-heavy approach that software testers have traditionally taken has placed too much emphasis on proving the application can do what it&#039;s meant to and hasn&#039;t allowed testers time to use their imagination to discover whether it can do things it really shouldn&#039;t.</description>
		<content:encoded><![CDATA[<p>Thanks. Did you look up my article? The question of usability was fairly peripheral, but I think the intersection between security and usability testing is an interesting topic that doesn&#8217;t seem to have received as much attention as it deserves. Personas and usability techniques should be among the tools that functional and security testers call on when they&#8217;re considering how applications can be abused. I wasn&#8217;t familiar with Extreme Characters, but I tracked down the paper I think you meant.<br />
<a href="http://homepage.mac.com/j.p.djajadiningrat/publications/2000DjajDISInte.pdf" rel="nofollow">http://homepage.mac.com/j.p.djajadiningrat/publications/2000DjajDISInte.pdf</a>. It was very interesting.</p>
<p>Of course using these Extreme Characters would be rather different from what I was thinking of. That paper&#8217;s about product design. However, the interesting point is that such characters are needed because of the limitations of stock, stereotypical personas that have just bland, &#8220;good&#8221; characteristics and who will behave in neat, predictable ways. And if they&#8217;re going to be predictable, why bother with personas at all? Surely you have to think a bit more deeply than that about your users and what motivates them.</p>
<p>A big problem for testers is that their rushed functional testing, which looks at what the application is supposed to be doing, is hopelessly superficial compared to the deep understanding that real users will acquire over time of what the application actually can do. It&#8217;s impossible for testers to acquire that deep knowledge in a limited time, but if they use well-judged personas, unleash their imagination and start looking at the application in a different and more cynical way then they can expose serious weaknesses.  </p>
<p>Unfortunately the documentation-heavy approach that software testers have traditionally taken has placed too much emphasis on proving the application can do what it&#8217;s meant to and hasn&#8217;t allowed testers time to use their imagination to discover whether it can do things it really shouldn&#8217;t.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: marc</title>
		<link>http://www.dancingmango.com/blog/2009/10/12/what-do-you-really-need/comment-page-1/#comment-132864</link>
		<dc:creator>marc</dc:creator>
		<pubDate>Mon, 12 Oct 2009 15:46:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.dancingmango.com/blog/?p=754#comment-132864</guid>
		<description>I like the article!

&#039;Bad guy personas&#039;... Are you familiar with Extreme Characters? There&#039;s a paper out there where the authors introduced a drug dealer and the pope as new personas in the product development process to see how their needs could be addressed.</description>
		<content:encoded><![CDATA[<p>I like the article!</p>
<p>&#8216;Bad guy personas&#8217;&#8230; Are you familiar with Extreme Characters? There&#8217;s a paper out there where the authors introduced a drug dealer and the pope as new personas in the product development process to see how their needs could be addressed.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: James Christie</title>
		<link>http://www.dancingmango.com/blog/2009/10/12/what-do-you-really-need/comment-page-1/#comment-132859</link>
		<dc:creator>James Christie</dc:creator>
		<pubDate>Mon, 12 Oct 2009 13:04:08 +0000</pubDate>
		<guid isPermaLink="false">http://www.dancingmango.com/blog/?p=754#comment-132859</guid>
<description>This struck a chord with me. I&#039;ve worked as a computer auditor, and I&#039;m very interested in usability issues. Something that has troubled me when I&#039;ve reviewed applications is the way existing functionality has been carried forward without serious scrutiny. I suppose my particular concern has been the corollary of yours. I&#039;m interested in how the functionality can be exploited, and what the latent, unintended functionality might be. Ideally I&#039;d like a form of usability testing involving bad guy personas trying to exploit the application, but that&#039;s getting onto another subject.

I recently wrote this in an article in Testing Experience magazine discussing flaws in an insurance application that had been exploited by fraudulent users.

&lt;i&gt;&quot;The control weaknesses related to an abuse of the authorization process, and a failure of the application to deal appropriately with third party claims payments, which were extremely vulnerable to fraud. These weaknesses would have been present in the original manual process, but the users and developers had not taken the opportunities that a new computer application had offered to introduce more sophisticated controls.

No-one had been negligent or even careless in the design of the application and the surrounding procedures. The trouble was that the requirements had focused on the positive functions of the application, and on replicating the functionality of the previous application, which in turn had been based on the original manual process. There had not been sufficient analysis of how the application could be exploited.&quot;&lt;/i&gt;</description>
<content:encoded><![CDATA[<p>This struck a chord with me. I&#8217;ve worked as a computer auditor, and I&#8217;m very interested in usability issues. Something that has troubled me when I&#8217;ve reviewed applications is the way existing functionality has been carried forward without serious scrutiny. I suppose my particular concern has been the corollary of yours. I&#8217;m interested in how the functionality can be exploited, and what the latent, unintended functionality might be. Ideally I&#8217;d like a form of usability testing involving bad guy personas trying to exploit the application, but that&#8217;s getting onto another subject.</p>
<p>I recently wrote this in an article in Testing Experience magazine discussing flaws in an insurance application that had been exploited by fraudulent users.</p>
<p><i>&#8220;The control weaknesses related to an abuse of the authorization process, and a failure of the application to deal appropriately with third party claims payments, which were extremely vulnerable to fraud. These weaknesses would have been present in the original manual process, but the users and developers had not taken the opportunities that a new computer application had offered to introduce more sophisticated controls.</p>
<p>No-one had been negligent or even careless in the design of the application and the surrounding procedures. The trouble was that the requirements had focused on the positive functions of the application, and on replicating the functionality of the previous application, which in turn had been based on the original manual process. There had not been sufficient analysis of how the application could be exploited.&#8221;</i></p>
]]></content:encoded>
	</item>
</channel>
</rss>