
Disabled Security: The Role of Universal Design in Cybersecurity

BSides Philly · 2020 · 25:40 · Published 2020-12
Style: Talk
About this talk
Security technology does nothing if it isn't used, or if someone is unable to use it. Psychological human factors have already been thoroughly examined within the cybersecurity field. But what about cases where the barriers to use are rooted in more than just natural human heuristics? People with disabilities, both as consumers and as professionals, should not have to choose between accessibility and security. Some accessibility measures can compromise security: shoulder surfing is easier if a person uses large fonts and high contrast. Conversely, some security measures can compromise accessibility, as when an application designed to prohibit copying text also prevents screen readers from examining its content. So how can we ensure that these people stay safe in the digital world while maintaining their access to it? The idea that all people should have equitable access and security is covered by Mace's Seven Principles of Universal Design, a set of points to consider when ensuring that the design of a space or product will be useful to a diverse audience. Originally intended for architecture, many of the principles also apply to, and can be implemented within, the virtual world (for example, during the development of an application). I want to examine, through the lens of my own experiences as a disabled computer science student and systems administrator, how accessibility, security, and universal design intersect, and how we can strengthen security by ensuring that it does not inhibit access.
Transcript [en]

Hi, I'm Maddie Bright, and today I'll be presenting "Disabled Security: The Role of Universal Design in Cybersecurity." So first, a little bit about me. I am currently a third-year student at Drexel University studying computer science with a focus in computer security. However, I have some past work experience too. My first and most recent co-op was as an assistant systems administrator at the University of Pennsylvania. Before that, I worked as an IT support intern at the Center for Independent Living of Central Pennsylvania, where I was placed by my vocational services provider as an intern, and this is a new program, so I was their first intern. So while I did do IT support, I also did a lot of advocacy work and clerical work as well, which was an interesting experience. I didn't know what I was getting into, but I had a great time, and this is actually where the idea for my presentation came from, because as I was working there, working in an organization staffed by people with disabilities with the aim of helping other people with disabilities and advocating for our needs, well, I wasn't finding the resources that I was looking for to help people with disabilities learn which resources are accessible to them. Are there accessible sites for people to learn cybersecurity from? And I found that there was this huge information gap, in that while a lot of other areas of design were pretty well covered in terms of how they could be made accessible, I didn't see a lot about security.

So let's get started. As you can see, this person is not getting into that building, no way, no how, no matter how hard they try. So when I say inaccessible, that's what I mean: you can have whatever technology you have at the time, whatever adaptive technology, whatever needs, whatever exists; if you cannot do something because it is a restriction of your disability and the way in which you are equipped, that's inaccessible. If someone hands me a newspaper to read but doesn't let me use my magnifier, that's inaccessible. And I should also mention that, again, I'm visually impaired, so I have faced several of these challenges, and I've also faced them during my own schooling. So through my own experiences and through, as I said, that information gap, that's why I felt the need to make this presentation.

So one way I think in which we could begin to consider accessibility more thoroughly in security is to look at the ways in which the principles of universal design apply. However, first I have two short anecdotes to illustrate why accessibility and security haven't really been shown to play well in mine and my friends' experiences. In the top upper corner there is an image of a woman using a CCTV magnifier to read a book, and that's essentially an electronic magnification device. I used these a lot in my middle and high school years, and I still drag it out occasionally to do paperwork or to play with my Raspberry Pi or something. But the thing is, whoever's behind you can see what's on that screen whether you want them to or not, and unlike laptop computers, there's no screen shields designed for these; you have to make your own. But why should someone have to go out of their way to go through that trial and error and purchasing materials to make their own? It seems like that should be an accessory that's offered just like it is with laptops. It should be something that is equally considered as part of the device's security, but it's not, and that's no fault to the people who make these. They had a goal and they fulfilled it. A lot of these devices work really well for their intended purpose; they're just not that great if you don't want people to read over your shoulder.

In high school I also had a friend who had a physical disability, and when they went to type with the keyboard, they used one hand. So whenever they wanted to type a capital letter, they hit the caps lock key, typed the letter, hit the caps lock key, and continued typing. It was a system that worked for them, and I never heard them complain about it until we got laptops with these kinds of keyboards. This keyboard doesn't have a caps lock key; it has a search key instead. So they found typing on this kind of keyboard very frustrating, and you can see that if you had to type long, complex strings, like, say, a password, on these pretty frequently, your thoughts would probably go to "how am I going to make this so that I can type it out every time with minimal hassle, if this is the hardware I have to use?" Well, that means you probably aren't considering the complexity, whether or not you're repeating a password. Your mind is in other places, considering other needs. And in a way, you can think of it's kind of like Maslow's hierarchy of needs: when the need of access is met, now then you can think about security for the future and in every subsequent time you use your device or you carry out a task. But until you know that you can do that task reliably and repeatably with an acceptable level of effort, you can't really start thinking "how can I make this better?" And again, this is no one's fault, but it is the way a lot of things have currently been designed, and I think that that needs to change, especially as security becomes ever more important and ever more present in people's minds, whether it be consumers, employees, upper management. We all have to care about it, and that means we can't leave anyone out. Just because at the moment there aren't the greatest resources designed for people with disabilities doesn't mean that this isn't a need; this isn't a need that will go ignored in the future. And just because someone has a disability doesn't mean that they'll be ignored as a weak link in security. Just as it's easy for someone to write out a password on a Post-it and leave it somewhere, or to leave it in a file on their computer, or to just make a mistake and have that be exploited, for example, like an S3 bucket with improper permissions, it could be possible one day for people with disabilities' needs and their own, like, homebrew adaptations that, again, like making their password not as strong because they are required to use a device that is not as accessible to them as other potential devices, and that could be a security vulnerability. So again, it might seem that these two ideas, expanding access to information and making sure it's secure, might not seem like two sides of the same coin, but they really are.

So back to the seven principles I mentioned. These were originally conceived at the University of North Carolina, and you can read lots about them online. They were originally designed for buildings, physical buildings, to make sure that everyone could have equitable access to a space. However, they're used a lot in other types of design, like web design, too. So these principles are: equitable use, flexible use, intuitive use, perceptible, error tolerance, minimal stress, and space for use. I will actually be kind of discussing the last two principles as one section, because again, these were originally written for physical spaces, and sometimes those considerations aren't as necessary when you're moving into the digital space, and for those last two especially, the focus for implementing those principles would be on physical security, which I don't feel qualified to talk about. But they would be important to consider, so I'm not leaving them out, and I'm encouraging you to look into them on your own if that's something you're wishing to improve.

So, equitable use. When I worked for the Center for Independent Living, one of our advocacy goals was to move people out of institutions and nursing homes and into their own apartments or houses, basically places where they could have more independence and more personal space. So when we would move these people out, sometimes they didn't have full use of their hands or arms, so we would have to replace the locks on their doors with something they could use: maybe a keypad, maybe something with an RFID scanner and an RFID tag on their wheelchair, or an app on their phone. And say you have a building with all these different types of locks in it; that's an example of equitable use. Everyone can get into their apartment regardless of their needs, their apartments are all secure (for the purposes of this example, let's forget about Internet of Things vulnerabilities), and everyone can choose to lock or unlock their apartment as they come and go. So in security that needs to be thought of too. If someone needs an alternative method to do something, it should be just as secure as another method, as much as possible, and in our area we shouldn't let that hold us back. All people need to be held to the same standards of security, is what I'm trying to say, and I'm actually going to talk about this more in the second principle.

What you will notice is that a lot of these principles feed into one another, and the boundaries aren't like "this is one principle, this is another principle, this is the third principle." No, they ebb and flow between each other, and in my view that seems like something that's purposeful, because, I mean, if you add a ramp to help people in wheelchairs to your building, it also helps people pushing strollers or people carrying heavy boxes or bags. So again, accessibility is not unilateral; if you do one thing, it doesn't just help one group of people. It can help more people outside of the intended target group.

So one of the places I worked, we could do two-factor authentication. You could do it with a password and an SSH key, a password and a one-time password, a password and a text; there are lots of different ways to do this. So if you needed something to suit your workplace, you could set it up. For example, if you don't like to work with your phone nearby, you can be taught how to use the SSH key and set that up properly to the organization's security standards. And again, this is something that could potentially help accessibility, something like this: the same task can be performed multiple ways, such as if you have stairs and an elevator to get up to the second floor of a building. The same task can be performed multiple ways. Just like if someone, for example, doesn't have the dexterity to reach their phone on time but may have the option to store their passwords in a password manager, they could generate some pretty secure passwords for the first authentication and for their SSH key and still have equitable access to the system without undue hardship, especially if they have other adaptive technologies they use that make their computer use just easier, for example, like my screen magnifiers. So as you can see, this can help solidify accessibility and just makes it easier for other people if they don't want to work with their phones, for example.

So the third principle is that it should be intuitive. You see the stop sign; it's about as obvious as could be that it's a warning and that you need to stop what you're doing, especially if you've been raised and you see them a lot. And so in security, you want people to know what information they need to perform a task and where they can go to get information. If you want people to participate in their own security, they need to feel empowered to do so, and they shouldn't have to be forced to remember long lists and long instructions to do so. Intuitive use, one, helps people without disabilities because it cuts short the mental heuristics that would lead people to take shortcuts. However, it also helps people with disabilities, because if you have a learning disability or trouble processing, having reminders that make it easy for you to know what exactly you need to do at any time also prevents you from, one, falling prey to those heuristics, and two, makes it easy and simple and not at all stigmatized for you to get the information you need to perform that task consistently, because it's all right there every single time. And I mean, it doesn't have to look bad if you provide all the information. See the sign-in box: it's simple and clean, but it does help you; you know exactly what goes where and what buttons to press to do what.

The fourth principle is perceptible, and I will be using a personal example recorded off my own computer to demonstrate this. I'm on a travel website and I am paging around with my screen reader. [Music]

It doesn't matter what's in that menu; if every single item I touch is "unnamed link," I can't get anywhere. I can't know what I am being told. It's not helpful, it's not descriptive, and you can't expect people to learn and understand security and updates if the information you provide to them isn't in a format that they can access, or isn't descriptive, or isn't helpful. And that's exactly what you heard right there: that's not helpful, that's not descriptive, that's annoying. That's going to make me go to some other website or ask someone for help, because that's not cool; that's just "unnamed link, unnamed link." So if you want to train people and you want them to know for certain what to do, then you should design your training and your security assessments so that they'll be accessible from the start: one, so that you don't have to go back and change them later when it turns out you do need to train someone with a disability, and two, people have different learning styles, even if you aren't disabled or neurodivergent. If someone likes to listen to audio, they could have the audio in a video or an audio play to go along with the text. If someone is a visual learner, or perhaps their workspace is pretty noisy, they could turn on captions or look at a transcript, and transcripts are especially helpful for deaf-blind people because they could put them into a brailler or a braille display. So again, it's not just people with disabilities that can benefit from this; it is everyone. And if you're assessing people, then make sure that you use an accessible assessment system. That way people aren't singled out as perpetually failing even if they know the information, because if all you hear is "object, object, object," you can't expect to be able to use that information that you were given to convey your understanding of your training material. So again, this doesn't just help people with disabilities; it helps everyone.

So this is one that doesn't seem like it fits with the idea of security, and that is error tolerance. But if you fall off a catwalk, you're not just doomed to die on the ground or to be horribly injured; there's railings. If you fall, you have a chance to catch yourself or to be caught. You're not doomed. Similarly, providing information to people, and not information that violates security (I mean, I just read about the Amazon API vulnerabilities that provided too much information that attackers could potentially use; like, we all know that's a bad thing), but provide enough information for individuals to be able to have feedback on their own behavior, to realize when a consequence will occur, so they know when to get help, when to ask for different adaptations, and are able to have, basically, information that they can act on.

Yeah, I talk a lot about making things accessible, but part of accessibility, at least from my perspective, is that it's something that you have to participate in as well. If I didn't tell people what I needed and expected them to read my mind, well, quite simply, I would not be sitting here in front of you, and I would not have gone to Drexel, because nobody would have been able to help me, no matter how accessible their systems were. And this is also a measure of, again, preventing stigmatization. If someone has a disability, and the way they're using their computer, they have trouble entering a password and they're always getting it wrong, they don't have to constantly call IT; they have a pattern established, again based on that feedback that they've been given, that they can use to realize that maybe they need to ask IT for something different, maybe they need to discuss making a change somehow in their workflow, and that might happen.

So again, principles six and seven are mixed together because I'm no expert in physical security, but say fingerprint scanners; the ones on phones we have today are pretty tiny. So, I mean, if you have a physical disability or other difficulty, you might mess up hitting that, it might be frustrating, it might take you a long time to perform a task that otherwise should take very little time. So there needs to be adequate space for use, but by saying this I really mean that the way a person's workflow is set up should work no matter what needs they have. Do they have an assistant for medical help? Then maybe a policy needs to exist for how to handle the way that person interacts in the workspace, because clearly they're needed, but, I mean, they're not the person doing the work. Or maybe a person is in a wheelchair; how is the workspace set up? If they need to put materials away as part of a physical security measure, can they do that comfortably and easily? Then, if you need to use biometric scanners, can those be moved to the correct heights? And if someone uses adaptive software like I do, are there ways that it's not blocked by firewalls and that it can be used securely? And I mean, sometimes, I know some screen readers and screen magnifiers have this implemented; there are secure modes that can be used. You have to dig to find them, but it's possible. So again, that's evidence that someone's already been thinking about this, that it's already been a priority in some way or some space, and that's good. I think there just needs to be more of that.

So some way that this can be remediated, apart from just considering disabilities at all points of development of security policy and procedure and materials, is to talk to people. Talk to people with disabilities that work in the field. Talk to people with disabilities in places from which you recruit, like universities and the majors from which you recruit. Talk to people from rehabilitation or advocacy organizations, because, I mean, this field is... if everyone in this field was a homogenous clone of each other, new ideas would not be sparked, and we wouldn't have all of the great feedback and ideas that make conferences like BSides so great, because everyone would think the same way. We need people with different life experiences, different challenges, and different ways of thinking in order to keep this field as vibrant as it is and to keep ourselves in the right headspace and thinking dynamically enough to keep ourselves and our assets safe. So talking with people with disabilities tells you about, one, what would help them make the most of security in their workspace and in the workplace, and two, what do they do when they face these situations outside of work and outside of the office, within accessibility, because there's all kinds of disability life hacks, and to be honest, some of them might not be the best for your own security posture if they happen in the workplace. Helping people out by making things more accessible and making sure that they can be active participants in their own security is a really good way to make sure that you don't get stung by someone just trying to get around a system that was never designed for their inclusion.

Another thing to note is that I've spent some time poking around Reddit and on the different disability subreddits. People will ask for help with a school project or for their idea or their small company, and I think that's really cool, but these often, you get a lot of engagement, because the ideas are never implemented; the people are starting from a point where they're already not listening to people with disabilities and whether or not they're satisfied with the tools they already have to accomplish a task; and three, there's no compensation, or at least any signals that they respect these people's time. Nothing changes, no product ever comes out. It's just, people will spend all this time and effort helping them, and just like I had to spend quite some time writing, practicing, and putting together this presentation, like, that's not something you want to do over and over. And plus, there are disabled consultants who are paid for this work. The best thing to do, if you are serious about making a change, is to convey that: make the changes, take the feedback into account, pay consultants, make sure you're serious and that you're not just asking around as a potential token of respect, and that this project doesn't get shelved for four years. By then the people aren't going to want to work with you, because, I mean, all the hard work they put in, it looked like nothing ever happened with it, that it went nowhere, that you didn't listen to them. And honestly, as a person with a disability, I don't go back to working with people like that. I don't try, because it feels like I wasn't listened to, and that's something that, if I want to make a change, I want my voice to be heard.

So that's it, that's all I have. Thank you for watching, and thanks to BSides Philly for having me talk. You can email me at mtb345@drexel.edu or find me on LinkedIn. You can search my name, Madeline Bright, or you can use my username, madelinebright12 (m-a-d-e-l-i-n-e-b-r-i-g-h-t and the number 12). Thank you so much.

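The "perceptible" principle in the talk, and the point about designing sign-in pages, training and assessments to be accessible from the start, can be turned into a check that runs before a page ships. The following is an added example written for this page; it is not the speaker's code or anything from BSides. It scans a constructed sign-in form for links and buttons that a screen reader would announce with no name (the "unnamed link" the talk demonstrates) using a simplified approximation of accessible-name computation (aria-label, then visible text, then contained image alt text, then title). A production audit would use the browser's accessibility tree or a tool such as axe-core; the names `SAMPLE_HTML`, `accessibleName` and `auditAccessibleNames` are this example's own.

```javascript
// Added example (not from the talk): flag links and buttons on a sign-in page
// that a screen reader would announce without a name ("unnamed link").
// A regex tag scanner is used so the example runs offline with no DOM library;
// it is an approximation of the real HTML accessible-name computation.

// Constructed sample markup: a sign-in form with two unlabeled controls.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <a href="/help"><img src="help.svg"></a>
  <a href="/reset" aria-label="Reset your password"><img src="key.svg"></a>
  <button type="submit"><span class="icon-login"></span></button>
  <button type="button" title="Show password"><i class="icon-eye"></i></button>
  <a href="/privacy">Privacy policy</a>
</form>`;

// Read one attribute value out of a tag's attribute string (case-insensitive).
function getAttr(attrs, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[2] ?? m[3] ?? m[4]).trim() : '';
}

// Approximate accessible name: aria-label, else visible text, else alt text of
// any contained <img>, else title. Empty string means "no name".
function accessibleName(attrs, inner) {
  const ariaLabel = getAttr(attrs, 'aria-label');
  if (ariaLabel) return ariaLabel;
  const text = inner.replace(/<[^>]*>/g, '').replace(/\s+/g, ' ').trim();
  if (text) return text;
  const alts = [];
  const imgRe = /<img\b([^>]*)>/gi;
  let im;
  while ((im = imgRe.exec(inner)) !== null) {
    const alt = getAttr(im[1], 'alt');
    if (alt) alts.push(alt);
  }
  if (alts.length) return alts.join(' ');
  return getAttr(attrs, 'title');
}

// Walk every <a> and <button> in the markup and report the ones with no name.
function auditAccessibleNames(html) {
  const findings = [];
  const tagRe = /<(a|button)\b([^>]*)>([\s\S]*?)<\/\1>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, tag, attrs, inner] = m;
    const element = tag.toLowerCase();
    if (!accessibleName(attrs, inner)) {
      findings.push({
        element,
        href: getAttr(attrs, 'href') || null,
        snippet: m[0].replace(/\s+/g, ' ').slice(0, 60),
        announcedAs: element === 'a' ? 'unnamed link' : 'button',
      });
    }
  }
  return findings;
}

// Run against the sample; in CI a non-empty result would fail the build.
const report = auditAccessibleNames(SAMPLE_HTML);
console.log(`${report.length} unnamed control(s) found`);
for (const f of report) {
  console.log(`- <${f.element}> announced as "${f.announcedAs}": ${f.snippet}`);
}
```

Run with `node`. On the sample, the help link (an image with no alt text) and the submit button (an empty icon span) are reported, while the controls carrying an aria-label, a title, or real link text pass. Putting a check like this in front of the login, MFA enrollment and training pages is the cheap way to catch the failure the talk describes before a user with a screen reader does.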