Shostack + Friends Blog Archive


Hans Monderman and Risk

Zimran links to an excellent long article on Hans Monderman [link to no longer works] and then says:

When thinking about human behavior, it makes sense to understand what people perceive, which may be different from how things are, and will almost certainly be very different from how a removed third party thinks them to be. Traffic accidents are predominantly caused by people being inattentive. Increase the feeling of risk, and you increase the attention. I know when I am in traffic on my bike, I’m hyper-vigilant, and this has made me a better car driver.

Some interesting quotes from the article:

Without bumps or flashing warning signs, drivers slowed, so much so that Monderman’s radar gun couldn’t even register their speeds. Rather than clarity and segregation, he had created confusion and ambiguity. Unsure of what space belonged to them, drivers became more accommodating. Rather than give drivers a simple behavioral mandate — say, a speed limit sign or a speed bump — he had, through the new road design, subtly suggested the proper course of action. And he did something else. He used context to change behavior. He had made the main road look like a narrow lane in a village, not simply a traffic-way through some anonymous town.

On Kensington High Street, a busy thoroughfare for pedestrians, bikes, and cars, local planners decided to spruce up the street and make it more attractive to shoppers by removing the metal railings that had been erected between the street and the sidewalk, as well as “street clutter,” everything from signs to hatched marks on the roadway. None of these measures complied with Department for Transport standards. And yet, since the makeover there have been fewer accidents than before. Though more pedestrians now cross outside crosswalks, car speeds (the fundamental cause of traffic danger) have been reduced, precisely because the area now feels like it must be navigated carefully.

We talk about Monderman’s thinking about risk in the New School, and I wanted to talk a little about the implications for computer security. The idea of giving a user experience a sense of place is a great one, if we could constrain it to the good guys. Unfortunately, bad guys can design their websites to look like a narrow lane in a village, a welcoming mall, or whatever else they want. The designer of a space can make you feel safe or feel like you must navigate carefully.

What do you think phishers are going to do?

4 comments on "Hans Monderman and Risk"

  • Allan says:

    From the article and my limited understanding of Monderman (from New School, mainly) I see two possible interpretations that appear to be directly contradictory:
    1) Removing common signals separates us from the common trope and increases awareness because we have to actively engage in the activity: e.g. remove hatched marks in roadways so we have to pay attention to other traffic.
    2) Changing the signals we receive links us to different context which activates other *automatic* instincts, e.g. we drive differently in a village.
    In some instances, there is no obvious difference between these two interpretations: people drive safer.
    But if we’re trying to implement these ideas in a different context, it’s critical to understand the distinction. #1 is a redesign, while #2 is only a patch. From a behavioral perspective, the new mental models we build following #2’s recontextualization may have its own weaknesses and vulnerabilities, whereas #1 implies a certain understanding of the situation. #1 involves understanding that phishing is a fairly small risk if you pay attention to how you reach a given site. #2 is just getting scared of online banking and looking for the lock icon.
    Another level to think about this is detecting low-likelihood events. What we’ve effectively done for, say, airport security follows the Monderman model. The normal flows and contexts that keep things moving along have been removed, and everyone is a threat. At the personal level, we’ve removed the contextual clues so every laptop or photographer is a threat. Most of your readers probably think this is the wrong approach.
    For security, the trick seems to have the tools to help people recontextualize at the appropriate time, in the appropriate way. (This is not a new idea, of course!)

  • I don’t buy this at all. When a road looks like a small village, most people are distracted. This is not a safety concern/reaction, but just one of leisure. That is why they slow down to look around. As they become more determined, and unconcerned/disconnected with their environment, they speed. Features and posted rules are practically irrelevant to curiosity and other more human objectives.
    What this really proves is that the British culture of trying to dominate the environment and coddle people into bureaucratic control zones through fines and signs actually makes things less safe than a more natural/efficient order.
    Birds flying in a flock might seem chaotic to the officials placed in charge of air affairs, but a naturalist will realize that it is more orderly and safe than anything the state could possibly design.

  • Chris says:

    I read about engineers successfully slowing traffic down by leaving a small child’s bicycle in plain view leaning against a street lamp.
    I also read about drivers giving unhelmeted bicycle riders a wider berth than those wearing helmets.
    What this means about a bank’s web site I am not so sure, however.

  • Jim Burrows says:

    One thing that it means for security is that when we tell the uninitiated that the lock or the green bar means they are safe we do them a disservice. All it means is that you know, or perhaps even that you can know who it is you are talking to. Make them feel too safe and they will do unsafe things.
    The problem is that it is to all of eCommerce’s immediate advantage to convince people that they are safe and can spend lots of money in that market and it is to the advantage of Browser makers to claim to have radical new features that make the user safer and to the advantage of CAs to be able to charge more for an EV SSL cert than a regular one. And so lots of people have lots of motive to gloss over the difference between “safer” and “safe”.
    It also means that repeated stories about the vulnerability of DNS and BGP and Charlie or Oyster Cards actually help build a healthy skepticism.
    Pre-911 we just told airline passengers that the safe thing to do was to go along with hijackers. Crews weren’t just told that, they were ordered to go along. It led to complacency. It also increased the trauma of being shocked into a world suddenly seen as unsafe.
    The trick is how to sell products and strategies that help the user to understand that they have to take care and to make it easier for them to do so rather than products that make them feel unwarrantedly safe, comfy and complacent.
    Aye, there’s the rub.
