1 LECTURE 11: User Interface and System Security and Controls ITEC 3010 “Systems Analysis and...

1

LECTURE 11:LECTURE 11:User Interface and System Security User Interface and System Security

and Controlsand Controls

ITEC 3010 “Systems Analysis and Design, I”

[Prof. Peter Khaiter]

2

TopicsTopics

Inputs and OutputsInputs and Outputs User and System InterfaceUser and System Interface User-Centered DesignUser-Centered Design Metaphors for HCIMetaphors for HCI Designing System InputsDesigning System Inputs Designing System OutputsDesigning System Outputs Designing Integrity Controls Designing Integrity Controls Designing Security Controls Designing Security Controls Managing User Access Managing User Access Data Security Data Security

3

Identifying and Classifying Identifying and Classifying Inputs and OutputsInputs and Outputs

Identified by analyst when defining system scope

Requirements model produced during analysis

Event table includes trigger to each external event

Triggers represent inputs

Outputs are shown as responses to events

4

Traditional and OO Approaches to Traditional and OO Approaches to Inputs and OutputsInputs and Outputs

Traditional approach to inputs and outputs

Shown as data flows on context diagram, data flow diagram (DFD) fragments, and detailed DFDs

OO approach to inputs and outputsDefined by message entering or leaving systemDocumented in system sequence diagram (SSD)Actors provide inputs for many use casesUse cases provide outputs to actors

5

User versus System InterfaceUser versus System Interface

System interfaces – I/O requiring minimal human interaction

User interfaces

I/O requiring human interaction

User interface is everything end user comes into contact with while using the system

To the user, the interface is the system

Analyst designs system interfaces separate from user interfaces

Requires different expertise and technology

6

Understanding the User InterfaceUnderstanding the User Interface

Physical aspects of the user interfaceDevices touched by user, manuals, documentation, and forms

Perceptual aspects of the user interfaceEverything else user sees, hears, or touches such as screen objects, menus, and buttons

Conceptual aspects of the user interfaceWhat user knows about system and logical function of system

7

Aspects of the User InterfaceAspects of the User Interface

8

User-Centered DesignUser-Centered Design

Focus early on the users and their work by focusing on requirements

Usability - system is easy to learn and use Iterative development keeps focus on

userContinually return to user requirements and evaluate system after each iteration

Human-computer interaction (HCI) Study of end users and interaction with computers

Human factors engineering (ergonomics)

9

Metaphors for Metaphors for Human-Computer InteractionHuman-Computer Interaction

Direct manipulation metaphorUser interacts with objects on display screen

Document metaphorComputer is involved with browsing and entering data in electronic documentsWWW, hypertext, and hypermedia

Dialog metaphorMuch like carrying on a conversation

10

Desktop Metaphor Based on Direct Desktop Metaphor Based on Direct Manipulation Shown on Display Manipulation Shown on Display ScreenScreen

11

Document Metaphor Shown as Document Metaphor Shown as Hypermedia in Web BrowsersHypermedia in Web Browsers

12

Dialog Metaphor Expresses the Dialog Metaphor Expresses the Messaging ConceptMessaging Concept

13

Guidelines for Designing User Guidelines for Designing User InterfacesInterfaces

VisibilityAll controls should be visibleProvide immediate feedback to indicate control is responding

AffordanceAppearance of control should suggest its functionality – purpose for which it is used

System developers should use published interface design standards and guidelines

14

Eight Golden Rules for Eight Golden Rules for Interactive Interface DesignInteractive Interface Design

15

Documenting Dialog DesignsDocumenting Dialog Designs

Done simultaneously with other system activities

Based on inputs and outputs requiring user interaction

Used to define menu hierarchy Allows user to navigate to each dialogProvides overall system structure

Storyboards, prototypes, and UML diagrams

16

Overall Menu Hierarchy Design:

Each Use Case is Listed Under a Menu

Utilities, Preferences, and Help Are Added

17

Dialogs and StoryboardsDialogs and Storyboards

Many methods exist for documenting dialogs

Written descriptions following flow of activities like in use case description

Narratives

Sketches of screens

Storyboarding – showing sequence of sketches of display screen during a dialog

18

Storyboard for the Downtown Videos Rent Videos Dialog

19

Guidelines for Designing Guidelines for Designing Windows and Browser FormsWindows and Browser Forms

Each dialog might require several windows forms

Standard forms are widely available

Windows: Visual Basic, C++, C#, Java

Browser: HTML, VBScript, JavaScript, ASP, Java servlets

Implementation

Identify objectives of form and associated data fields

Construct form with prototyping tools

20

Form Design IssuesForm Design Issues

Form layout and formatting consistencyHeadings, labels, logosFont sizes, highlighting, colorsOrder of data-entry fields and buttons

Data keying and data entry (use standard controls)

Text boxes, list boxes, combo boxes, and so on Navigation and support controls Help support – tutorials, indexes, context-

sensitive

21

Design for RMO Phone-Order Design for RMO Phone-Order DialogDialog

Steps in dialog models

1. Record customer information

2. Create new order

3. Record transaction details

4. Produce order confirmation

Traditional approach – use structure charts

OO approach – expand SSD to include forms

22

Required Forms for RMORequired Forms for RMO

Main menu

Customer

Item search

Product detail

Order summary

Shipping and payment options

Order confirmation

23

Design Concept for Sequential Design Concept for Sequential Approach to Approach to Create New OrderCreate New Order DialogDialog

24

Design Concept for Order-Centered Design Concept for Order-Centered Approach to Approach to Create New OrderCreate New Order DialogDialog

25

Prototype Main Menu Form for Prototype Main Menu Form for Order-Centered Approach to DialogOrder-Centered Approach to Dialog

26

Order Summary and Product Order Summary and Product Detail FormsDetail Forms

27

Completed Order Summary and Completed Order Summary and Shipping Payment FormsShipping Payment Forms

28

Identifying System InterfacesIdentifying System Interfaces

System interfaces are broadly defined as inputs or outputs with minimal or no human intervention

Inputs from other systems (messages, EDI)Highly automated input devices such as scannersInputs that are from data in external databasesOutputs to external databasesOutputs with minimal HCIOutputs to other systemsReal-time connections (both input and output)

29

Just for Fun!Just for Fun!

http://www.informationaddicts.com

30

Full Range of Inputs and OutputsFull Range of Inputs and Outputs

31

Design of System InputsDesign of System Inputs

Identify devices and mechanisms used to enter input

High-level review of most up-to-date methods to enter data

Identify all system inputs and develop list of data content for each

Provide link between design of application software and design of user and system interfaces

Determine controls and security necessary for each system input

32

Input Devices and MechanismsInput Devices and Mechanisms

Capture data as close to original source as possible

Use electronic devices and automatic entry whenever possible

Avoid human involvement as much as possible

Seek information in electronic form to avoid data re-entry

Validate and correct information at entry point

33

Prevalent Input Devices to Avoid Prevalent Input Devices to Avoid Human Data EntryHuman Data Entry

Magnetic card strip readers Bar code readers Optical character recognition readers

and scanners Radio-frequency identification tags Touch screens and devices Electronic pens and writing surfaces Digitizers, such as digital cameras and

digital audio devices

34

Defining the Details of System Defining the Details of System InputsInputs

Ensure all data inputs are identified and specified correctly

Can use traditional structured modelsIdentify automation boundary

Use DFD fragmentsSegment by program boundaries

Examine structure chartsAnalyze each module and data coupleList individual data fields

35

Automation Boundary on a Automation Boundary on a System-Level DFDSystem-Level DFD

36

Create New OrderCreate New Order DFD with DFD with an Automation Boundaryan Automation Boundary

37

List of Inputs for Customer List of Inputs for Customer Support SystemSupport System

38

Data Flows, Data Couples, and Data Elements Making Up Inputs

39

Using Object-Oriented ModelsUsing Object-Oriented Models

Identifying user and system inputs with OO approach has same tasks as traditional approach

OO diagrams are used instead of DFDs and structure charts

System sequence diagrams identify each incoming message

Design class diagrams and sequence diagrams identify and describe input parameters and verify characteristics of inputs

40

Partial System Sequence Diagram Partial System Sequence Diagram for Payroll System Use Casesfor Payroll System Use Cases

41

System Sequence Diagram for System Sequence Diagram for Create New OrderCreate New Order

42

Input Messages and Data Input Messages and Data Parameters from RMO System Parameters from RMO System Sequence DiagramSequence Diagram

43

Designing System OutputsDesigning System Outputs

Determine each type of output

Make list of specific system outputs required based on application design

Specify any necessary controls to protect information provided in output

Design and prototype output layout

Ad hoc reports – designed as needed by user

44

Defining the Details of System Defining the Details of System OutputsOutputs

Types of reportsPrinted reportsElectronic displaysTurnaround documents

Can use traditional structured models to identify outputs

Data flows crossing automation boundaryData couples and report data requirements on structure chart

45

Table of System Outputs Based on Table of System Outputs Based on Traditional Structured ApproachTraditional Structured Approach

46

Using Object-Oriented ModelsUsing Object-Oriented Models

Outputs indicated by messages in sequence diagrams

Originate from internal system objects Sent to external actors or another external system

Output messages based on an individual object are usually part of methods of that class object

To report on all objects within a class, class-level method is used that works on entire class

47

Table of System Outputs Based Table of System Outputs Based on OO Messageson OO Messages

48

Designing Integrity ControlsDesigning Integrity Controls

Mechanisms and procedures built into a system to safeguard it and information contained within

Integrity controlsBuilt into application and database system to safeguard information

Security controlsBuilt into operating system and network

49

Objectives of Integrity ControlsObjectives of Integrity Controls

Ensure that only appropriate and correct business transactions occur

Ensure that transactions are recorded and processed correctly

Protect and safeguard assets of the organization

Software

Hardware

Information

50

Points of Security and Integrity Points of Security and Integrity ControlsControls

51

Input Integrity ControlsInput Integrity Controls

Used with all input mechanisms Additional level of verification to help

reduce input errors Common control techniques

Field combination controlsValue limit controlsCompleteness controlsData validation controls

52

Database Integrity ControlsDatabase Integrity Controls

Access controls

Data encryption

Transaction controls

Update controls

Backup and recovery protection

53

Output Integrity ControlsOutput Integrity Controls

Ensure output arrives at proper destination and is correct, accurate, complete, and current

Destination controls - output is channeled to correct people

Completeness, accuracy, and correctness controls

Appropriate information present in output

54

Integrity Controls to Prevent FraudIntegrity Controls to Prevent Fraud

Three conditions are present in fraud cases

Personal pressure, such as desire to maintain extravagant lifestyle

Rationalizations, including “I will repay this money” or “I have this coming”

Opportunity, such as unverified cash receipts

Control of fraud requires both manual procedures and computer integrity controls

55

Fraud Risks and Prevention Fraud Risks and Prevention TechniquesTechniques

56

Designing Security ControlsDesigning Security Controls

Security controls protect assets of organization from all threats

External threats such as hackers, viruses, worms, and message overload attacks

Security control objectives

Maintain stable, functioning operating environment for users and application systems (24 x 7)

Protect information and transactions during transmission outside organization (public carriers)

57

Security for Access to SystemsSecurity for Access to Systems

Used to control access to any resource managed by operating system or network

User categoriesUnauthorized user – no authorization to accessRegistered user – authorized to access systemPrivileged user – authorized to administrate system

Organized so that all resources can be accessed with same unique ID/password combination

58

Users and Access Roles to Users and Access Roles to Computer SystemsComputer Systems

59

Managing User AccessManaging User Access

Most common technique is user ID / password Authorization – Is user permitted to access? Access control list – users with rights to access Authentication – Is user who they claim to be? Smart card – computer-readable plastic card with

embedded security information Biometric devices – keystroke patterns,

fingerprinting, retinal scans, voice characteristics

60

Data SecurityData Security

Data and files themselves must be secure Encryption – primary security method

Altering data so unauthorized users cannot view Decryption

Altering encrypted data back to its original state Symmetric key – same key encrypts and

decrypts Asymmetric key – different key decrypts Public key – public encrypts; private

decrypts

61

Symmetric Key EncryptionSymmetric Key Encryption

62

Asymmetric Key EncryptionAsymmetric Key Encryption

63

Digital Signatures and CertificatesDigital Signatures and Certificates

Encryption of messages enables secure exchange of information between two entities with appropriate keys

Digital signature encrypts document with private key to verify document author

Digital certificate is institution’s name and public key that is encrypted and certified by third party

Certifying authorityVeriSign or Equifax

64

Using a Digital CertificateUsing a Digital Certificate

65

Secure TransactionsSecure Transactions

Standard set of methods and protocols for authentication, authorization, privacy, integrity

Secure Sockets Layer (SSL) renamed as Transport Layer Security (TLS) – protocol for secure channel to send messages over Internet

IP Security (IPSec) – newer standard for transmitting Internet messages securely

Secure Hypertext Transport Protocol (HTTPS or HTTP-S) – standard for transmitting Web pages securely (encryption, digital signing, certificates)

66

The End!The End!

http://www.visualjokes.com