News / June 2018

CLTC Grantee Q&A: Cybersecurity and Data Vulnerability in Mobile Sensing Devices

Euiyoung Kim and Alice M. Agogino

Alice M. AgoginoDanielle PorehEuiyoung Kim, and Matilde Bisballe Jensen recently had their CLTC-funded research published on the Design Society website. In their paper, “Novice Designers’ Lack of Awareness To Cybersecurity and Data Vulnerability in New Concept Development of Mobile Sensing Devices,” the researchers focus on the privacy awareness of particularly vulnerable users of mobile sensing devices and co-robots in domestic settings. Drawing upon user approaches to phishing and malware in the online domain, the researchers aimed to create relevant guidelines on cybersecurity behavior for private users, and to inform designers on how to more effectively build cybersecurity awareness and features into their product design.

Matilde Bisballe Jensen and Danielle Poreh

In the abstract of the paper, the authors assert that “As more mobile sensing devices are introduced in the market, the risks associated with cybersecurity increase. Our research goal is to shed light on novice designers’ awareness to these risks with a focus on the sensing device design.” The researchers coded qualitative data from teams of design students at UC Berkeley to see how carefully they took data vulnerability of their created solutions into account. “The results reveal that novice design students did not pay much attention to the data vulnerability of their new solutions, in spite of numerous prompts for them to do so.”

What led you to pursue this research topic?

Mobile sensing and co-robots are emerging technologies that are predicted to have exponential growth in a range of markets: for example, they can be used in surveillance, connected home, personal monitoring, education, entertainment, health care, and even car sharing. As more and more devices are introduced in the market, the risks associated with cybersecurity is also increasing as these devices collect sensitive information about users and their environments. It becomes more problematic when the devices are hacked. In our research, we wanted to explore how we, as design educators, can inculcate future designers so that cybersecurity is considered in the process of product development. By doing so, the risks become more conspicuous to the end users, thus more preventable.

How would you boil down the key findings of your research?

In our research we evidenced low cybersecurity awareness of student design teams in a new product design course. We also observed that design teams in the class rarely explicitly identified user needs associated with data security or privacy. Thus, the research team concluded that we needed to further investigate (1) the trade-offs between ease of use / performance and cybersecurity around new product development and (2) how cybersecurity awareness varies across different user populations and application areas.

Your research suggests that novice design students struggle to integrate security when designing tools. Why do you think this is?

Current design courses in higher education rarely explicitly include cybersecurity content, mostly focusing on product innovation, functionality, or usability. We assume that the lack of cybersecurity curricula in product design courses has resulted in the lack of product design students’ awareness in design issues around cybersecurity. We believe it is critical to add cybersecurity in product design education and translation to practice.

Your research focuses in part on co-robots. What are co-robots, and why is it important to consider their security?

In our research, we define co-robots as collaborative robots that are designed to co-exist with people, and that may collect sensitive information about users or their environment through devices such as mobile phones, laptops, smart speakers, monitoring cameras or robot toys.

In general, why do you think product makers fail to make it easy for users to manage the cybersecurity and privacy settings on technologies they design?

Users are worried about their unintentional data disclosure while using their devices.

Manufacturers of products have not appropriately address this issue, partially because there were no negative impacts for them directly in the past. But recent negative publicity about notable breaches has greatly increased concerns from the public about unintentional data disclosure. For instance, we remember an account of seeing a picture of Mark Zuckerberg in his office, with a covered laptop camera and microphone jack with tape. We see more people trying to cover their laptops with a small Post-it. It’s simply not an ideal solution. Product makers could have taken more attention to the way proactive users manage their cybersecurity. Since such risks on cybersecurity are often invisible to the user, we, product designers, need more deliberation to make risks more conspicuous and tangible.

Who is the ideal intended audience for this research, and what are they key lessons you hope that audience will learn from your work?

We understand that most current cybersecurity campaigns have not led to improvements in cybersecurity behavior. While cybersecurity topics are mostly covered in the Computer Science curricula, they aren’t in tangible product design courses such as Mechanical Engineering, Product Design, and other Technology related courses. Rather than traditional cybersecurity research that focus on the end-user perspectives, there is a need to develop design guidelines and educational materials for future product and service designers. Teaching how to make the cost of trade-offs between usability and secure data features that are less prevalent should be further investigated. The main audience for our research is not only the cybersecurity community, but also communities involved in product design and manufacturing who are primarily dealing with personalized data in the creation of their own tangible products and/or services.

What are your next steps, and what are your near- and long-term goals for this research?

In collaboration with CLTC (Center for Long-term Cybersecurity) at UC Berkeley, we want to (1) develop cybersecurity educational materials, (2) conduct another experiment in a product design course in summer 2018, similar to the course we studies last year but this year we will plan on providing product design students with more explicit interventions of cybersecurity awareness throughout the course, and (3) compare the results of data sets between these two classes and examine the differences and similarities in designer’s implication of the cybersecurity awareness.