Month: February 2024

Security – but where is the usability?

I wrote earlier about the threats that are currently attacking the computer systems in our society, and we can also see that there are new attempts at increasing the security of the systems. However, there is an inherent problem in computer security, namely the transparency and usability of the systems. It seems that it is very difficult to create security systems that are easy to use. We have been used to writing our passwords on sticky notes and pasting them on the screen, and we put our PIN codes on small paper notes in the wallet so that we will not forget them when we really need them. The reason for this is of course that the passwords, in order to be strong, have to be more than impossible to remember. Even worse is that in order to be really safe (according to the professional advice), you should have different passwords everywhere. And there are also all the many PIN codes to all the cards we have.

One important property of the human being is the limitation of memory. We have problems remembering meaningless things, such as the recommended password: “gCjn*wZEZK^gN0HGFg4wUAws”. So people tend not to have that kind of password, which of course leads to decreased security. Well, in some sense we also solved this problem by adding two-step verification, i.e., the “if-you-don’t-have-your-phone-you-are-lost”-verification. This, of course, has to be interleaved with “find a motorcycle” or “find the traffic lights” games, to prove that you are not a robot (!).

Now it has become better, we have biometric security. We use the fingerprint or facial recognition methods. Only problem is that after a day of work in the garden, the fingerprints are no longer recognizable, and after a severe accident, the face may not look at all like yourself anymore, so you cannot call your family to say that you are OK. Well, at least it is safe, isn’t it?

Yes, but not when it comes to the current means for BankID, the virtual identification used in Sweden. Yes, of course it works when you want to log into your bank in order to handle your affairs. It is an accepted identification method. BUT not when you want to move your BankID to a new telephone! To do so, you now (after the last change) have to scan your passport or national ID-card. The most common means of identification, which in Sweden is your driver’s license, is on the other hand NOT accepted.

You might think that this should not be a problem, since everybody will surely have a passport today? But, no, that is not the case. As anecdotal evidence I will relate my father’s situation:

My father just turned 90 years old. He is still a young man in an old body, so he has an iMac, an iPad, a laser printer, etc. at home. He is in fact a quite heavy tech user for his age. He also had an old smartphone that started to lose its battery charging, so he was given a new smartphone as one of the birthday presents. The transfer of the data went smoothly and without any hiccups, until it was time to use the BankID on the new phone. It was of course not transferred. Thus, we ordered a new BankID on his bank and signed it with his BankID on his new phone. But now…

Who is being excluded by the design?

My father decided to quit driving several years ago. However, he still kept his driver’s license and even had it renewed without problems. Although being an ex-globetrotter he also reckoned that he needs no passport any more. So, when I asked him for an ID, he produced the driver’s license. That did of course not work, although it is valid as identification in most other places. It was not an option to go to the bank and identify himself. They cannot validate the BankID. It has to be done through the web page and the app. Sorry!

So, now I have to take my father through the heavy cold and snow to the police station to have a new passport, which is only going to be used one single time, that is, in order to install the BankID. Where is the user-friendly procedure in this?

I would think that my father is not the only person who is using the driver’s license as identification. I assume that many older people, for example, will have a similar problem when they need to get a new BankID (provided that they even use a smartphone).

Where is the human-friendly procedure for establishing the identity? Why can we, for example, no longer trust the people at the bank to identify a person with a valid identification and flick a switch to accept the ID? To make the issue a bit more general: Where has the consequence analysis gone when we make this kind of decision? Or even better stated:

Who is going to be excluded by the new design or decision?

How vulnerable are we?

This post was actually started in late 2023, when the Swedish Church had become the victim of a cyberattack with ransomware, which took place November 22. The church organization at that time decided that it will not pay the ransom (in order not to make this a successful attack) but will instead recover the systems manually over time. However, this recovery takes a lot of time, and as long as the systems are not completely recovered, it is not possible to make any bookings for baptizing and weddings. In case of a funeral, it has still been possible to make a booking, but the data had to be taken down using pen and paper (i.e., post-it notes).

We are very vulnerable if we only depend on our digital systems.

Head of information services at the Swedish church

In Sweden, the church has been separated from the government, but it is also still responsible for a number of national and regional bookkeeping services, like funerals. Also, a large number of people will still use the church services for baptizing and weddings, where in the latter case it also fulfills its role as an official administrative unit, in parallel with the weddings that are registered by the government. Suffice it to say that the church depends heavily on digital administration for its work. Consequently, some parts of Swedish society also depend on the same computer systems being intact.

More attacks…

In 2024, there have now been a number of similar events, mostly through the use of ransomware, but also with overloading web servers. The systems affected this time have been in other organizations and governmental institutions. The most famous of them this time is probably the HR management system Primula, which is also used by the defense organizations and industries, among many others (including universities). This time the attacks are suspected to be made by Russian hackers, possibly as part of a destabilization campaign as part of the ongoing war in Ukraine.

Again, the main issue is not that there have been attacks that have been successful, but rather that the backup systems are insufficient or, in most cases, seemingly missing. Hopefully the systems will soon be up and running again, but if there is an attack on systems that are more central to the functions in society, then the problem is not only in small organizations, but may affect larger systems including systems for money transfers. Recently shops have been forced to close, when there have been longer problems with the money services.

In this context it is also important to point to the problem with paying. The Swedish Civil Contingencies Agency (MSB), which is responsible for helping society prepare for major accidents, crises and the consequences of war, recently sent out a message to the public, advising them to always have at least 2000 SEK in cash at home. The question is whether society is prepared to revert to using cash for transactions. A large number of shops and services no longer accept cash as payment.

What now

When interviewed, the head of the information service for the Swedish church said that one lesson they have learned from this event is that they have to be less dependent on computer services than before. He did not specify how in any more detailed way, but the message was more or less clear: “We are very vulnerable if we only depend on our digital systems”. His conclusion is neither new, nor especially controversial. When our computer systems or the Internet fails, we are more or less helpless in many places. However, most of the time, the threats are envisioned in terms of disk crashes, physical damage or other similar factors. The increased risk of cyber attacks is not mentioned to the public to any larger extent.

We depend on our IT-support units to handle any possible interrupt as fast as possible, but the question is whether this is enough. Are there backups of the data? Are there backup systems that are ready to be launched in case the old system is failing? Are there backup non-computer based procedures that can replace the computer systems if there is a longer breakdown of the computer systems? Even if it is costly to maintain these backup systems/procedures, it is quite likely that we will need to add a higher level of security in order to not end up with a social disaster, where a large part of the society is essentially incapacitated.

What are the consequences?

We can just imagine what would happen if, as mentioned above, the central systems for bank transfers fail badly or get “cyber-kidnapped”. Credit cards will not work, neither will mobile money transfers or other electronic payment options. There will be no way to pay our bills, and we may not even get the bills at first hand. Probably even the ATM machines will cease to work, so that there is no possibility to get cash either. Imagine now that this failure will last for days and weeks. What are the consequences?

But we don’t have to look at this national disaster scenario. It is enough to think about what will happen if the computer systems in universities or other large organizations are attacked by cyber-criminals. Not to mention the effects on critical health care, where minutes and seconds can count. Do we have any possibilities to continue the work, reaching journals or other important documents, schedule meetings, planning operations and other important events? Are we really ready to start working on paper again, if necessary? I fear not!

With the current situation in the world, with wars and possibly also challenges from deteriorating environmental factors, a lack of emergency plans for our digital systems may not only be causing serious problems, but may really turn out to be disastrous in case of any larger international crisis. Looking at what happens around the world currently, it is easy to see that the risk for cyber-attacks in international crisis situations has increased to a high degree. In many cases the (possible) plans on how to proceed are not known to people who work in the organizations. Is your work protected? Do you know what to do if the systems fail?

Unfortunately, we cannot continue to hope that “this will never happen”. Even if the most extreme of the possible scenarios may not happen, we are still very vulnerable to attacks, e.g., with ransomware or “Denial of service” from “normal cyber-criminals” and this can be just as bad on the local scene, when a whole organization is brought to a halt due to a computer system failing badly. Therefore we need to be acting proactively in order to not be stuck if/when the systems fail. Because, it is quite certain that they will fail at some point of time.

And how will YOUR organization handle that kind of situation? Do YOU know?

A Path to a Brighter Future: Understanding the Relationship Between Software Quality and Sustainability


Sustainable development is the development that meets the needs of the present without compromising the ability of future generations to meet their own needs.

Gro Harlem Brundtland, 1987

In recent years, sustainability has emerged as a critical concern in various domains. While environmental sustainability remains a focal point, sustainability also encompasses social and economic dimensions. In our technologically driven society, our daily lives involve a growing number of digital needs, so researching how to create sustainable software is important. This research area has many gaps to explore.

One aspect of software sustainability can be seen in this example: software that crashes frequently is not sustainable. The user will think this product is low-quality and will probably stop using it. However, the relationship between software quality and sustainability is not always this obvious. Also, sometimes trade-offs between sustainability and quality may be necessary, necessitating a comprehensive understanding of this relationship.

One area where software sustainability and quality have a positive relationship is cost efficiency. Well-crafted code typically requires less maintenance and suffers from fewer defects, translating to reduced operational costs over the software’s lifecycle. Moreover, code optimization and energy-efficient design further contribute to long-term savings, aligning with sustainability goals.

Software sustainability also encompasses social aspects, extending beyond technical considerations. Clean, understandable code not only facilitates collaboration among developers but also can foster a supportive community around the software. The societal impact can also include the software user if the software includes a social influence.

At the center of software sustainability lies the need to understand and address the needs of end-users. By prioritizing quality and sustainability, developers can deliver products that not only meet user expectations but also foster trust and loyalty among stakeholders. This user-centric approach enhances the software’s longevity and cultivates a sense of responsibility towards its societal and environmental impacts.

By embracing a focus on quality and sustainability, software products should be evaluated by more than their functionality. Focusing on sustainability and quality not only benefits end-users but also contributes to the well-being of companies, society, and the environment at large. I look forward to sharing more as the research progresses.

Maria Normark has joined the AROA project

Maria will be conducting research on work engagement within the realm of automation and AI, specifically within the field of rail traffic. Her particular interest lies in exploring the evolving division of labor between humans and technology, examining how AI will reshape work practices, and the potential risks of diminishing the meaningfulness of work. While automation has traditionally targeted repetitive and time-consuming tasks such as administration, monitoring, and manufacturing, the emergence of generative AI introduces new possibilities. This technology can now be applied in novel domains, offering solutions that partly replace professional intuition and creativity. Maria is interested in questions concerning the implications of this shift for future work engagement, how professionals will navigate this new landscape of labor division, and the role of embodied interaction within it.

As an associate professor in the Human-Computer Interaction (HCI) group at the Department of Informatics and Media, Uppsala University, Maria Normark’s research centers on fields such as critical design and Computer-Supported Cooperative Work (CSCW).

Research Update: Exploring Work Engagement in the Age of Automation, Robotics, and AI

In the fast-paced world of technology and automation, keeping a close eye on how these advancements affect the workforce’s engagement and dynamics is essential. The “ARbetsengagemang vid autOmatisering, robotisering och AI” (AROA) project aims to illuminate this crucial aspect of our work. In this blog post, we’ll delve into the project’s first-year report and its progress.

AROA’s journey began with a literature review, where we scoured existing knowledge. This review aimed to identify critical knowledge gaps and relevant research to serve as the project’s foundation.

Collaboration is at the heart of AROA’s approach. In pursuit of comprehensive insights, they formed a reference group of stakeholders from various sectors. This diverse group of participants would be instrumental in shaping the project’s direction. AROA organised a dynamic full-day workshop to facilitate open dialogue and receive feedback.

Moreover, we did field studies to understand the real-world impact of automation and AI by conducting in-depth interviews and fieldwork within the agriculture and railway sectors. These empirical studies offered a closer look at how workers in these sectors were experiencing the transformative effects of technology firsthand.

In August 2023, AROA welcomed a doctoral student, strengthening their research capabilities. Additionally, the addition of Associate Professor Maria Normark brings even more depth to the project’s knowledge base.

These highlighted areas showcase AROA’s first-year progress. As the project evolves, it continues to illuminate the nature of work engagement in the automation, AI, and robotics age.