[Sigia-l] time-out session lengths, security, and user tasks

Samantha Bailey a2slb at bellsouth.net
Tue Nov 12 08:34:57 EST 2002


As someone who works for a bank and deals with this issue regularly, I'll
weigh in on the experience we've had. Online banking requires a delicate
balance: our customers are seeking convenience and ease of use (as they
should) and they demand security. A security breach would undermine our
credibility, but worse, it would break the social contract we have with our
customers to protect their information & their money. Subsequently, we err
on the side of security while constantly striving to limit the degree to
which this poses barriers and inconvenience for our customers.

One thing we have consistently found is that users consistently need/want
more time to complete tasks than we initially imagine using the "seems
reasonable" rule of thumb. Often when designing a system we envision our
customers using the system in a focused and linear fashion that puts the
activity at the forefront of their mind. In reality, people often begin
online banking and then have the phone ring, the radio catch their
attention, the baby cry, etc. Furthermore, some online banking processes
(e.g., applications) are inherently complex and can require customers to
seek information mid-process that they didn't realize they would need (even
when you give good 'before you begin' instructions).

Our approach has been security first (yes, we listen to and respect our IT
folks), reasonable guess at appropriate time limits next and then refining
the timing based on user feedback, both in testing and customer
comments/surveys (yes, we bargain and cajole and otherwise work with our IT
folks to push the parameters and come up with new solutions).


Samantha Bailey
samantha at baileysorts.com | http://baileysorts.com

"Do you know what that trick is? Magicians would call it the redirection.
A theologian would note that it parallels a theme found in all religions:
the paradox of turning away from the goal to achieve the goal."
-Karl Fast


----- Original Message -----
From: "karl fast" <karl.fast at pobox.com>
To: "sigia" <sigia-l at asis.org>
Sent: Tuesday, November 12, 2002 12:00 AM
Subject: Re: [Sigia-l] time-out session lengths, security, and user tasks


>
> > Karl, while you address the needs for a specific situation, a bank, and
> > successfully answer the main question, that
> >
> > a) doesn't answer the question in all instances
>
> Yes, though I believe you asked about secure sessions specifically.
> Can you give me a situation for a secure connection where this would
> not apply?
>
> > b) provides little guidance for any notion of "why 20 minutes".
>
> How can I? Obviously 45 days is as unreasonable as 10 seconds. But
> there is no formula for this. You have to make some sort of
> estimate about what's reasonable. Twenty minutes seems reasonable to
> me for many applications, but I have no evidence to back this up. On
> an intranet you might make it more. A bank might make it less (my
> bank has a ten minute timeout).
>
> I don't think anyone can give you a formula to give this a number.
>
> > As someone who has shopped on sites where Broadvision is used, and
> > thus lost shopping carts after having been dormant for 20 minutes,
> > I think my question is fair.
>
> AHHH!!! Now this is different. A shopping cart is not secured and
> shouldn't be set at twenty minutes.
>
> The *checkout* process is secured and it can be set up to have a
> separate timeout value. A short timeout on the checkout is probably
> rooted in assuming that once you decide to buy, i.e., to start the
> checkout process, you are either going to complete the transaction
> or cancel the whole thing (I dunno if this is a valid assumption).
>
> So is your complaint about short timeouts on the shopping cart, or
> the secured checkout process? Or both?
>
> > The degree which people will roll over for issues of security or
> > CPU time distresses me.
>
> Sure. Now to defend the IT people, I'll toss out that the degree to
> which people don't understand basic technical or security issues
> distresses me.
>
> We have so few people who speak both geek and usability, IA,
> interaction design, etc.
>
>
> --karl
>
>
>
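Karl's point above, that the unsecured cart and the secured checkout can carry separate timeouts, as an added example that is not code from the thread or from any of its participants: the anonymous cart and the authenticated step get independent idle clocks plus an absolute ceiling on the authenticated step, and timing out the secured step only steps the session down, so the cart the customer complained about losing survives. The policy values, the session model and the function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy values (not numbers from the thread, which only says the
# cart and the secured checkout can carry separate timeouts).
CART_IDLE = timedelta(hours=4)       # anonymous cart survives long interruptions
AUTH_IDLE = timedelta(minutes=10)    # secured (checkout/banking) step: short idle window
AUTH_ABSOLUTE = timedelta(hours=1)   # hard ceiling on the secured step, active or not

@dataclass
class Session:
    last_seen: datetime
    cart: list = field(default_factory=list)
    authenticated: bool = False
    auth_started: "datetime | None" = None

def touch(s: Session, now: datetime) -> None:
    s.last_seen = now    # activity restarts the idle clocks, not the absolute one

def authenticate(s: Session, now: datetime) -> None:
    s.authenticated, s.auth_started, s.last_seen = True, now, now   # step up (login/checkout)

def auth_valid(s: Session, now: datetime) -> bool:
    return bool(s.authenticated and s.auth_started is not None
                and now - s.last_seen <= AUTH_IDLE
                and now - s.auth_started <= AUTH_ABSOLUTE)

def enforce(s: Session, now: datetime) -> str:
    """Apply both policies; losing the secured state must not discard the cart."""
    if s.authenticated and not auth_valid(s, now):
        s.authenticated, s.auth_started = False, None   # step down, cart intact
    if now - s.last_seen > CART_IDLE:
        s.cart.clear()                                   # only now is the cart lost
        return "expired"
    return "authenticated" if s.authenticated else "anonymous"

def scenario() -> list:
    """Constructed timeline: an interrupted checkout, then a long absence."""
    t0 = datetime(2002, 11, 12, 8, 0)
    s = Session(last_seen=t0, cart=["book"])
    authenticate(s, t0)
    states = [enforce(s, t0 + timedelta(minutes=5))]       # still in checkout
    states.append(enforce(s, t0 + timedelta(minutes=20)))  # phone rang: stepped down
    states.append(list(s.cart))                            # but the cart survives
    authenticate(s, t0 + timedelta(minutes=20))
    touch(s, t0 + timedelta(minutes=75))                   # active, yet past the ceiling
    states.append(enforce(s, t0 + timedelta(minutes=81)))
    states.append(enforce(s, t0 + timedelta(hours=6)))     # now the cart itself is gone
    return states + [list(s.cart)]
```

Running `scenario()` walks the cart through a stepped-down checkout, an absolute-ceiling expiry and finally the cart's own expiry, so the two timeouts can be tuned independently from customer feedback.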
