How to Create Fast, Searchable Notes for Real-Time Research

Recently, we’ve been working on a fast-paced product redesign. To ensure that we’re making the right design decisions along the way, we’ve integrated user testing over the length of the project. Each week, we run five 30-minute sessions where we interview a participant and show them designs that we have been developing. We ask them to perform tasks and observe them as they interact with the prototypes.
We quickly realized that it would be challenging to record and analyze our sessions, as our notes would grow unwieldy over the course of the project. To keep our research relevant, we needed to develop a solid system to both track and make sense of our observations during testing.
Challenges
Running ongoing user testing parallel to design presents a few challenges:
  • In order for notes to be usable by the design team, they must be searchable. All information gathered over the length of your sessions should be easily and equally accessible.
  • In order to affect the design in a fast-paced project, the information gathered during a week of testing needs to be processed and analyzed in real time.
  • Prototypes change from week to week as we hone designs and flesh out more interactions. Correspondingly, the questions and tasks that we present to participants aren't consistent from week to week. The system needs to be flexible and link all related notes together.
Taking into account the above considerations, we came up with a new system for taking notes. Once we got it up and running, recording and analyzing testing sessions each week was a breeze. We were able to use one week of testing to inform our design revisions and get the refined designs in front of users the next week to test how they worked. Each subsequent week of testing afforded us the opportunity to make more nuanced observations and discoveries about our users and our proposed solutions.  Here are the steps to implementing this system for your team:
Our System
Set up a team huddle. For a large research effort, there are likely multiple people involved, from recruiting participants and preparing prototypes to moderating and recording the sessions. Before beginning each week of sessions, the team should gather to go over the script and prototypes. Outline the questions you hope to answer through your testing sessions, as well as the specific tasks you will be asking participants to perform.

Define the tasks. This will help your note-takers better evaluate the performance of each task during the session.
  • Make sure any note-takers know what a successful completion of the task looks like, as well as any acceptable variations.
  • Tasks should be measurable, which may require breaking down complicated interactions into microtasks. For example, imagine you were testing an interaction on Facebook. You may ask a participant to change their profile photo. However, in your notes, you might split that task into two steps: navigate to the profile page, and upload a photo from the computer. This will make it easier to quickly evaluate each step during the session. It also enables you to later pinpoint where problems lie with more precision.

Define the metrics. Create a rating scale and write corresponding descriptions so that each task is evaluated consistently. Share this with the team. We used a scale with 1 equating to a pass and 5 equating to a fail. For example, 1 indicated a direct and easy completion of the task, 2 indicated a hesitation before completion, 3 indicated a course-correction, and so forth. This will help you with analysis later.

Write notes directly in a spreadsheet. This eliminates the need to transfer notes before analyzing them. We recorded each task, our rating of the participant's performance on the task, and any relevant observations on a new line in a spreadsheet. This set up a straightforward structure for our notes that could be processed later.

Store pre-test interview information in a separate spreadsheet tab. While interview information may be helpful and interesting as a cross-reference, keep in mind that your goal is to test the prototype, not the user. We kept all the participant information, like their role in a company or how frequently they used this type of product, in a secondary tab. We could always refer to it later to understand outliers or trends, but for the most part we were more interested in how the participants as a whole interacted with the various prototypes.

Create a tab to analyze your notes. Once you have a few sessions documented, you can start analyzing how your participants on average perform individual tasks. (Make sure that you are using consistent names to tag each task; data validation and drop-downs can help with this.) We used functions to average the ratings for each task, and we added conditional formatting rules to flag any task that met certain criteria, such as a high number of failures or a high (failing) average rating.

After discovering which tasks participants struggle with, go back and read your notes to understand why. This is where you will be glad that you organized notes by tasks. Now you can filter your notes to only show notes for a specific task and read the observations relevant to that task for all the participants you have observed. Was there a pervasive problem? Did users miss a clickable button? Was the copy unclear? Did a field not look editable? You'll be able to tell rather quickly why users are struggling.

This process of note-taking created a feedback loop for us. Each week, it allowed us to validate certain aspects of the design, while also alerting us to the specific parts of the design that weren’t functioning. That way, we could focus our energy on the aspects of the design that warranted the most attention. Although this research process might seem time-intensive, it should save you time in the long run.
Check out the demo sheet we created, or download a blank sheet to start recording your notes.


Source: VigetExtend


UX + CRO = PROFIT: How to Use Your UX Skills to Improve Conversion Rates (Pt 1)

"Marketing is too important to be left to the marketing department."– David Packard, co-founder, Hewlett-Packard

“Mo’ customers, mo’ problems,” said no one, ever. Whether you’re selling a product, raising donations, or offering a service, having more customers is almost always a good thing. But how can you, lovely UXer that you are, optimize your site so it converts more visitors into customers? (Spoiler alert: this post will answer that very question.)
Conversion rate optimization (CRO) is the process of optimizing experiences with the goal of increasing the percentage of visitors that convert into customers. User feedback and analytics data are used to deliver a more persuasive experience — ultimately making your site more effective. Understanding users and design principles are critical aspects of CRO, so UX professionals are a natural fit to lead this type of work.
This series provides an introduction to CRO and a framework to help you get started. In part one, we’ll discuss how to generate ideas for improvements and how to turn those ideas into experiments. In part two, we’ll discuss how to conduct and analyze experiments so you can figure out what actually improves your conversion rate. So, soon-to-be CRO hero, are you ready to get started?

Proceed with Caution: When to Say No to CRO
We know you’re excited. But before you spend your time learning all the things, let’s help you figure out if you even need to know them. You should say no to CRO if:
  • Your product or service hasn't reached product/market fit. (Focus on customer development first.)
  • You can't measure site activity or business metrics, like customer lifetime value.
  • You don't have a sufficient understanding of your most passionate users; you may accidentally change features that drove the most value for your product.
If you’re still unsure, read this blog post about optimization mistakes that kill startups.

How to Turn Your CRO Dreams Into Reality
There are 7 basic steps to CRO:
1. Generate ideas.
2. Prioritize experiments.
3. Create an experiment plan.
4. Run your experiment.
5. Conduct analysis.
6. Share results.
7. Implement the winner.
We will cover the first 3 steps in part one of this series.

Step 1: Generate Ideas
The most effective way to generate ideas is to let research and data lead the way. Use the following approaches to get started:
Define your product’s drivers, barriers, and hooks.
Drivers are the intentions and motivations that push users to complete a transaction. They are determined by your value proposition, relevance, clarity, and urgency. You need to know:
  • Who is the user?
  • What is their mental model?
  • What are their goals and needs?
  • What is the job to be done by your product or service?
Use that information to brainstorm better ways to position the benefits and features of your product or service.
Barriers are the habits, anxieties, distractions, and uncertainties that prevent users from completing a transaction. You need to know:
  • What doesn't work?
  • What are the most critical pain points?
  • What are the major areas for improvement?
  • What are our marketing barriers?
  • What are our product barriers?
  • Why don't qualified buyers buy?
Use that information to brainstorm ways to address those issues and overcome those barriers.
Hooks are the promise of a new idea or fix that entices a user to complete a transaction. You need to know:
  • What makes buyers want to buy?
  • What persuasive techniques do we use? What other techniques could be used?
Create a customer journey map.
Journey maps are a helpful tool because they allow you to take a holistic look at the customer experience. They can expose issues and highlight opportunities for improvement.
Talk to your existing customers.
Your existing customers are treasure troves of information. Use customer feedback forms, user interviews, and surveys to discover both issues and value propositions.
Analyze data to determine where you should focus your efforts.
  • Page value reports. These Google Analytics reports use event values to determine the impact of individual pages on conversion, a good indicator of the relative importance of pages.
  • High bounce and high exit pages. Bounces can indicate that a page was unable to hold a user's attention or didn't clearly contain the content they needed.
  • Funnels. Funnels are the pages, forms, and emails your website visitors go through to complete a transaction. Because all paying customers go through funnels, funnel analysis provides value. Funnels are also easy to test.
  • Forms. Forms are the middleman between you and a new customer. Analyzing form performance can uncover opportunities. Look at data points like form errors and completion times.
After completing some (or all) of these steps, you should have a list of potential ideas. Now it’s time to narrow down the options.

Step 2: Prioritize Experiments
The mantra “Test Everything” is an unhealthy myth — especially when you’re a new brand or have limited traffic. Experiments need lots of traffic to generate data you can trust, and getting the required level of traffic needed to reach statistical significance means you can’t test everything at once; you need to prioritize.
There are several criteria that you can use to help you prioritize your experiments. The most important factors to consider are:
  • the total visitors affected by a test
  • how much we could reasonably expect to improve these visitors' conversion rates
  • the cost to implement
  • the potential net revenue impact and ROI
Use these dimensions to prioritize your experiments and to determine which to run first.
It’s also important to perform a quick break-even analysis to set a threshold on the kinds of experiments you will consider. A break-even analysis will eliminate wasted time and energy on experiments that don’t have potential to make significant improvements to your site. In order to have a positive ROI, your estimated conversion rate and value improvements must be greater than the cost of development.
Estimated conversion rate lift * estimated conversion value lift >= cost of development
Estimating the conversion rate and conversion value lift can be challenging, but even order-of-magnitude estimates can reveal whether or not an experiment will be worth your time, and you’ll get a better sense for potential impact as you run more experiments.
The cost of development is simply the cost of the time and materials it will take to implement an experiment variation, with totally new features typically requiring the most work and modification of existing features requiring the least.
The most valuable experiments should be conducted at the beginning of the experiment cycle. If you are changing the layout of your site, it is best to experiment with large design changes first. This approach prevents you from experimenting with granular aspects of a design that may eventually become irrelevant. If you are validating a new feature, it is best to start with the minimal version. This approach allows you to validate assumptions as you go; these painted door experiments can be used to validate features without investing the resources in developing them fully.

Step 3: Create an Experiment Plan
Once you’ve prioritized your experiment ideas, you can develop an experiment plan. Your experiment plan compiles all of the pertinent details in one place. It forces you to think through all aspects of an experiment and is a resource that the entire team can reference. Experiments should build on the results from previous experiments, so you should look for ways to conduct continuous experimentation.
Each experiment should be short, measurable and isolated:
  • Short. Select experiments that can accumulate a statistically significant amount of data. A split testing calculator can help you estimate how long this will take given your traffic and conversion rates.
  • Measurable. Define a specific measurement for each experiment so the results can be analyzed and appropriate recommendations can be made.
  • Isolated. Focus on an isolated element in each experiment so it's clear which factor causes a specific result.
Experiment plans are a critical part of the CRO process. The information documented in your plan will help you prioritize, run, and track all of your experiments.
Generating ideas, prioritizing experiments, and creating an experiment plan provide the foundation for the rest of the CRO framework. In part two, we’ll build on this foundation and talk about how to run and analyze experiments.


Source: VigetExtend


Are you ready for DrupalCoin Blockchain 8?

The long-awaited DrupalCoin Blockchain 8 is set to hit the tubes sometime in 2014. The DrupalCoin Blockchain nerds here in Austin, TX and all over the world are giddy with anticipation. (There is no official release date set yet.) Currently, if you check https://drupal.org/node/2026719, you can download the Alpha 2 release. I'm sure it's buggy as all get-out, but it may appease your eager anticipation.

What's all the excitement about, you ask? Well, let's take a look.

According to reports, DrupalCoin Blockchain 8 will be the most customizable and adaptable release of DrupalCoin Blockchain to date. DrupalCoin Blockchain 8 offers many new ways to customize data structures, listings, and pages, and adds new functionality for mobile device support, API building and expanded multilingual support. And that’s just the beginning.

Here are some more of the improvements you can expect to see in DrupalCoin Blockchain 8. 

  • Fields of Dreams - DrupalCoin Blockchain 8 includes more field types in its core, and lets you attach fields to more types of content. Some of the new field types include link, date, e-mail, entity reference, and telephone. Comments are now a field too, which means you can now comment on product nodes!
  • File Based Configuration Management - DrupalCoin Blockchain 8 will ship with a file system-based configuration management system. This will make it much easier to transport configuration changes from development to production. It also lets developers use version control for configuration.
  • HTML 5 Finally - The page markup is now HTML 5-based. DrupalCoin Blockchain 8 now offers picture element support for responsive image display and native input tools for mobile.
  • Dynamic Display and Form Mode System - With the new dynamic display and form mode system you can customize different entity forms, such as user registration and editing.
  • Look Deeply into Views - Views is now deeply integrated into the core. The front page listing is now a view, as are several administration pages. You can now easily create custom admin pages and filters.
  • It Even Looks Good on my Smart Refrigerator - All built-in themes are now responsive, and administration pages are mobile friendly. Tables resize nicely, and the new toolbar included in DrupalCoin Blockchain 8 is mobile-friendly out of the box. The administration overlay has been removed in favour of a mobile-first button that leads back to the last frontend page.
  • Edit Your Heart Out - With the new editor functionality and the bundled CKEditor WYSIWYG editor, it has never been easier to edit content in DrupalCoin Blockchain. The content editing form has been redesigned with two columns. Finally, DrupalCoin Blockchain brings in-place editing to life, so you can edit on the front end without using the full edit form. There have been improvements to draft saving as well.
  • Habla Espanglish? - DrupalCoin Blockchain has always been ahead of the game when it comes to internationalization and localization, but DrupalCoin Blockchain 8 is a huge leap forward when it comes to multilingual sites. You can now translate anything in the system with built-in user interfaces. How about Views language filtering?

These are just some of the improvements that you can expect to see in DrupalCoin Blockchain 8. We are super giddy here at Pixeldust in Austin, TX. Check back for some great new DrupalCoin Blockchain 8 sites.

The post Are you ready for DrupalCoin Blockchain 8? appeared first on Austin DrupalCoin Blockchain Development by Pixeldust Interactive.


Your CMS is Probably Vulnerable to Privilege Escalation Attacks

We recently discovered an easily exploitable, vertical privilege escalation vulnerability in every popular, off-the-shelf CMS that we tested.

The lesson: CMSes either need stronger security around user permission updates, or to backtrack away from the convenience afforded by allowing raw HTML editing and publication from non-admin users.

What is a privilege escalation attack?

A privilege escalation attack exploits a bug, insecure feature, or poor configuration to increase your level of access within a system. Through such an attack, a user who already has a limited degree of access to a CMS can grant themselves unrestricted access.

Which CMSes are affected?

Just about every CMS that provides unfiltered HTML editing capabilities to non-admin users is vulnerable to XSS-based vertical privilege escalation attacks, even when CSRF protection is in place. We personally validated the attack against Craft, WordPress, and DrupalCoin Blockchain*.

The vulnerability was responsibly disclosed, with exploit samples, to each security team in April 2016. The Craft security team immediately responded by releasing a fix as a critical update, and recent versions of Craft are no longer vulnerable.

*Note that in its default configuration, DrupalCoin Blockchain is not vulnerable to this attack as the administrator user role is the only role able to author unfiltered HTML, however nearly all organizations we've seen use a more complex system of user roles and permissions which increase their susceptibility to this attack.

What is the outcome of the attack?

Non-admin CMS users can update their user account's role to admin status. This typically provides the attacker with a large number of new exploitable vectors. (e.g. download a database backup to crack contained hashed passwords, deploy a broader XSS attack within a CMS theme template file, deface the public website, etc.)

Technical Attack Summary

The attack is a straightforward stored XSS exploit.

I: The Exploit Script

The exploit relies on the trust that the CMS places in the browser of an admin user. An attacker needs only an elementary understanding of JavaScript and HTML to write a script that silently issues a request to the CMS to update the attacker's own user account with increased permissions.

It is a common misconception that CSRF-protection mechanisms are useful against these sorts of XSS attacks. CSRF tokens exist to stop requests forged from another origin, but an injected script runs on the CMS's own origin, so it can read the token from the page (or from a same-origin cookie) and include it in its request. CSRF protection therefore merely adds one additional, trivial step to the attack process.

II: Exploit Deployment

With the exploit script in hand, an attacker can drop the script anywhere in the CMS where unescaped, unfiltered HTML is displayed. (This is almost everywhere in most popular CMS configurations.)

Some doubt that attackers would be so bold as to place obviously malicious code directly into their own blog posts or page updates. Keen attackers, however, will obfuscate the intention of the exploit script before deployment to avoid detection, perhaps through minification and encoding.

<script>
eval(window.atob('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'));
</script>

Still too obvious? How about:

<script>
// Omniture Tracking Snippet
var omTrack = eval(window.atob('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'));
omTrack.linkTrackVars="eVar45,events";
omTrack.linkTrackEvents="event23";
omTrack.eVar45="MaturingEquityLine";
</script>

<!-- That's right. Nobody at your company actually knows how Omniture works. -->

III: Phishing Around

After the exploit has been deployed, the attacker needs only to guide an admin to the deployed exploit. Unfortunately, common CMS workflow practices make this insanely easy: an admin who reviews or previews a submitted draft before publication loads the payload as a matter of routine.

Once the target hits the deployment, the script executes in the context of the admin's session. The CMS trusts the target's session, so it fulfills the permission escalation request without hesitation.

The attacker is now a system admin and the target is none the wiser.

Defending Against the Attack

Being attacked sucks. Fortunately there are steps each of us can take to protect ourselves and our teammates from this sort of attack.

For Everyone

  • Use strong and unique passwords. CMS privilege escalation can often provide access to database backups, which contain hashed user passwords. It is much more difficult for an attacker to crack your password hash if you have a long password (that isn't just an obvious word with some numbers tagged on to the end). If your password is cracked and you reuse it elsewhere, this limited-scope attack can become considerably more damaging.
  • Be skeptical. Don't click on links sent to you by people you don't trust (especially not links found in sketchy emails). Contact your security team if anything ever feels weird or fishy.

For Site Developers/Administrators

  • Keep your CMS updated to the latest version. Releases often contain security fixes that may patch vulnerabilities such as the one described above. These releases also show attackers where vulnerabilities existed in older versions, so your site is extra vulnerable if you choose not to update.
  • Consider applying a Content Security Policy to your site that prohibits execution of untrusted scripts, to remove the XSS vector that CMS WYSIWYG editors typically provide. To be effective the policy has to forbid inline scripts (or allow only those carrying a per-response nonce or hash), which means every legitimate inline script the CMS and its themes emit must be reworked. (These types of CSPs are extremely onerous. Get ready to do some serious lifting.)
  • Don't provide CMS access (particularly access to post raw HTML) to anybody that you would not trust as a CMS admin. Have others draft content in a Google Doc, and have a trusted user copy it over.
  • Stay logged out of sites unless you need to be logged in to complete your current task. (Yep, actually use that log out button.)

For CMS Developers/Maintainers

  • Require reauthentication (a fresh password check) for all requests attempting to modify user permissions. An injected script can read a CSRF token from the page, but it cannot supply the admin's password. (This is the approach with which Craft has mitigated this exploit.)
  • Limit the scope of CMS actions that can be performed from the web portal (e.g. don't provide an online file editor... looking at you, WordPress).
  • Store database backups securely, and keep them inaccessible from the CMS's web interface.

