Security and usability have traditionally been opposing concepts. For years, there’s been a misconception in infosec that for something to be secure, it had to be complicated. Many vendors used this to their advantage, pushing complex products that didn’t actually solve the issues organizations were facing.
The truth is that while the past 20 years have centered on creating security for systems, the next 20 will have to focus on developing security for people. That’s because adversaries are increasingly targeting users with social engineering techniques, while many vulnerabilities are created when security processes are not followed correctly.
When users are involved in a security breach, the default reaction tends to be to blame the victim, criticizing them for not being more careful and following the proper procedures. Instead of pointing fingers, however, we need to look at why that incident happened. What gaps existed in the defenses that meant users were exposed to threat actors? What was it about the security solutions and processes that caused users to sidestep them and create additional risks?
To answer these questions, we need to focus in on the user experience problems that are common in security.
Putting user experience first
We have found that very few users will knowingly put their company at risk; it is the duty of the security industry to do everything it can to help users carry out their jobs while keeping themselves and the organization safe.
However, the average user’s interactions with security solutions often tend to be negative, with security being seen as a barrier that only exists to prevent them from getting on with their jobs. Many solutions also suffer from being difficult and cumbersome for the average, non-technical worker to use effectively. If a process is too confusing, complicated or slow, people will immediately begin to find a way around it so that they can get on with their busy day.
User experience should therefore be a central focus of all security solutions and processes within any organization. Yet improving the experience beyond the surface can require a completely new mindset. With that in mind, these are five key actions that will help the industry improve user experience.
Invest in user research from the start
The user experience should be an integral part of any security solution from the very beginning of the development cycle. At Duo, for example, we ensure there is one user experience specialist for every five developers, guaranteeing that product management, design and engineering are all working closely together.
Waiting too long into the development cycle to focus on user experience will result in chasing after the project, making it difficult to change much beyond the surface UI. While a slick interface is certainly important for user experience, this alone will not address the heart of the issues causing people to sidestep security.
Look at real users to find moments of friction
Rather than being designed in a vacuum, security solutions should incorporate studies involving real people in the normal workplace environment – think of it like an anthropological study. In particular, this will help to uncover the real moments of friction that arise in a normal working day.
For example, picture a department head who is running late to an interview. They only have five minutes to log in and prepare their notes, but the system has decided to go through a lengthy credentials refresh process.
These kinds of delays are the moments where stress will override security sense, with the user trying to find a way around the security process so they can get on with their work. In-depth user research will help development teams understand where these friction points arise, enabling them to build in features that will better address them where possible.
Address user behavior
Alongside implementing security technology and processes that are designed with the user experience in mind, companies also need to ensure that security is ingrained as a normal part of employee behavior. This can involve anything from workshops and training to informative posters and emails. Hygiene in the healthcare industry is a good example of this approach in action – observing the behavior of physicians and iterating on signage in hospitals led to more consistent handwashing, and therefore better patient outcomes.
Manage expectations
Even the most thoughtful and accessible solutions will sometimes create moments of friction. When there is an unavoidable delay due to additional actions or downtime, it’s important for the solution to be transparent, keep the user informed, and manage their expectations. Knowing whether the service will be interrupted for five or 40 minutes will help reduce the frustration and minimize the impact on the workflow.
Reduce, reduce, reduce
The larger and more involved any kind of IT solution is the more issues there are likely to be, and this is just as true for security systems. Overly complicated solutions are more likely to create issues for end users, as well as being more difficult to rollout and maintain. There is a greater chance of vulnerabilities emerging that can be exploited by threat actors. Developers should look to reduce the size and complexity of their solution wherever they can.
By implementing these steps, among others, when designing and iterating security solutions, the industry will help to make it the natural choice for all users to stay secure as they go through their day. Establishing a positive user experience around security will greatly reduce the chances of users exposing the organization to risk through their behavior, and make things more difficult for threat actors looking to exploit the human factor.