We often hear security and usability described as competing interests: really usable products can’t be secure, and really secure products are hard to use. Is this really true? Can we create applications that offer great user experiences while also providing the necessary security features to protect critical, personal information?
Here at 10Pearls, we answer this question with a resounding “yes.” Security and usability are frequently viewed as tradeoffs, but this misconception is a mindset that all product teams must overcome.
Origins of the Usability vs. Security Myth
Let’s take a step back and look at why this false premise exists. From the creation of computers in the 1930s until late in the 20th century, system administrators were the singular authorities of their domains. They were completely in charge of everything, including using the system and keeping it secure. Fast forward to today and nearly 80% of Americans own smartphones. Now, the responsibility to make sound security decisions is literally in people’s own hands.
Unfortunately, most people do not realize the need or value in prioritizing their security and privacy. They are more concerned with an enjoyable, convenient user experience. Thus, people (and their tendency toward weak passwords, ignoring system updates, etc.) are viewed as a security risk.
With today’s cyber threats, it’s imperative for companies to avoid serious, costly data breaches, which can ruin a brand’s reputation. And many companies wrongly assume that their users’ demands for convenience and ease-of-use are at odds with security measures. This simply isn’t the case. In fact, the best security measures should allow for seamless protection while enhancing user experience.
Security and UX: Allies not Enemies
Leading technology companies are rapidly implementing systems that increase security and user experience simultaneously.
For example, the latest iPhone X uses Apple’s Face ID facial recognition technology in place of a PIN code or a fingerprint. Apple touts that this technology is secure enough to serve as your authorization when making purchases. Both usable and secure, this new iOS feature naturally accelerates purchasing times. (For users with an identical twin: you may want to stick with a passcode just in case.)
So how can companies create a symbiosis between security and usability, and excise the idea that the two are at odds?
The first step to making security and usability harmonize is co-creation.
Too often cybersecurity experts are looped into the last phases of the product creation process (or not at all) and security is framed as an “add-on.” Instead, security team members should be involved from the very beginning. By working as one team, UI designers, user researchers, and security professionals can create a customer experience that helps and encourages users to make better security choices.
In addition to creating a culture of co-creation, security teams should embrace agile methodologies like most UX teams have.
Too many security teams are accustomed to the procedural ways of the past, and are not thinking about continuous improvement throughout the product lifecycle. An iterative process is needed to keep up with new technologies and new security threats.
Finally, and perhaps most critically, use the techniques of UX to improve security.
The best example of this is choice architecture. Given options in the interface, the default or easy path should be the safer or more secure choice. We can also use UX techniques of analyzing behavior to find out if people are spending time and effort on risky behaviors – and if so, do research and analysis to figure out why.
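The two ideas above, safe defaults plus measuring how often users leave them, can be shown in code. The following is an added example, not code from 10Pearls or from the original post: a hypothetical account-settings resolver in which doing nothing yields the secure configuration, weakening a safeguard requires an explicit confirmation step, and every such choice is recorded so the team can later ask why users take the risky path. The setting names, default values and telemetry shape are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed secure defaults for a hypothetical account-settings screen.
# Choice architecture: the value a user gets by doing nothing is the safe one.
SECURE_DEFAULTS = {
    "mfa_enabled": True,
    "session_timeout_minutes": 15,
    "remember_device": False,
    "share_diagnostics": False,
}


def is_riskier(setting, value):
    """Return True if `value` weakens the setting relative to its secure default."""
    default = SECURE_DEFAULTS[setting]
    if setting == "session_timeout_minutes":
        return value > default  # a longer session widens the exposure window
    if setting == "mfa_enabled":
        return value is False
    # remember_device / share_diagnostics: turning them on is the riskier path
    return bool(value) and not default


@dataclass
class ChoiceEvent:
    """One recorded decision to leave the default path (constructed telemetry shape)."""
    user_id: str
    setting: str
    value: object
    seconds_spent: float  # time the user spent on that screen


@dataclass
class SettingsResolver:
    """Applies user overrides on top of the secure defaults and records risky choices."""
    risky_events: list = field(default_factory=list)

    def resolve(self, user_id, overrides=None, seconds_spent=0.0, confirm_risky=False):
        settings = dict(SECURE_DEFAULTS)  # copy, so callers cannot mutate the defaults
        for key, value in (overrides or {}).items():
            if key not in settings:
                raise KeyError(f"unknown setting: {key}")
            if is_riskier(key, value):
                # The risky path exists, but it takes deliberate effort and leaves a trace.
                if not confirm_risky:
                    raise PermissionError(f"weakening {key} requires explicit confirmation")
                self.risky_events.append(ChoiceEvent(user_id, key, value, seconds_spent))
            settings[key] = value  # tightening a setting is always accepted silently
        return settings


def risky_choice_report(events):
    """Summarise which safeguards users weaken and how long they spend doing it.

    This is the UX-research side: a high count or a long average time on one
    setting is a prompt to go and find out why users are fighting the default.
    """
    counts = Counter(e.setting for e in events)
    total_time = {}
    for e in events:
        total_time[e.setting] = total_time.get(e.setting, 0.0) + e.seconds_spent
    return {
        setting: {"users": counts[setting], "avg_seconds": total_time[setting] / counts[setting]}
        for setting in counts
    }


if __name__ == "__main__":
    resolver = SettingsResolver()
    resolver.resolve("alice")  # nothing chosen: secure defaults apply
    resolver.resolve("bob", {"mfa_enabled": False}, seconds_spent=40.0, confirm_risky=True)
    resolver.resolve("carol", {"session_timeout_minutes": 60}, seconds_spent=20.0, confirm_risky=True)
    print(risky_choice_report(resolver.risky_events))
```

The design point is that the secure option costs the user nothing, while the insecure option costs a confirmation and produces a data point; the report is what a joint UX and security team would review to decide whether a default is wrong, a screen is confusing, or the risky path should be redesigned.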
Ultimately, the argument that security and usability are a tradeoff is a false premise. Working together is the key, and it will separate leading technology companies in the coming decade.
Peter Hesse is 10Pearls’ Chief Security Officer. For nearly two decades, Peter has leveraged his passion for technology and experience in security to develop successful solutions to interesting problems. From an exciting start developing the reference implementation of a standards-based certification authority for the National Institute of Standards and Technology (NIST), to overcoming obstacles and successfully demonstrating the system that formed the basis of the Federal PKI, Peter has built his reputation tackling complex challenges and explaining them to others.
Peter founded and ran the successful information security consulting firm Gemini Security Solutions for over a dozen years. He now focuses on avoiding the common break/fix mentality around security, and instead finding ways to architect and build security into systems and products.