User-Friendly Cybersecurity: Is a Better UX the Key to a Better Defense?
May 3 2020
For so many digital initiatives today, user experience drives design above nearly all else. Whether it’s for customer-facing applications or internal tools, enterprises and software vendors are working full tilt to improve usability in order to delight their customers and improve usage rates of their technology.
But a lot of that effort evaporates in the realm of security.
According to security pundits, too many security vendors think of user experience as a nice-to-have afterthought, if they even address usability concerns at all.
“Many vendors do not take usability seriously enough,” says Lorrie Cranor, director of Carnegie Mellon CyLab Security and Privacy Institute. “Their expertise is on the back-end security components, and they either ignore the user experience or address it only after the product is mostly developed.”
On the flip side, security features shoehorned into nearly designed nonsecurity products or tacked on after the fact are usually so driven to lock down a gaping security hole that their designers forget to account for the natural human tendencies of their users.
But also important: If a security feature introduces any kind of friction into users’ workflows, they’ll find a way to turn it off or find a workaround. And even if the feature doesn’t flummox them but the feature is off by default and takes effort to turn on, odds are most users won’t bother with it. This isn’t a disparagement of users — just a fact of human nature in a busy work environment.
“When secure systems are not usable, there is a huge risk that users may try to avoid using them or disable security features,” Cranor says. “There is also a risk that users may use security features incorrectly and make errors that compromise security.”
Experts believe that as organizations and security vendors try to help their colleagues mature their cybersecurity practices, they have to get more serious about usability. They argue that it is not a nice, optional feature, but is actually the key to improving security posture.
“Usability is integral to operationalizing cybersecurity for businesses,” says Sierra Ashley, vice president of product and user experience at DigiCert. “Security solutions are effective when they minimize user effort to achieve maximum results.”
The trick for security decision-makers is to understand that usability is a complex topic when it comes to security because so many different kinds of users and scenarios have to be accounted for. Security leaders and vendors must keep an eye out for all of them if they are to improve the security user experience across the board.
Making Security Frictionless for Average End Users
As organizations push to improve security through better usability, they first need to tackle how protective security technology and features impact the work environment of their end users.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.