The user experience of security
Introduction
Back in the 1990s, when you mentioned cybersecurity to anyone, a glazed look would come over their face. And fair enough. Security, as a discipline of IT, was a bit dry and boring.
Then the internet hit, and we all become co-opted into cybercrime in one form or another. Scams are now so ubiquitous that many countries have their own government services attempting to educate citizens. In the U.S., for example, the Federal Trade Commission (FTC) has a Scam Alert site dedicated to bringing the latest scams into the public forum. Another example is Australia, with its own Scamwatch site.
What should you learn next?
Even so, the “user” (aka people) generally does not want to have to think about security. The internet may be everywhere, but security is still boring. It is not until something actually bad happens that folks sit up and take notice.
However, as a business, we need to have our staff and other associates on watch for cyberthreats. We need to make sure that security moves out of the shadows and into our awareness so we can reduce the chances that our company will be the victim of a cyberattack. This, as with many areas of technology, comes down to making the interaction with security a good User Experience (UX).
Elements of UX in cybersecurity tools
To make an analogy to another area of tech: If you were to design a commercial website in the way that many security tools or processes are designed, you’d lose customers. Cybersecurity tools, even those meant for consumers, can often be complicated to understand and set up. Some use cases give us an insight into how UX can impact security choices.
The case of login credentials (authentication)
It is now accepted wisdom that using a second factor (2FA) such as an authentication code along with a username and password is more secure than not using one. However, consumer usage of 2FA is falling short of optimal. Google, for example, has an uptake rate of 2FA in only around 10% of users.
However, a DUO survey has found that awareness of 2FA is improving and SMS text code is the most popular method. In the U.S., over half of users are using 2FA for some accounts. Securing more sensitive or valuable accounts has the greatest numbers of 2FA users, e.g., for secure bank account access.
One of the issues with 2FA for consumers is that it is an extra step, a hurdle to use. It adds time to an interaction and extra clicks. The trouble is that if something is hard to do, it often won’t be done.
The use of a mobile app, such as Google Authenticator, may have better security than an SMS text message (which could be intercepted) but it has a lower take up. This is because the UX of an app involves extra clicks to open the app, scroll to the code and so on.
One of the better UX moments in using SMS text codes for 2FA is using them on a user journey that is entirely mobile. You click to access an account on a mobile, the SMS code is sent, the interface allows you to click the code, which is auto-populated into the account access field, and hey presto, you are in. The UX is seamless, simple and reduces friction; it’s a great UX, so it is a preferred UX.
When good security goes bad UX
An example of when good security goes bad because of poor UX is in the product Pretty Good Privacy (PGP). PGP provides end-to-end encryption of email communications. It is used in an email client, ProtonMail.
PGP was originally developed as a standalone product, but it never really took off outside of the tech community. Many have wondered why such a good security product never really went mainstream. One of the most popular theories is that the user interface was poorly designed, being a highly technical UI, and that it required an understanding of ‘key management — you had to know how to share, manage and maintain encryption keys.
In other words, the UX of PGP was such that it added hurdles to its use. Only those who were prepared to jump those hurdles used it.
The case of password managers
Password managers are also poorly used. By rights, they should be ubiquitous. They solve the problem of password fatigue and add a layer of security onto accounts that only have single-factor authentication in place (some offering more security than others). However, a Pew Research report found that only around 12% of users use a password manager.
One of the issues with password managers is that they can be difficult for the average user to install and maintain. It is easier to write a password down.
Carnegie Mellon Cylab looked at why password managers were not used. The answers included:
- Reusing passwords made it easier to just remember passwords
- Writing them down/saving in a phone was easier
- Giving up control of their passwords to software was in itself a concern
- As was the idea of a single point of failure
In all of the above examples, the poor UX resulted in poor security practices. UX is crucial to a good user experience of security and to making security work.
The security of processes and UX
One key thing to remember is that UX is not just about using a product. It is also about being part of/using a process.
This is evident in the case of Business Email Compromise (BEC). BEC is a cybercrime dependent on a number of things, including surveillance, grooming of individuals and social engineering.
BEC is committed as a process. It may utilize technology as part of that process, but it is much wider in scope. The UX of BEC as a process is carefully orchestrated by the cybercriminal. As such, the only way to counter these types of cybercrimes is to employ your own well-defined processes that incorporate a user experience that is workable and can be applied easily.
For example, to counter the impact of a BEC attack, you may put in place your own process around double-checking any large money movement. If that process is complicated or has workarounds that mean it can be circumvented, then it will likely fail, and your company will be at a greater risk of BEC.
A great user experience within a process is as important as any UX that impacts a human-computer interface. Removing obstacles from the process is key to making that process viable.
Cybercriminals themselves know this. They refine their scams to ensure that they create a great UX. Cybercrime works because the cybercriminals understand how to remove obstacles from success.
Good UX makes good security in processes
A great user experience is the goal, but UX is not something that happens overnight or without effort. To create a great UX, you need to start with certain design considerations:
- A diverse team: Having a team that includes people from all walks of life can help in designing a great UX. For example, have you thought about disabled users in your product or process?
- Design for your users, not yourself: When you design a security product or process, think about your audience. What are the demographics likely to be? Does the language suit the user? Is the interface accessible?
- Test it in the real world: Test with real users that represent the demographic using your process or product. Do A/B testing to get the best UX you can
- Be prepared to change: Keep testing, keep refining
- Usable and secure: The balance between usability and security is a constant of the industry, but you must find a happy medium. If you add UX hurdles, the security will not be used. You end up with a situation where you may even make security worse — the example where the user chooses to reuse passwords to remember them, rather than a password manager, is a case in point
The UX of security bottomline
We need to make security work to counteract the massive impact that cybercrime has on modern business and individuals. To do so, we must make security accessible and usable. This begins with good design, a design that removes hurdles caused by making people jump through UX hoops.
Whether you are designing your UX as part of a process or to create an accessible and usable security product, you have to think like a user. There is no point in making something so secure that it becomes unusable: all you do is create a barrier to uptake and allow individuals to think of ways around using something. The end result is your product or process is not used and your company cybersecurity threat risk increases.
Great UX equals great security. It is worth going the extra mile to make it happen.
Sources
- Scams, Federal Trade Commission Consumer Information
- Scamwatch, Australian Competition & Consumer Commission
- Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication, The Register
- The 2019 State of the Auth Report: Has 2FA Hit Mainstream Yet?, Duo
- What is PGP encryption and how does it work?, ProtonMail
- Password management and mobile security, Pew Research Center
- Why people (don’t) use password managers effectively, CyLab
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- The user experience of security
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security