Strong protection is at the heart of effective cybersecurity. However, in an era of unparalleled risk, it’s remarkably easy to introduce confusing design elements, poor functionality, and draconian restrictions into the user experience (UX), prompting company employees to bypass controls and embrace shadow IT.
Not surprisingly, subpar usability can undermine and defeat even the best tools, technologies, and policies.
“How organizations create a user experience and design Web pages, apps, and other tools determines their level of protection,” observes Sam Olyaei, a research director at Gartner.
Usability problems can also weaken the business.
“The relationship between user interface and security is about a user’s time and cognitive load,” says Andrew Wagner, VP of engineering at security and compliance solutions provider Tripwire. “Good UX means that a user doesn’t need to be a security expert to increase security.”
Designs on Security
The relationship between security and UX begins with a simple but profound fact, Wagner says.
“It’s about how any sort of solution fits into a user’s life and relates to their actual goals. No company exists for the sole purpose of being secure,” he explains. “The objective is to provide value to customers, and security is mostly a distraction from that goal.”
A great interface is intuitive, connects to the right tools or links, and ultimately leads the business user in the direction of accomplishing their goals. Wagner says the idea that there’s a trade-off between UX and security is a myth.
“Strong UX reinforces strong security in that it makes security practices easier and less expensive, and this ease of use helps prevent bypass culture,” he says.
Ultimately, usability spins a tight orbit around a few key factors: how a program or app integrates with other solutions within an ecosystem, how easy it is to use, and how various security protections are designed, configured, and customized. An enterprise should aim for a “low-impact, low-cognitive-load solution” that avoids complications and complexity, Wagner explains.
UX problems rear their heads in numerous ways, making it difficult, for example, for an account rep to transfer data between devices. As a result, the employee might copy and paste data into personal software. A company might also toss out a new software update without briefing employees about new and confusing features, or block legitimate external emails.
These UX problems — and the resulting workarounds and shadow IT — can extend to customers, business partners, and supply chains, too.
“If the path to applying good security practices involves having to spend hours learning about a problem, learning about the tooling to solve it, and then constantly going outside of my day-to-day work to apply it, then the solution has only caused me to make hard trade-offs with my limited time,” Wagner explains.
UX and cybersecurity aren’t monolithic entities either, Olyaei points out. For instance, NASA and Netflix have very different security objectives, so they must design their usability and security accordingly. Within an organization, there’s also a need to understand different functions, applications, and tools — and to think about how applications and systems can be designed to balance performance and security.
Cracking the Code
Addressing the UX-security challenge starts with a basic understanding, Olyaei says.
“Security is ultimately not about the need to run the business versus the need to protect the business,” he says. “If you overprotect or oversecure, you actually can increase your security risks.”
A starting point, Olyaei says, is to ensure business groups and security teams have ongoing discussions about what works, what doesn’t work, and what can be changed for the better.
“There must be appropriate checks and balances across business and IT,” he says.
One way to address the task is to establish a cross-functional usability team that operates independently of other business and security units.
“They’re responsible for making sure that anything that touches users is built around the required level of customer experience — with the best possible security,” Olyaei says.
Accountability across the organization, clearly defined by the board and C-suite, is also critical.
“When accountability is set by the board and baked into roles and job descriptions, compliance and awareness increase and security improves,” Olyaei notes.
There are also ways to push UX-security controls into an organization more consistently. For instance, an organization can develop self-service tools and wizards — typically delivered through an enterprise portal — that lead designers, developers, and others through processes without their ever having to interact directly with the security team.
It’s also wise to embed controls into design and development processes. This might mean embracing a “shift-left” approach that incorporates security protections into the software and systems people use from the outset. This method helps ensure protections are built directly into the user experience (UX) and customer experience (CX) rather than added afterward. The approach can also save money.
Putting the Pieces Together
User research, analysis, and testing are also critical components, Wagner notes. It’s important to understand design and security best practices, but also to study the way employees, customers, and business partners use apps, websites, and various tools, he says.
“You never really know how things are going to go until users start interacting with your software in the real world,” he adds.
In the end, Wagner believes it’s critical to treat UX as the first and most important line of defense.
“There are many more ways to get the interface wrong than there are to get it right,” he concludes. “You almost certainly won’t get it right without applying established user experience research and design processes to understand what the user needs to accomplish and validating that they are able to do it.”