4/30/2020
02:30 PM
Ericka Chickowski

User-Friendly Cybersecurity: Is a Better UX the Key to a Better Defense?

Frictionless security, improved interfaces, and more usable design may improve the efficacy of security tools and features (and make life easier for users and infosec pros alike). So why has there been so much resistance?

(continued from page 2)

"Vendors tend to forget that we look for solutions that are supposed to make our team's lives easier, not more difficult," Masserini says. "I don't care what bogeyman you think you're protecting me from. If my team has to work harder after your solution is in place, then your solution offers little to no value."

Security vendors, he says, need to do a better job connecting their solutions to open platforms so that teams like his can share data and build a common dashboard across teams. And they should also be working to continuously improve usability over time.

"Dedicate a release each year to fixing those bugs and requirements that directly go toward making your product easier to use," he says. "Those are the kind of things we look for in our partners."  

Bottom line, the easier it is to use a security product, the more likely it will be used. And that is far more likely to make an impact than a product with the best AI engines and other capabilities that never see the light of day. 

"If you look at the way Web application firewalls used to work, we saw many of them would end up as shelfware because the challenge of getting them safely inserted into the flow of Web traffic and tuned to reduce false positives made it difficult to even get the system operational," says Andy Ellis, CSO at Akamai. "So operator usability is a key component to even getting deployment."

Even the most technical security users like SOC analysts appreciate "usable and elegant" interfaces, says Phil Neray, vice president of IoT and industrial cybersecurity at CyberX, who explains that security vendors need to know how to balance those kinds of views with the flexibility to dive deeper into data through APIs or command-line interfaces. This means security vendors need to specifically target investments for usability from the very beginning.

"Not all vendors understand the value of a professionally designed user interface," Neray says. "Startups often skip this step for expediency or cost reasons, but in our experience having professional usability experts and graphic designers involved from the beginning delivers a significant payoff in terms of happier and more productive users." 

DigiCert's Ashley says her firm realized this as it was redesigning the certificate discovery feature in its platform. Usability was a key requirement from the start of the design and development process — precisely because the feature it was replacing had been panned by users. 

"We had a tool called Cert Inspector, which attempted to do certificate discovery, vulnerability identification, and reporting, but it was never adopted by customers because the UX was terrible," she says. "The new discovery feature was a big improvement because we did extensive research and applied user-centered design. More users means more people scanning their network and identifying vulnerabilities, resulting in a more secure Internet and intranets."

Conclusion: Respect Your Users
No matter who the user is or what the security product or feature is, developers and designers must make user experience a key requirement in creating security functionality. And that starts first at conception.

"Right now, as an industry, the focus isn’t on designing security products from a human-centric perspective," says Nicolas Fischbach, global CTO at Forcepoint. "If you want better results, let people be people and design accordingly." 

This is perhaps the fundamental challenge because, at their root, many of the usability problems that the security industry faces are due to a lack of respect for users. This is ultimately what must change to start making headway.

"When designing systems or services in general, a lot of people think that we have to 'fix the user' in order to achieve an overarching business goal," says Samira Creel, vice president of product and client success for Risk Based Security. "However, in our field especially we need to stop trying to fix the user to achieve security. Usable security does not mean 'getting people to do what we want.' It means designing security that works given, or despite, what people do."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
 

Comments
gsidman
5/1/2020 | 12:41:12 PM
The best security is invisible to end users
Security engineers seldom make good application developers and application developers are, at best, dilettante security experts. And, getting security almost right in the application layer is perhaps more dangerous than no security. These are two different silos that must be brought under one discipline if truly transparent security is to be achieved.

The other problem is that the security world is entirely one of fighting defense and nobody ever won a war by fighting defense. Going proactive to build threat-immune security solutions requires a different innovative mind-set, and we know it can be done simply by using a more rigorous problem-solving approach. However, the other fly in the ointment is that the security industry makes its money today by working the problem, not solving it.

Moreover, as long as security is being dealt with almost exclusively in the protocol layers the problem will only grow. It can only be improved by integrating application layer innovations, multi-layer encryption and authenticated port controls and more, together with the basic flawed protocols - getting the level of control required - to provide transparent and highly durable security to end user processes.

George Sidman  - CEO, TrustWrx

 