02:30 PM
Peter Hesse
Security Starts with the User Experience

Preventing a data breach is safer and more cost-effective than dealing with a breach after it has already happened. That means a focus on security in the design phase.

In a 1912 poem by Joseph Malins, a village debates how best to deal with a dangerous cliff. The town is torn over the decision whether to build a fence around the edge of the cliff or place an ambulance down in the valley. The townspeople decide to fund an ambulance, until a wise man suggests a preventative approach:

Then an old sage remarked, "It's a marvel to me
that people give far more attention
to repairing results than to stopping the cause,
when they'd much better aim at prevention."

There's no question that preventing a data breach is much safer and more cost-effective than dealing with a breach after it has already occurred. Implementing specialized tools and tactics for data breach response is reactive, like funding the ambulance in the valley. Many breaches, both accidental ones based on user error and malicious attacks, could have been avoided had companies thought about security in the product design phase — if there had only been a "fence" built into the user experience.

The most recent example can be seen in the missile alert that was incorrectly sent to Hawaiians in January 2018. An investigation into the incident determined "that insufficient management controls, poor computer software design and human factors contributed" to the alert and a delayed correction message. While it is impossible to say that the situation could have been totally avoided, a design that deterred sending out actual alerts could have made quite a difference. What might have happened if after the employee had clicked to send the alert, he was prompted with a second step to acknowledge the gravity of his actions, or if a supervisor's approval was required? Changing the user experience could have helped prevent this unintended scare.

Another recent breach that could have been avoided or lessened by secure design is the 2017 Republican National Committee data breach, when it was discovered that a database containing personal details of more than 198 million American voters was exposed. The data was left unprotected after a software upgrade, when the analytics company storing files containing the information failed to re-enable password protection.

As with most breaches, there were numerous failures in this situation. This large amount of sensitive information deserved better protection than a simple website password as its defense. The fact that the upgrade required the password protection to be removed is bad; the fact that the upgrade didn't notify IT personnel to re-enable it is worse. Additionally, the ideal design would have separated the names of the voters from their information altogether.

According to the 2017 Beazley Breach Insights report, unintended disclosures were the cause of a shocking 42% of healthcare-related breaches. These breaches typically are caused by employee error, such as misdirected faxes or improperly released discharge papers. As these processes increasingly are done digitally, properly designed user interfaces can help to reduce or eliminate human error. Additionally, they can warn individuals of risky behaviors before they happen. Imagine seeing a warning that said "You are about to export 135 medical records without encryption. Disclosure of this file could result in up to $6.75 million of HIPAA fines. Do you want to continue?"

Opportunities to protect information in advance arise every day, and not only in the situations involving publicized failures. Consider, for example, an application to help accountants prepare their clients' taxes. This app would collect tax information and store tax returns for easy access. The app should make it very easy for the accountant to search for and view relevant information. However, the application should be designed in a way that makes it very difficult to download an Excel sheet documenting all their clients' Social Security numbers and income. Instead of a simple export button, the designer could implement an approval process, or it could just be difficult to aggregate such information. It would also make sense to warn the user before sensitive information is downloaded in bulk — and inform supervisory personnel as well. The goal for the designer is to give an incentive for safe and secure use, and mitigate or prevent system abuse.
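One way to build such a "fence" into an export feature, shown here as an added illustration that is not code from the article: a gate that lets single records through silently, refuses a bulk export of sensitive fields when it is not encrypted (the healthcare warning above), demands a supervisor's approval past a threshold, and notifies supervisors of every bulk request (the tax application above). The thresholds, field names and supervisor list are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed thresholds; tune them to the data classification in use.
SINGLE_RECORD_LIMIT = 1   # more than this counts as a bulk export
APPROVAL_LIMIT = 25       # more than this needs a named supervisor's approval


@dataclass
class ExportRequest:
    requester: str
    record_count: int
    sensitive_fields: List[str]        # e.g. ["ssn", "income"]; empty if none
    encrypted: bool                    # will the exported file be encrypted?
    approved_by: Optional[str] = None  # supervisor who signed off, if any


@dataclass
class Decision:
    allowed: bool
    message: Optional[str]             # warning or refusal text shown to the user
    notify: List[str] = field(default_factory=list)  # supervisors to inform


def gate_export(req: ExportRequest, supervisors: List[str]) -> Decision:
    """Make the unsafe path (bulk, unencrypted, unapproved) hard and the
    safe path (single record, encrypted, approved) easy."""
    bulk = req.record_count > SINGLE_RECORD_LIMIT
    sensitive = bool(req.sensitive_fields)
    if not (bulk and sensitive):
        # Looking up one client, or exporting non-sensitive data: no friction.
        return Decision(allowed=True, message=None)
    fields = ", ".join(req.sensitive_fields)
    notify = list(supervisors)  # every bulk sensitive request is reported
    if not req.encrypted:
        return Decision(False, f"Refusing to export {req.record_count} records "
                               f"containing {fields} without encryption.", notify)
    if req.record_count > APPROVAL_LIMIT:
        # Approval must come from a supervisor other than the requester.
        if req.approved_by not in supervisors or req.approved_by == req.requester:
            return Decision(False, f"Export of {req.record_count} records containing "
                                   f"{fields} requires supervisor approval.", notify)
    # Allowed, but the user must acknowledge what they are about to do.
    return Decision(True, f"You are about to export {req.record_count} records "
                          f"containing {fields}. Do you want to continue?", notify)
```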

Real and hypothetical situations to protect information with better user experience exist across all industries and types of systems. It is easy to show how a design flaw could create a crisis, while prudent design could prevent or minimize the likelihood of one. The best mechanism to prevent these crises is at the design stage. Developers must always consider making it easier for individuals to do the safer activities, and harder for them to do the unsafe ones. Take the advice of the sage and spend the time to build the fence, rather than calling for an ambulance later.


For nearly two decades, Peter Hesse has leveraged his passion for technology and experience in security to develop successful solutions to interesting problems. From an exciting start developing the reference implementation of a standards-based certification authority for the ...

User Rank: Ninja
2/28/2018 | 11:36:01 AM
Security Starts with the User Experience
@Michael: "...companies think that users with legitimate access to sensitive data are the biggest risk..." The problem is that any data might become "sensitive data" when combined with other data; and that other data might not be considered "sensitive" either, and doesn't have to be from the same data source.

@Peter: You raise some good points, including the need to emphasize prevention over remediation. Changing attitudes and practices in application development won't be easy; and there are limitations to the effectiveness of safeguards at the application-user experience level (they really belong closer to the data). Partly that's the inherent problem of anticipating all of the ways user interaction might compromise security - when you think you've thought of everything, someone will surprise you (usually by doing something very clever or unimaginably dumb). Also, the user experience part of it nearly always trumps security concerns; so anything that encumbers or makes that experience less enticing will likely be vetoed. There's another concern that pushes security to the back of the bus: revenue. From a developer's perspective: compromise the user experience or the revenue stream, and you get immediate, and invariably negative, feedback. Compromise security, and it might never get back to you - so how would you set your priorities?
Michael Fimin, Netwrix
User Rank: Author
2/28/2018 | 4:59:50 AM
Insiders are the weakest link in your security
This is so true! No matter how much effort and investment you have put into your security, your business users can derail all your work in a couple of minutes. Most companies think that users with legitimate access to sensitive data are the biggest risk, and the only way to try to fix that is to educate them and raise cyber security awareness. In addition, you should always have visibility into your IT infrastructure to check whether your employees follow the security policies established in your company.