Creating usable security technologies is essential for fostering an environment where users can easily adopt and maintain appropriate cybersecurity behaviors. Usable security focuses on making security measures intuitive, accessible, and aligned with users’ everyday activities, thereby reducing the cognitive and physical burden associated with securing information and devices. Below, I discuss key strategies for making security technologies usable, drawing on insights from the article “Users are not stupid: Six cyber security pitfalls overturned” by Haney (2023).
Six Problems to Avoid for Usable Security
- Assuming Users Are Incompetent:
  - Explanation: A common pitfall is designing security technologies under the assumption that users are not capable of understanding complex security practices. This mindset leads to overly simplistic solutions that may not meet the actual security needs of users.
  - Solution: Recognize that users can learn and adapt to security practices if given the right tools and guidance. Design security measures that empower users by providing clear instructions, feedback, and support, rather than dumbing down the technology.
- Overcomplicating Security Processes:
  - Explanation: Security technologies that are too complex can overwhelm users, leading to non-compliance or improper use. This complexity often results from trying to cover every possible threat scenario without considering the user’s perspective.
  - Solution: Simplify security processes by focusing on the most critical threats and designing user interfaces that guide users through necessary steps without overwhelming them. Use automation where possible to reduce the burden on users.
- Ignoring User Workflows:
  - Explanation: Security technologies that do not integrate well with users’ existing workflows can disrupt productivity and lead to resistance. For instance, if a security measure requires frequent interruptions or changes to how users typically work, they may find ways to bypass it.
  - Solution: Design security measures that fit seamlessly into users’ workflows. This can involve integrating security features into commonly used applications or minimizing the number of steps required to perform secure actions.
- Neglecting Accessibility:
  - Explanation: Security technologies that are not accessible to all users, including those with disabilities or those using different devices, create barriers to effective security behavior. This neglect can exclude a significant portion of the user base from engaging with security practices.
  - Solution: Ensure that security technologies are designed with accessibility in mind. This includes providing alternative input methods, ensuring compatibility with assistive technologies, and offering multiple ways to interact with security features.
- Failing to Provide Feedback:
  - Explanation: Users need feedback to understand whether they are engaging with security measures correctly. A lack of feedback can leave users uncertain about their security status or unaware of potential issues.
  - Solution: Implement clear, real-time feedback mechanisms that inform users of their security status and provide guidance on how to resolve any issues. For example, a password strength meter that shows the effectiveness of a password as it is being created can guide users toward better security practices.
- Overemphasizing Technical Language:
  - Explanation: Security technologies that rely heavily on technical jargon can alienate users who are not familiar with such language. This can create confusion and reduce the likelihood of proper usage.
  - Solution: Use plain language and avoid technical jargon when designing user interfaces and instructions. Security information should be communicated in a way that is understandable to all users, regardless of their technical expertise.
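The password strength meter mentioned under "Failing to Provide Feedback" is a good place to combine that point with the plain-language one: the meter should tell the user what to change, in everyday words, while they type. The helper below is an added example written for this page, not code from Haney's article; its small blocklist and scoring thresholds are constructed for illustration.

```javascript
// Added example, not code from Haney's article: a password feedback helper that
// returns plain-language, actionable guidance rather than a bare "weak/strong".
// The blocklist is constructed for illustration; real deployments use large
// breached-password lists.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "welcome1", "iloveyou",
]);
const LABELS = ["Very weak", "Weak", "Fair", "Good", "Strong"];

// Returns { score, label, feedback }: score is 0..4 and feedback is a list of
// sentences a non-technical user can act on while typing.
function assessPassword(password) {
  const feedback = [];
  // A commonly guessed password is unsafe whatever its length or mix.
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    return {
      score: 0,
      label: LABELS[0],
      feedback: ["This is one of the most commonly guessed passwords. Pick something only you would think of."],
    };
  }

  let score = 0;
  if (password.length >= 12) {
    score += 2;
  } else if (password.length >= 8) {
    score += 1;
    feedback.push("Longer is stronger: aim for at least 12 characters.");
  } else {
    feedback.push("Too short. Use at least 12 characters; a short phrase works well.");
  }

  // Variety of character types, or enough length that variety matters less.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  if (classes >= 3 || password.length >= 20) {
    score += 1;
  } else {
    feedback.push("Mix in capital letters, numbers or symbols, or use several unrelated words.");
  }

  // Runs such as "aaaa" add length without adding unpredictability.
  if (/(.)\1{2,}/.test(password)) {
    feedback.push("Avoid repeating the same character three or more times in a row.");
  } else if (password.length >= 12) {
    score += 1;
  }
  return { score, label: LABELS[score], feedback };
}
```

Wiring `assessPassword` to an input field's `input` event and rendering `label` plus each `feedback` sentence gives the user specific, jargon-free guidance at the moment they can act on it.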
Practical Examples for Making Security Usable
- Password Management: Offer password managers that automatically generate and store complex passwords, reducing the cognitive load on users and ensuring stronger security practices.
- Two-Factor Authentication (2FA): Implement 2FA systems that use biometric data or one-time codes sent via SMS, making it easy and quick for users to verify their identity without extensive steps.
- Training and Education: Provide security training that is interactive and relevant to users’ roles, ensuring that they understand the importance of security measures and how to implement them effectively.
Book Reference
For further exploration of these concepts, the following book is recommended:
Cranor, L.F., & Garfinkel, S. (Eds.). (2005). Security and Usability: Designing Secure Systems That People Can Use. Sebastopol, CA: O’Reilly Media.
This book offers a comprehensive guide to designing secure systems that prioritize usability, covering case studies, practical design tips, and theoretical frameworks that highlight the importance of user-centered design in security. It provides a deeper understanding of how to avoid common pitfalls and create security technologies that users will adopt and maintain.