
4/30/2020
02:30 PM
Ericka Chickowski

User-Friendly Cybersecurity: Is a Better UX the Key to a Better Defense?

Frictionless security, improved interfaces, and more usable design may improve the efficacy of security tools and features (and make life easier for users and infosec pros alike). So why has there been so much resistance?

For so many digital initiatives today, user experience drives design above nearly all else. Whether it's for customer-facing applications or internal tools, enterprises and software vendors are working full tilt to improve usability in order to delight their customers and improve usage rates of their technology.

But a lot of that effort evaporates in the realm of security.  

According to security pundits, too many security vendors think of user experience as a nice-to-have afterthought, if they even address usability concerns at all.

"Many vendors do not take usability seriously enough," says Lorrie Cranor, director of Carnegie Mellon CyLab Security and Privacy Institute. "Their expertise is on the back-end security components, and they either ignore the user experience or address it only after the product is mostly developed."

On the flip side, security features shoehorned into nearly designed nonsecurity products or tacked on after the fact are usually so driven to lock down a gaping security hole that their designers forget to account for the natural human tendencies of their users.

But also important: If a security feature introduces any kind of friction into users' workflows, they'll find a way to turn it off or find a workaround. And even if the feature doesn't flummox them but the feature is off by default and takes effort to turn on, odds are most users won't bother with it. This isn't a disparagement of users — just a fact of human nature in a busy work environment. 

"When secure systems are not usable, there is a huge risk that users may try to avoid using them or disable security features," Cranor says. "There is also a risk that users may use security features incorrectly and make errors that compromise security."

Experts believe that as organizations and security vendors try to help their colleagues mature their cybersecurity practices, they have to get more serious about usability. They argue that it is not a nice, optional feature, but is actually the key to improving security posture.

"Usability is integral to operationalizing cybersecurity for businesses," says Sierra Ashley, vice president of product and user experience at DigiCert. "Security solutions are effective when they minimize user effort to achieve maximum results."

The trick for security decision-makers is to understand that usability is a complex topic when it comes to security because so many different kinds of users and scenarios have to be accounted for. Security leaders and vendors must keep an eye out for all of them if they are to improve the security user experience across the board. 

Making Security Frictionless for Average End Users
As organizations push to improve security through better usability, they first need to tackle how protective security technology and features impact the work environment of their end users.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. 
Comments
gsidman,
User Rank: Apprentice
5/1/2020 | 12:41:12 PM
The best security is invisible to end users
Security engineers seldom make good application developers and application developers are, at best, dilettante security experts. And, getting security almost right in the application layer is perhaps more dangerous than no security. These are two different silos that must be brought under one discipline if truly transparent security is to be achieved.

The other problem is that the security world is entirely one of fighting defense and nobody ever won a war by fighting defense. Going proactive to build threat-immune security solutions requires a different innovative mind-set, and we know it can be done simply by using a more rigorous problem-solving approach. However, the other fly in the ointment is that the security industry makes its money today by working the problem, not solving it.

Moreover, as long as security is being dealt with almost exclusively in the protocol layers the problem will only grow. It can only be improved by integrating application layer innovations, multi-layer encryption and authenticated port controls and more, together with the basic flawed protocols - getting the level of control required - to provide transparent and highly durable security to end user processes.

George Sidman  - CEO, TrustWrx
