People are just trying to get tasks done. Like a river finding its way to the sea, people will find the easiest way. For example, landscape planners sometimes wait to see where people want to go, revealed by dirt tracks, before paving the paths.
So, when you’re designing your product or your process, it’s important to start with the end in mind: getting the task done, in the way that people naturally want to do it. Imposing restrictions can mean that people take a different route to achieve what they want.
In the same way, adding in security too late can result in blocking the trail, so that people end up going around it. Cyber security requires good user-experience (UX) design, and should be considered from the beginning, so that the secure route becomes the natural path to take.
Don’t try to ‘fix the user’, test ‘what if’
People are sometimes called, rather unfairly, the weakest link in the security chain. It is true that people make mistakes, and that people try to find the most efficient way to work. However, people, on the whole, want to do the right thing.
Security should be designed in, so that it works as well as it can, whatever people do. Mistakes should be designed out, wherever possible, and anything that could be a block to people following ‘the good path’ removed.
Of course, there are two types of users to be considered: those with good intent, and those with bad. There are two types within each of those: customers (or others outside the organisation) and insiders.
User-testing is an essential part of development and user-input should be included right from the beginning. But it is important to consider all groups of people likely to use your product; internal and external, expert users and novices, people with good intentions and those with malicious intent.
Don’t just test that the path you expect someone to follow works: watch what people in all these groups really do when faced with the task at hand and your product or process. You should also do some threat-modelling too. Ask what happens if someone does this, instead of that?
Think like water
Water takes the easiest route and flows around obstacles. But with care, it can be directed to create great power.
A wide range of skills will be needed to nudge people in the direction you want them to go. You’ll need people with skills, not only in design and security, (and in ways to defeat security, which is not quite the same), but also in UX and copywriting.
UX, design and security all have obvious roles to play at the macro level, but copywriting also has an important part. Micro-copy is key to the final nudge in the right direction. Use it to explain why someone is being asked to take this extra security step, to clarify an error, or to confirm that they have done something right.
The aim is to make it more difficult to make a mistake, and to enable someone to recover cleanly, if a mistake occurs.
The nudge: examples
Begin with the end in mind. More than that, begin with the person in mind, and remember that some people will have bad intentions.
- Design security in from the start, and consider it for every decision. Examples: don’t allow usernames to match the email addresses or any of the names provided on signup; in a password reset process, don’t display the email address to which the reset password has been sent.
- Ensure that the default settings for any product or application are security-on, or ensure that security settings are a mandatory part of the setup routine.
- People need to trust a website to share their data. Reinforce that trust by ‘nudging’ towards, for example, the creation of stronger passwords, through good design and copywriting. A good example are those password widgets that change colour as the password becomes stronger, though do bear accessibility requirements in mind.
- Ask for minimal data – do you really need to know date of birth? Making forms shorter by asking for less data will increase your conversion rate, as well as reducing the amount of personal data you are storing. You can ask for more once you have built up a relationship, if you really must.
- Develop microcopy using brand voice and non-technical language to encourage and direct someone using your tool or process, especially for security notifications.
- Make logging in easier: single sign-in for most applications, perhaps, with extra authentication required for sensitive applications.
- CAPTCHAs irritate people and they don’t counter bots very well any more. Find another way, such as a slider with a ‘slide to unlock send button’ (again: it must be an accessible option for all).
The product or process being designed should be intuitive to use, as seamless or friction free as possible, written in Plain English… and secure.
It should be designed with the support of people who will use the result as well as security experts and with the intentions of good and bad players in mind.
Usability, like security, doesn’t stop at the initial design. By proactively tracking user journeys, support tickets, and metrics such as failed logins, you should be able to identify and clear obstacles blocking your well-intentioned users, and reinforce the barriers blocking those with bad intentions.
Need some help? Contact us or call the Click and Protect team on 0113 733 6230.