How UX Can Improve Information Security
We have established behavior patterns and mental models for security. We lock our houses, businesses, and cars. We display security cameras in prominent places to dissuade people from stealing. Safety deposit boxes were a trusted way to secure important physical documents—until those documents took digital form.
Today, security increasingly includes managing access to digital assets. But managing something that doesn’t exist in physical form poses some challenges. While physical security is still important in terms of limiting access to devices, servers, and other equipment, there’s the added problem of securing access to data in the digital realm. To further complicate the issue, we often rely on outside organizations to secure and manage our own data on our behalf.
The issue? Many organizations don’t understand that digital security is a human problem. That means we can’t solve it by building bigger and bigger barricades. We have to understand humans: their behaviors, goals, and motivations. Just as you can’t make technology more usable without a user-centered design process, you can’t solve overarching security issues without taking into account the people using the technology.
Digital Security Solutions Require Us to Understand How Humans Behave
Digital security relies on old solutions. Passwords aren’t new. But they’re hard to remember and manage. Because of this, many people use the same password to access multiple accounts. Sure, you can enforce two-factor authentication. But it’s often perceived as a hassle. Imagine if you had to access your car by entering an eight-digit password with at least one symbol and uppercase letter, as well as enter an additional passcode that was sent to your phone. You’d probably be more lax when it came to locking your car.
It’s not that humans don’t care about security. They want both security and convenience. Further, it’s important to point out that your data’s security is often in the hands of outside organizations, which really means your security is in the hands of other—also imperfect, and convenience-driven—humans.
There’s no easy solution. But thinking about digital security as a human—as opposed to only a technology—problem, allows us to address the root of the issue: people. People create the systems that manage and secure—or fail to secure—the data of organizations, other people, and themselves.
Data security starts with education.
What organizations can we learn from when it comes to helping people help themselves? Health organizations combat infectious diseases not only by addressing the source of the disease but also by educating the public and encouraging changes in behavior that prevent the disease from spreading. So think of security patches as vaccines. But how do you convince people they need the vaccine? How do you administer the vaccine to everyone who needs it? How do you encourage people to take actions to prevent the disease from spreading?
Governments and health organizations don’t just assume that everyone has the right information. They create campaigns to educate the larger population—particularly those who may be affected the most. And they communicate that information so that you don’t need a PhD to understand the relevant details about the disease and take the necessary steps to prevent yourself and others from getting sick.
Those in information security roles should consider operating in a similar manner. While it may be second nature to lock your door and close your windows when you leave the house, it’s often less obvious to employees that they should limit access to your server room. If you run an organization that deals with proprietary information and personal data—which, by the way, is nearly every organization—don’t assume everyone shares the same technical knowledge.
If you develop digital products—whether software or hardware—build data security education into your products. Not only should security be built into your products from the ground up, it is also your responsibility to help users take advantage of the security your product offers. Sometimes that will mean guiding users as they set up the product or service, as well as reminding users of potential security concerns or best practices throughout their use of the product.
Supplement education with failsafes built into digital and physical products and processes.
Today’s cars, despite the abysmal usability of most cars’ interactive touchscreens, take into account the messiness of everyday life, including a common safety concern: human error. My car—or rather, the folks who designed my car—understands that drivers are occasionally distracted while driving. By monitoring the lines on the road, my car knows when I am about to go over the line and provides visual and haptic feedback so I can snap back to attention and put the vehicle back on course. Similarly, my car’s design team also knows I can’t be trusted to regularly check important things like my tire pressure. Because of this, they thoughtfully added a tire pressure alert that is activated long before I’m stranded on the side of the road.
These failsafes are built in because driving on the highway, like keeping data secure, is fraught with a myriad of internal and external factors that could impact my safety and the safety of others. Too often, the products, software, and technology services we use today—and the people who make them—unrealistically assume technical savviness. Further, they don’t account for how humans behave. We forget, we are in a hurry, we get lazy. Solutions to data security mean understanding and aligning with human behaviors and anticipating the inevitability of something going wrong.