Unusable systems break cyber security
There is nothing new about the need to design systems and processes that people find easy to use. A whole industry has grown up around the business of making sure that commercial websites and apps are intuitive to use and deliver the behaviour, such as spending lots of money, that the owners of those websites and apps want to see.
Usable systems generally require three things:
- The system has to be useful, or at least perceived as useful, by the end user.
- The system has to be easy to use by the end user.
- And the system has to be persuasive, so that the user takes the actions that the owner desires.
Is cyber security any different?
The three requirements of utility, usability and persuasiveness are seen in cyber security systems. However, there are some differences compared with the consumer-facing world. Making sure a cyber security system succeeds is in some ways more important than making a commercial system succeed.
One issue is that the cyber security system has to work for everyone: if just one person fails to use the system properly, the whole organisation may be put at risk.
In addition cyber security systems are like stable doors – they need to be shut when you want them to be shut. There is no use locking them after a breach has happened. If an online shop doesn’t work for some reason then the user can go back and try again, but with a cyber security system, if it doesn’t work first time then the damage may be done.
These are tough requirements, and the nature of cyber security makes them hard to meet:
- Users don't have much motivation to comply with security requirements. Keeping secure simply isn't their main purpose when they are at work. In fact security processes are often thought of as part of a technical infrastructure that has no real meaning or relevance to the end users.
- Security systems can easily “get in the way” of completing tasks and so can be thought of as a nuisance rather than a benefit. If you are incentivised on the number of sales calls you make, why bother with irrelevant irritations such as data privacy laws?
- Security systems are often based on seemingly arbitrary rules set by other people, such as those found in security policies, rather than on the desires of the end user.
- Users may find complying with the requirements of security systems socially difficult, because doing so may force them to display distrust or a lack of empathy towards colleagues and other people they feel they should help (refusing to hold a door open for someone without a badge, for instance).
These are all challenging issues, and any security system you design needs to ask the very minimum of effort from the user if it is to overcome them.
Unfortunately many cyber security systems demand a degree of technical knowledge. For instance they may use jargon: “Do you want to encrypt this document?” will have an obvious meaning to anyone working in IT but may mean nothing to some users.
Furthermore some security requirements may of necessity impose a degree of cognitive load: the requirement to remember a strong password (perhaps 12 random characters) is an example. Again this will cause difficulty to users, who will look for ways of working around the problem (such as writing system log-in details on a whiteboard), and the workaround is usually weaker than the control it bypasses, leaving the organisation less secure than a more modest requirement that users actually follow.
Users are not naturally motivated towards cyber security systems. And they may find them hard to use. So how can success – universal and efficient use of systems – be achieved?
Start with the end user. Use a combination of interviews (including the standard “think aloud” protocol used by many UX practitioners), observation and expert evaluation to identify where the obstacles to successful use of the system lie. Obviously the usual rules of good usability will apply: consistency, reduced cognitive load, feedback, and help when mistakes are made.
Learnability is also important. Accept that some form of help may be needed by the user and ensure that this is available, ideally within the system. Help files shouldn’t just tell people how to achieve something but also why it is important.
But for cyber security systems there is also a lot of work to be done around persuasion. This will involve educating the end user about the importance of the system – how it protects their organisation, and how it protects them as individuals.
It will also involve ensuring that the system is credible – that end users realise that the system does what it is supposed to do and isn’t just a tick-box exercise or something dreamed up by the geeks in IT to make everyone’s lives that little bit harder.
And it will involve demonstrating to the end user that their colleagues are using the system, so that not using it puts them out of line with the majority.
“Usability is not enough” is a common theme in retail website design. It is even more important in the design of cyber security systems.