Security versus usability: An unnecessary battle
It’s a common misconception that security and usability can’t live peacefully side by side: that if you improve one, you inevitably weaken the other.
Not on our watch.
The employee benefits industry is entrusted with a great deal of personal data, and we have a responsibility to safeguard it.
The old approach
In the past you may have been asked to choose between a secure system and a user-friendly one. Technology has long since moved on from the point where that was acceptable. That’s not to say that security shouldn’t be paramount, because it should. But a highly secure system that is impossible to use isn’t worth anyone’s time, and your employees will vote with their absence.
Effectively it’s a balancing act. Sometimes the two sides may be equal, other times one will take priority over the other.
How do you strike the balance?
Keep the user in mind. Lose sight of the people at the end of your software and it won’t be worth the code it’s written in. So take time to consider what the most appropriate approach is for them.
Think of user experience as a seesaw. In this instance on one side is security and on the other is usability. The thing that keeps it all together is the user. They are the pivot in the middle, and it’s up to you to keep it balanced.
Our User Experience Lead, Robert Shafik, believes that it’s all about providing a seamless user experience. "Balancing security and usability is all about trade-offs. There are no blanket rules, but compromises that aim to safeguard the security of both system and users whilst providing an easy and intuitive experience."
Take the login process as an example. Too many questions can be overwhelming and put an unnecessary strain on the support side of your business, even if you think you’ve got world class security in place. On the flipside, what you don’t want to end up with is a system that is aesthetically pleasing and extremely user-friendly but lacks the security it requires.
Getting it right
Here are my tips for designing user interfaces with security implications.
- Attention – The task must capture the user’s attention, but not demand too much of their time, otherwise it will be deemed disruptive and worked around.
- Vigilance – Anything that diverts your user’s attention from the task at hand is an opening for someone with malicious intent, who can use the distraction to slip a request past them. Make sure you log these incidents so you can spot patterns and prevent future occurrences.
- Motivation – Keep in mind that employees have different motivations for carrying out security procedures.
- Memorability – Authentication systems often require you to memorise facts that are difficult for someone else to guess, or to attack by brute force. But the more you have to memorise, the less likely you are to recall it. Don’t overcomplicate your process.
- Knowledge – Educate your employees about internet security and your systems so that they can make informed decisions.
- Effectiveness – A system is only useful if it can be used for its intended purpose. Keep your user in mind at all times.
- Satisfaction – Your system may be usable, but that doesn’t mean your employees want to use it. Take time to assess whether it is ticking all the necessary boxes.
- Accuracy – Test, test and test again. Anything less than 100% accuracy just isn’t good enough.
- Efficiency – Ensure that the goal can be achieved in an acceptable timeframe.
- Planning – Account for the assumptions employees will make. They will learn, or attempt to learn, how the system works, and will form their own model of it.
There’s been a lot of talk of gamification over the past few years. But don’t be fooled into thinking it’s just a hollow buzzword. Gamification can be used to help capture the data you need to authenticate the user and provide the best possible experience. It’s also a great way to generate and maintain engagement.
Imagine this: an employee is asked to provide a mobile number when they first log into your system. They enter their details and, as a result, their profile updates to 80% complete. The next time they go to log in, they’ve forgotten their login details. Because you previously captured their contact details, you can now offer to send them an SMS passcode to log into their account.
The result is happier employees and even happier auditors. It’s a win-win situation for everyone.
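As an added example (not code from the original post), here is how that flow could be built: a profile-completeness score driven by an assumed field list, and an SMS passcode service that stores only a salted hash of each code, expires it, burns it after a handful of wrong guesses, accepts it once only, and throttles resend requests. The field names, the five-minute lifetime, the five-attempt limit, the one-minute resend cooldown and the sample employee profile are all assumptions chosen for illustration.

```python
"""Progressive profiling with an SMS passcode fallback (added example, not the
original post's code; field list, limits and sample data are assumptions)."""
import hashlib
import hmac
import secrets
import time

# Assumed profile fields used to compute the "percent complete" figure.
PROFILE_FIELDS = ("name", "email", "date_of_birth", "mobile", "emergency_contact")

CODE_LENGTH = 6
CODE_TTL_SECONDS = 300        # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5              # assumption: five wrong guesses burn the code
RESEND_COOLDOWN_SECONDS = 60  # assumption: at most one SMS per user per minute


def profile_completeness(profile):
    """Percentage of PROFILE_FIELDS that hold a non-empty value."""
    filled = sum(1 for field in PROFILE_FIELDS if profile.get(field))
    return 100 * filled // len(PROFILE_FIELDS)


def _hash_code(salt, code):
    # Only a salted hash is stored, so a leaked pending-code table is useless.
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


class SmsPasscodeService:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(mobile_number, message_text)
        self._clock = clock         # injectable for testing
        self._pending = {}          # user_id -> pending code record

    def request_code(self, user_id, profile):
        """Send a fresh code if the user has a mobile number on file."""
        mobile = profile.get("mobile")
        if not mobile:
            return False  # nothing captured yet, so the fallback is unavailable
        now = self._clock()
        existing = self._pending.get(user_id)
        if existing and now - existing["issued_at"] < RESEND_COOLDOWN_SECONDS:
            return False  # throttle resend requests (SMS bombing, cost abuse)
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "hash": _hash_code(salt, code),
            "issued_at": now,
            "expires_at": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(mobile, f"Your login code is {code}")
        return True

    def verify_code(self, user_id, submitted):
        """True only for the current, unexpired, unused code; burns it on success."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]   # too many guesses: force a new code
            return False
        ok = hmac.compare_digest(entry["hash"], _hash_code(entry["salt"], submitted))
        if ok:
            del self._pending[user_id]   # single use
        return ok


def demo():
    """Walk through the scenario with a fake clock and a fake SMS sender."""
    sent = []
    clock = [1_000.0]
    svc = SmsPasscodeService(lambda number, text: sent.append(text),
                             clock=lambda: clock[0])
    # Constructed sample profile: three of five fields filled.
    profile = {"name": "Alex Example", "email": "alex@example.com",
               "date_of_birth": "1980-01-01"}
    results = {"before": profile_completeness(profile),
               "no_mobile": svc.request_code("u1", profile)}
    profile["mobile"] = "+447700900123"   # the number captured at first login
    results["after"] = profile_completeness(profile)
    results["sent"] = svc.request_code("u1", profile)
    code = sent[-1].split()[-1]
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_guess"] = svc.verify_code("u1", wrong)
    results["right_guess"] = svc.verify_code("u1", code)
    results["replay"] = svc.verify_code("u1", code)
    clock[0] += 10_000                    # well past the resend cooldown
    svc.request_code("u1", profile)
    clock[0] += CODE_TTL_SECONDS + 1      # let the new code expire
    results["expired"] = svc.verify_code("u1", sent[-1].split()[-1])
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the friction the employee feels is one six-digit code, while the controls that keep auditors happy (hashed storage, expiry, attempt limit, single use, resend throttling) all live server-side where they cost the user nothing. Treat an SMS code as a recovery fallback rather than a strong second factor: the number was captured by the user themselves, and phone numbers can be hijacked, so keep the lifetime short and the attempt limit low.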
Ease of use
It may seem simplistic, but it’s all about putting the user at the heart of everything you do. In a time when convenience is key, this kind of approach will fast become the norm. Remove unnecessary barriers whilst still adhering to your security protocols.
"If the authentication system is too complicated, restrictive, or hard to use, you won't be able to—or won't bother to—use it." Bruce Schneier, The Guardian
Time for innovation?
Security measures have been in place for as long as any of us can remember. They are there for good reason, but in some instances are we just following the procedures because that’s the way it’s always been done?
In a Forbes interview Tsion Gonen, Chief Strategy and Marketing Officer at SafeNet, said that "Too often the security profession gets a bad name because it emphasizes protection over enablement."
Security can be improved through a revised usability approach, and vice versa. By taking the time to improve the usability of your system, the opportunity to revisit particular security controls will present itself. Use this opportunity to your advantage. Who knows, it may be time to remove those unnecessary barriers.
What’s your opinion? Leave a comment below and join the conversation.