Bridging the Gap Between UX and Security


A newfound focus on privacy and security has emerged in the post-Snowden era, and users are increasingly interested in, or at least have a heightened awareness of, these issues. But on the product side, there often exists a bit of a disconnect between security specialists and UX designers.

“It is a mistake to try to design security without considering the user experience, or to try to design a user experience without considering security, because unless those two are cooperating, one of the two will fail,” said John Brooks, a software and security engineer for Jolla, which builds smartphones that run on the Sailfish operating system.


Some of the negative repercussions of insecure software get more media play when user information is compromised; at such moments, the case for stringent security becomes clear. There’s less talk, however, about average users struggling with software they don’t quite understand how to use.

“If you write security software without taking the user experience into account, you end up harming your security. It is a vulnerability to not consider how the user will use your software,” Brooks said.

So how do we bridge the gap to create products that are both secure and usable? Perhaps a more important question is how UX designers can have more input on the usability of security products, and how security specialists can better understand their software from an average user’s point of view. Here are some tips from both perspectives.

Bring UX Designers In Early

When it comes to security, usability can’t really be tacked on as an afterthought. “Where we’ve failed is thinking that we could solve usability in the security community,” said Justin Troutman, a security and privacy designer who’s deeply passionate about the convergence of applied cryptography and user experience. “When you build a product in that way, you end up with a design that you expect users to learn, but that design may not reflect what is optimal, or reasonable to ask of a user.”

Troutman believes that usability’s effect on security needs to be solved by people whose expertise is usability. “We need to engage with that community to fix these problems. We don’t just need to get their advice and do it ourselves,” he said.

In some circumstances, the resources for bringing in UX consultants and designers aren’t available. In those instances, Brooks points out that caring about user experience is better than ignoring it altogether, though there’s no substitute “for having an actual expert caring significantly, with a significant amount of their time about the experience issues exclusively.”

Bringing in UX early in the game has the added benefit of usability and security experts building a project together, and there may be less tension than when trying to fix core components after the fact.

Be Willing to Discuss Tradeoffs and Solutions

But having UX designers work on the same project as security specialists isn’t enough: There needs to be meaningful discussion so that everyone working on a project can make their voices heard and have their concerns taken into account.

Blaine Cook, CTO and co-founder of Poetica, and former founding engineer at Twitter, uses this approach when working through the interactions that users will have with Poetica’s website. “We all talk about it and discuss tradeoffs, and we help each other understand the different things that are involved in making decisions,” he said, referring to his internal team. UX designers may not necessarily need to understand the nuances of the security protocols taking place under the hood, but explaining to them what happens to the user at each point in a sign-in process, for example, is enormously helpful. Likewise, it’s important for designers to help developers understand areas that could trip up users who aren’t technical experts.

It’s also important to not leave out users who may struggle with a process. “It doesn’t matter if it works for someone who can understand the arcane crazy encryption stuff—if it doesn’t work for the average user, then it doesn’t work,” Cook said.

Being Open-Minded in Discussions Is Crucial

“Engineers and security people are oftentimes a lot more absolutist or binary or black-and-white about things than other technologists,” said UX/UI designer and engineer Brennan Novak, “but it’s harder to fit usability into a binary paradigm.”

Conversely, focusing too much on usability sometimes doesn’t take security into account. What is easiest and most convenient for users, or what users may not otherwise notice, could be a far cry from an adequate level of security. UX designers need to “take security issues seriously and accept the challenge of bringing complex topics and inherently clunky systems to users in a way they can understand,” John Brooks added.

Communicate With Users Honestly

Security specialists have a tendency to create warning language that users don’t exactly understand; Novak points out that messaging is an important aspect of UX that’s sometimes overlooked by developers. “You want to communicate in a way that users can understand,” he explained. Some security warnings describe potentially unsafe activity in a way that doesn’t mean much to users and leaves them unsure how to respond, and sometimes the warnings are inaccurate (such as Web browsers that scare users away from visiting sites that roll their own security certificates).

UX designers can work with developers on creating a message that’s honest, makes sense, and is easy to understand and work with. Sometimes a confusing interface can be solved with nothing more than a tutorial for new users, an FAQ page, or a series of help videos.

Follow these tips and you’ll be well on your way to products that not only have robust security, but are easier to use, to boot. And that’s a goal everyone can get behind.