Friday, August 23, 2013

The Art of Balancing User Experience and Security

How much thought do users really give to keying in their username and password when making an online transaction or accessing online banking? Not much, I'm afraid. They trust the website and believe that the application they are using is doing the right thing. But the World Wide Web faces a growing number of security breaches and phishing attacks, which could put massive amounts of sensitive information in the wrong hands. Attackers use sophisticated tools to gain unauthorized entry into computer systems all over the globe, and defenders are finding it difficult to keep up with them.

The Problem With Traditional Online Security Systems

Imagine a scenario where you need no password at all to log in and check your email, and another where you must re-enter your password and solve a CAPTCHA every few minutes. Without doubt, the first is very pleasant from a user experience point of view but offers no security. The second is far harder to abuse, but is so irritating from a user experience perspective that nobody would want to use it. This is where organizations need to learn how to balance user experience and security.

The link between user experience and security has been closely studied academically under the name HCISec (also written HCI-SEC, for Human-Computer Interaction and Security). Security professionals should be fully aware that while system security takes precedence, they cannot overlook user experience. They must ensure that only authorized users can access the system, and also give users good reason to believe that their information is safe online, so that they can keep using the system with confidence.

Cyber Threats To An Organization

One of the online frauds users are most wary of is identity theft. It does not just damage reputations; it can result in major financial losses for organizations. At any given point in time, over 2 billion people are on the Internet, logging in to access stored information, and spammers and attackers have a field day trying to get at users' personal data. For instance, most websites that handle logins use SSL/TLS, which you can recognise by a URL beginning with https:// rather than http://. But this layer is only as strong as its use. TLS is designed to defeat a man-in-the-middle, yet an attacker who downgrades the connection to plain HTTP before the browser ever reaches the https:// page (SSL stripping), or who presents a forged certificate that the user clicks past a browser warning to accept, can still intercept the credentials in transit, and stolen credentials are a classic route to identity theft.

What Can Organizations Do?

In the online world, it is not always easy to prove that you are who you claim to be. Organizations therefore need identity and access management to protect sensitive information, and identity authentication services to verify that users are indeed who they say they are. Organizations need to:

  • Make doubly sure that users' data is secure by adding further protective layers (such as encryption of data in transit and at rest). When companies deploy identity authentication services, they must keep in mind that the extra checks should not inconvenience users. Safety and security are of the greatest importance, but that does not mean users should be subjected to a negative online experience.
  • Work together with their security professionals to create identity verification and authorization services that integrate seamlessly and make user transactions easier, not harder.
  • Consider engaging a company that provides such services to help protect their customers' online identity and information while keeping the experience effortless.
  • Create a system that has layers of security and also provides a pleasant user experience.
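One concrete way to get the layered-but-not-irritating system the list above asks for is risk-based step-up authentication. The following is an added illustration, not code from the original post or from any vendor: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, a one-time code (RFC 6238 TOTP) is demanded only when the user arrives from a device the service has not seen them on before, and a keyed HMAC token remembers that device afterwards so the second prompt is not repeated on every login. The `AuthService` class, the `device_id` strings and the demo account are assumptions constructed for the example; the PBKDF2 iteration count is lowered from the 600,000 that OWASP recommends for SHA-256 so the demo runs quickly.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time

# OWASP recommends 600,000 iterations for PBKDF2-HMAC-SHA256; lowered here
# only so this example runs quickly.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


# Dummy credentials so a lookup of an unknown username costs the same as a real
# one; otherwise response time would reveal which usernames exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("not-a-real-password")


class AuthService:
    """Password plus risk-based step-up (assumed design for this example): the
    second factor is only demanded on devices the user has not logged in from."""

    def __init__(self, server_key: bytes):
        self.server_key = server_key
        self.users: dict[str, dict] = {}
        self.trusted: set[tuple[str, str]] = set()  # (username, device token)

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "totp_secret": totp_secret}

    def device_token(self, username: str, device_id: str) -> str:
        # Keyed with a server secret so a client cannot forge a "trusted device" marker.
        msg = f"{username}:{device_id}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def login(self, username: str, password: str, device_id: str,
              otp: str | None = None, now: int | None = None) -> str:
        """Return 'denied', 'needs_otp' (password OK, second factor required) or 'ok'."""
        user = self.users.get(username)
        if user is None:
            verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)  # burn equal time
            return "denied"
        if not verify_password(password, user["salt"], user["digest"]):
            return "denied"
        token = self.device_token(username, device_id)
        if (username, token) in self.trusted:
            return "ok"  # known device: no extra prompt for the user
        if otp is None:
            return "needs_otp"
        now = int(time.time()) if now is None else now
        # Accept the current and the previous 30 s window to tolerate clock drift.
        for window in (now, now - 30):
            if hmac.compare_digest(otp, totp(user["totp_secret"], window)):
                self.trusted.add((username, token))
                return "ok"
        return "denied"


def demo() -> list[str]:
    """Constructed walk-through; returns the outcome of each login attempt in order."""
    svc = AuthService(server_key=os.urandom(32))
    secret = b"12345678901234567890"  # the RFC 6238 test-vector secret
    pw = "correct horse battery staple"
    svc.register("alice", pw, secret)
    t = 59  # RFC 6238 test time; the 6-digit code at this instant is 287082
    return [
        svc.login("alice", "wrong", "laptop-1", now=t),                  # denied
        svc.login("alice", pw, "laptop-1", now=t),                       # needs_otp
        svc.login("alice", pw, "laptop-1", otp="000000", now=t),         # denied
        svc.login("alice", pw, "laptop-1", otp=totp(secret, t), now=t),  # ok, device trusted
        svc.login("alice", pw, "laptop-1", now=t),                       # ok, no prompt
        svc.login("alice", pw, "phone-7", now=t),                        # needs_otp again
        svc.login("mallory", "anything", "laptop-1", now=t),             # denied
    ]


if __name__ == "__main__":
    print(demo())
```

The user pays the cost of the second factor once per device rather than on every visit, which is the balance the list above is after; the security cost is that whoever holds a trusted-device token skips the step-up, so in a real deployment the token would live in a Secure, HttpOnly cookie and expire.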

The main goal of security professionals should be to maximize positive user experience while minimizing security breaches: a system that deters attackers and is still easy to use. As an organization committed to keeping user information from being misused, give serious thought to both user experience and security, because if you neglect either you will end up with a system that has security flaws, or one with unhappy and very few users.

Can User Experience And Security Live In Harmony?

Yes, they can. For most systems, following user experience principles and guidelines can actually improve their security.

In his article Security vs. Design: Standing at Odds?, Mike Maas gives a good example: imagine your mother asks you to recommend a web browser, and there are two to choose from. The first conceals its settings beneath an unclear toolbar, uses outdated controls, is full of technical jargon and offers no help for advanced options. The second is the exact opposite: its toolbar items are clearly labelled, it has simple selection controls, plain language and contextual help. Assuming both browsers are equally secure, which would you recommend? The second, of course. The reason is simple: if either browser detects a security problem, imagine how much more confusing it would be to work out what is happening (in the panicky state that accompanies any security incident) in a browser that is hard to use even under normal circumstances.

User experience and security are both essential for any system. In fact, it has recently been found that 2 out of 3 users abandon a purchase on their mobile device because of bad user experience and security concerns.

At the extreme end of the user experience versus security debate, some go as far as saying that user experience overrides security. According to Vikki Noreilla, the author of the article making that case, the primary concerns of user experience designers and security professionals lie in these questions:

  • For user experience designers the question is: how do you design the security experience to fit the needs of the digital identity? Behind the identity there is a person with the same basic needs as stated in Maslow's hierarchy of needs, security among the most critical.
  • For security professionals the question is: how do you enable your customers' business in an environment where speed and comfort override the traditional understanding of security, an environment where user experience overrides security?

The art of striking the right balance between user experience and security is still evolving. On a more positive note, users are getting savvier with each passing day, and most do not mind an extra step before they can access their personal information, provided it demonstrably buys additional security.
