The ROI on user-centric design
Ultimately, is user-centric design even possible or worth the effort? How can you put an ROI on it?
Ryan Naraine
Dumb users
Dumb design
Justin James
The moderator has delivered a final verdict.
Ryan Naraine: Let’s not beat around the bush. Users are stupid and can’t get out of their own way, even when it concerns their safety.
We’ve spent the better part of the last decade educating users about the risks associated with clicking on attachments in e-mails or clicking on links to “Britney Spears naked” or “Ghaddafi’s final moment” videos. Well, guess what? Users click on everything, even things they know are risky. According to Microsoft’s Security Intelligence Report, 99 percent of all attacks in the first half of 2011 distributed malware through social engineering and unpatched vulnerabilities. User interaction -- click on something and install the malware for the bad guy -- is still the go-to tactic for cyber-criminals.
We can chalk it up to laziness, human nature, stress, tiredness, whatever. Dumb users will continue to be dumb, despite software design choices.
Justin James: Decades of computer use have proven to us that no amount of training and education can ever change the behavior of some users. Unfortunately, computer security all too often depends on “herd immunity” because once a machine or account within the network has been compromised, the rest often fall like dominoes. In today’s world, it is just too easy for a single mistaken click to turn a healthy machine into a trainwreck within hours.
Computers serve people, not the other way around. If the systems we design are not secure with real world users, then they do not serve the users! If certain people will not drive a car safely, despite the obvious dangers, what makes you think they are going to learn to use a computer safely? Instead of trying to make better drivers, we need to be building better brakes.
Ultimately, is user-centric design even possible or worth the effort? How can you put an ROI on it?
iPhone is the model here. The bottom line will determine the value of killing the manual. Before iPhone, cell phones were a mess of keyboards and buttons. With iPhone's design, Apple truly shook up the telecommunications industry. We all know what iPhone did for Apple's bottom line. For all spheres of technology and design, I think this model holds true. If you bake simplicity in the design, it will appeal to us 'dumb' users.
I am for Dumb users
Back in the Windows Mobile era, people accepted bad design as the price you paid for sophisticated functionality. And then iPhone proved everyone wrong. And people said, "well, Apple can do it, no one else can", and Microsoft proved them wrong with WP7. The ROI is amazing... fewer errors, no training, increased productivity. We talk about devices where the risk of failure is high, even deadly... cars, firearms, insulin pumps, etc. We want to give people every chance possible to make those things as safe as possible. If there's an emergency with your insulin pump, do you want to have to go trying to find the manual? No. I'd say that's a good argument for better design. If your car won't start, do you want the explanation on page 423 of the manual, or on the dashboard? Etc. How many of us have had problems with the bank or the law due to someone making a mistake? Don't you want to minimize those? I once had a bench warrant out on me because the court computer let a clerk have me pay a ticket that wasn't assigned to me, that's silly. I could have been arrested because of that bad design choice.
I am for Dumb design
Ryan and Justin will post their closing statements tomorrow and on Thursday I will post my verdict on the winner. Between now and then, remember to cast your vote and post your thoughts in the comments.
Since we had a technical issue at the beginning of the debate, we've extended the time for a few minutes so that we can get through all of our questions.
Is limiting what users can do the best principle for helping them avoid confusion and protecting the systems? How do you choose what to limit?
In theory, implementing policies to limit what employees can and can't do can help. However, it's a big assumption that you can really limit employees, especially for those things that bring the biggest risk: using Facebook at work or use of 'unapproved' client software. I saw a study that documented the biggest risk in an organization was the practice of users circumventing the best-written policies. Facebook and Twitter are a gold mine for cyber-criminals but they've actually become business tools in many organizations. USB sticks introduce risk but how many businesses can really ban them?
I am for Dumb users
iOS and WP7 are excellent examples of how baked-in limitations make life so much easier and more secure. Windows went the wrong direction, they started from "wide open" 15 years ago to trying to steadily lock down the stuff that was no good, and we know the results. The C/C++ programming languages allow wide open access to the dev, and we see the security ramifications. Is it the end user's fault if a trusted source sends them an infected Word document and they open it, and the A/V gave it a pass? NO! But if Word was written in a language other than C/C++ (like Java or C#), then the majority of the security bugs wouldn't be in it. Ditto for Acrobat, Flash, QuickTime, and the other big security risks. The WP7 to Mango shift is a perfect example of how you do it... start with a highly restricted system, then slightly let off the restraints a bit where you see the demand, and in a way that keeps apps from even being able to access the base system.
I am for Dumb design
You've both mentioned some complex business solutions as an exception to the user-centric design principles we're talking about. What percentage of products should require a manual or training versus the percentage of products that should be self-explanatory and never need a manual?
I think we should expect consumer gadgets (cell phones, tablets, airline web sites) to just work without needing a manual. For those, I'd say we can kill the manual. Again, the iPhone TV ads serve as the manual without the headaches of reading fine-print in a PDF file. For mission critical software and tech products (insulin pumps, pacemakers, water meters, etc.), the manual is 100% mandatory. Of course, there should be trade-offs for everything in between.
I am for Dumb users
Ryan mentioned cars. You know why we train people to drive? Because they're lethal, not because they are hard to use! Operating a car is easy to figure out, but like my firearms example, the price of failure is expensive. There are some things which are highly sophisticated... Photoshop, QuickBooks come to mind. Manuals and training for them make sense. High value items, where not using it to the fullest leaves a pile of money on the table is another great example (like the CRM or ERP app that doesn't get used due to lack of training). But for things that are not part of the "core competency" of someone, or things that are not sophisticated, they should be no-manual/training required!
I am for Dumb design
What are the most important tips and training messages to convey to users to help them protect themselves and their systems from security risks?
It's amazing how the use of common sense can solve the most dangerous security problems today. Let's look at how social engineering took down RSA Security. An e-mail from a strange address, with a strange Excel file, was delivered to the SPAM folder. Two users went into that spam folder, opened the file and the company was compromised in a breach with major ramifications. User training to cope with the success of social engineering attacks can help but we've been trying that for a decade with little to show for it. On the desktop, I always recommend that users apply software updates with regularity and that includes third-party software like Adobe Flash, Reader, Java, etc. Patch and stop clicking. It really is that simple.
I am for Dumb users
Until systems get better at filtering out the junk (phishing filters, A/V scans, etc.), users need to learn to verify and validate the source. Of course, we've been pounding this message into their heads for over a decade now, and it is clearly not sticking. Look... again, back to cars, everyone knows that a car is a deadly item, but people still fiddle with radios and phones while driving. If people can't be trusted to operate a car or a firearm with safety in mind 100% of the time, do you *really* think that we can teach them to use a non-deadly item like a PC properly?
I am for Dumb design
What about training? Can it help solve the user problem, or if a product is so complex that it requires a full day of user training, is it ultimately doomed?
Training has not only become a requirement, it's become mandatory for any mission-critical product. You can't put a 17-year-old in a car and expect him to drive without any training? It's no different in the software or technology world. Talk to the most competent IT guy in your office and he'll give you horror stories of 'dumb users' asking dumb questions. To him, the questions are dumb but to the end user staring at this complicated navigation menu, the questions are perfectly legitimate. Training really is mandatory in today's complex world.
I am for Dumb users
Training wipes out the ROI of far too many items. If an application saves 5 minutes a day per employee, is it worth spending a day training them when the average employee is gone in a few years? Not really, especially when you consider that things change pretty often. And too many people come out of training with an inability to diverge from "the rules" when needed. We see this all the time, even in non-tech stuff, people get stuck on "the way things are done" to the detriment of "the way things need to be done in this circumstance". As a result, training is not only expensive, but it often makes the situation worse, not better!
I am for Dumb design
Should all tech products be self-explanatory enough that they do not need a manual? Is that realistic?
That's the expectation. A perfect product is the one that doesn't have a user manual. But that's not realistic. We're turning to technology to solve some very big problems. I have a young cousin who is diabetic. He has an insulin pump taped to his stomach. Do you want to use that product without following the directions *exactly* as specified in the manual? It isn't realistic to kill the manual but it sure is a nice goal to aim for.
I am for Dumb users
One caveat... I am assuming that we are talking about users who are familiar with the use case that the product addresses (ie: I never expect a non-accountant to "get" QuickBooks, or a non-graphics artist to "get" Photoshop). But assuming that this is the case, products should be obvious to use. A manual in this day and age is almost always a crutch for poor design. If the workflow isn't obvious, if default behavior isn't clear without giving it a try, etc., then the design is poor. Almost all of what goes into a manual are things that a proper user interface explains. Some highly sophisticated things (complex machinery, highly dangerous items, for example) need supplementary warnings, information, etc., but those are edge cases. For example, firearms are really simple to use if you've used one before, but the manuals need to be filled with important information because the price for failure is so high.
I am for Dumb design
How much does tech product design still need to become more user-centric rather than focusing on engineering capabilities?
This depends entirely on the type of technology product you're designing. In the consumer world, auto-pilot is all the rage. The less the user has to interface with the product, the better for everyone. Software engineers need to test their products on the dumbest users. Dumb users + dumb design = epic failure. In the business world, where products are becoming more powerful, user-friendliness generally takes a back seat and businesses have to invest in training and manuals to get the job done.
I am for Dumb users
If you look at the size of the mobile market, when Windows Mobile ruled the roost it was tiny. When iPhone was delivered, the mobile market exploded. Why? Because it was user friendliness, not capability, that was holding us back! The iPhone is actually less capable than classic WinMo in terms of what devs can do with it, but that didn't matter to users, they finally had a mobile device that didn't inherit the design flaws of the desktop Windows OS. The questions that the typical IT pro fields from users are proof positive that we have a long, long way to go on user-friendliness.
I am for Dumb design
What are some least user-friendly -- though widely-used -- technology products that you come in contact with? Give me your bottom three.
Microsoft Excel. As you would notice from my previous answers, I'm a big fan of auto-pilot software. Microsoft Excel, as useful and widely deployed as it is, is impossible to run on auto-pilot. The iPhone alarm clock will only ring if the ringer is switched away from vibrate, which is the default state. That has caused me to oversleep many times. That's an example of a device that's brilliantly designed but still causes problems for dumb (tired, overwhelmed, lazy) users. My list of unfriendly technologies would also include airline websites (try booking a flight without getting a migraine). Microsoft Windows as an OS is pretty overwhelming for newbies. Installing Linux to stay secure (a bit of advice I give to people) can be a herculean task.
I am for Dumb users
All three of these have way too much design legacy from the 1970's and 1980's, an era when secretaries were writing macros in Lisp for their word processors. Do we really want to work this way? Sure, these systems are great for the power user who wants an in-depth view of what's happening and fine grained control, but for someone who just wants to "get things done" they are awful. Again, the feature sets are far too sophisticated for most users, and it shows in their frustration, need for training, and typical mistakes.
I am for Dumb design
How about users? Are they more tech-savvy than they were a decade ago?
A wise man once said: when you want to figure out technology and modern advancements, go to the kids. Today's teenagers are definitely more tech-savvy and adventurous. However, they are learning to rely on auto-pilot and tend to lean to software or hardware products that work as advertised, without too much clicking around. A decade ago, people were clicking on everything as default, leading to the era of the Windows e-mail worms. Today, users are more educated but it's still not ideal because social engineering is still successful.
I am for Dumb users
The percentage of people who have a desire to become tech-savvy is the same as always. Yes, more people use tech devices, but that doesn't mean they are digging deeper into them. And when they do, it hardly is by choice! Indeed, most "tech-savvy" people actually are only slightly less clueless than the general population. Kids now get praised for being "tech-savvy" because they can use an iPod or look something up on Google, but that's no more "tech-savvy" than knowing how to use the stereo in your car or a dictionary. In fact, most of the supposedly "tech-savvy" kids I encounter are actually worse than their "dumb parents" because they assume that they know what they are doing and stop learning, while their parents keep trying to learn more.
I am for Dumb design
What do you consider the most user friendly tech products that money can buy? It can be software and/or hardware. Give me your top three.
If you think of the refrigerator, the microwave, car alarms or coffee makers in hotel rooms as tech products (I do!), those should be the model for user-friendly design. You press a button and they work as advertised, beautifully. We venerate Apple's iPhone as the bible for UI brilliance, but as much as I love the simplicity of using an iPhone, there are still many complications that require a manual. That's why those iPhone video ads are so valuable. They serve as the manual for the devices. So, it's not necessarily about the friendly tech products, it's mostly about how the user manual is delivered to the user.
I am for Dumb users
iOS and WP7 both are absolutely amazingly easy to use. They have taken most of the power of a full PC (aside from things like system utilities) and presented it in a way that even a child can understand. That's really incredible when you consider how long it takes to train someone to use a PC. The Wii is equally intuitive, at least for the games that really make use of the motion controller in a natural fashion (bowling, baseball, etc.).
I am for Dumb design
Hang in there, folks. We're smoothing out a technical issue, then we'll let the tigers back at each other.
Alright, let's get this started. What is the state of user friendliness in technology design? How much better (or worse) off are we than we were a decade ago?
There's no doubt we're better off today. Cars are easier to drive. Refrigerators dispense crushed ice at the touch of a button. Software is easier to use. Modern cell phones have (mostly) eliminated keyboards and lots of buttons. I can go on and on about the improvements. However, because users are dumb (read: tired, overwhelmed, stressed, newbies), it is the documentation of software and the drive for complicated features that cause problems with modern technology. In the world of business software, sales teams are demanding sexy features to sell an upgrade. Every new feature brings a new drop-down menu. Every drop-down menu brings its own complications. Dumb users never RTFM.
I am for Dumb users
User friendliness is affected by the size of the feature set, and the sophistication of those features, more than anything else. Usability experts like Jakob Nielsen who track these things objectively over time show that on the whole, we are not much better off now than we were decades ago.
I am for Dumb design
Ryan Naraine
End users have gotten smarter about using technology but human vulnerability will always be the weakest link in the security chain.
The inquisitive nature of human psychology will always push us to click on that strange URL or open that e-mail attachment. Cyber-criminals make a living out of using social engineering to infect our computers and use your resources to make money. Dumb users will remain dumb but we have an opportunity to make software design decisions that can reduce the effectiveness of social engineering.
Our software products must start making decisions for end-users and remove the temptation of the lure. It's already happening. Modern e-mail clients have started to automatically block harmful attachments. Modern web browsers are putting up roadblocks to malicious web sites. Modern operating systems are using things like ASLR and DEP to block vulnerability exploitation without the end-user ever seeing anything.
We need to get to a world where the errant click means very little. We need software developers to bake security into design decisions to save dumb users from themselves.
Justin James
Jason Hiner
This is one of those debates that has been going on for as long as human beings have been building tools that they weren't going to just use for themselves but share with other people. In tech, this debate would have been a lot different even a decade ago, when virtually every tool in the computer industry required a manual and some training (or, at least a trial-and-error period). Today, the user expectations are different and the resources and capabilities of our product builders are a lot better.
Doc has to agree with Justin on this one and take Ryan to task for thinking so poorly of users. The bad guys are getting better and better at luring folks into their schemes, and Doc doubts very much that many people are falling for the old “Britney Spears Naked” bit these days. You know, Ryan, that it’s not that simple anymore, and Doc’s willing to bet you’ve been fooled into opening something you thought was innocent.
Justin has it right – it’s time to put even more effort into security and shore up our information resources. In other areas such as our food supply and our drug supply, we’ve built in systems to protect the manufacturing and distribution chains so that problems are relatively rare. Why should information be any different?
Yes, there will always be bad guys and mischief makers out there trying to game the system. But private enterprise (perhaps with a little more government support) is pretty resourceful and should be able to keep one step ahead of those wishing to bring systems down. Of course, users need to exhibit some basic common sense, but in the end, technology should be as foolproof as possible. Don’t let the manufacturers of our software and hardware off the hook here – they need to step up the effort and provide stable, hard-to-hack products.
Now please, Ryan, can you send Doc that link to the Britney Spears photos?
Posted by Jason Hiner