Pump up the user experience (UX), and have a generally more secure infrastructure. That sounds like a win-win.
The correlation (and causation for that matter) between good UX and good security was made by Peter Hesse, chief security officer of 10 Pearls. (Thanks to Michael Santarcangelo for surfacing Peter's post. Peter also participated in a panel discussion on the topic, which Michael moderated.)
Peter eschews traditional hardening approaches to security, which only make life difficult for everyone. "It is unrealistic, unnecessary, and not generally effective to reduce risk by limiting (or eliminating) access to applications," he points out. "Putting up walls just keeps people from getting their work done, from creating value in the organization. And, it creates discord between value creators and information protectors."
Instead of password barriers and the like, Peter suggests that security be designed into the background of application flows, through non-intrusive tracking and monitoring capabilities. It should also be noted that 85% of the time, users are just seeking basic, non-sensitive information.
He provides three ways to accomplish this, while heightening UX:
Create different user types. "Those that do not need access to the sensitive information can't retrieve it," Peter says.
Channel application flows. "Make it easy to get access to sensitive information only if needed. And make sensitive information harder to access otherwise."
Help users understand the potential consequences of their actions. "Give them steps they must acknowledge to access sensitive information or execute risky operations. We can also record these riskier operations for further review without overloading our systems or administrators."
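The three steps above describe one policy: classify users, let the common non-sensitive request pass without friction, and put an explicit acknowledgement (plus a review record) in front of sensitive operations. The following is an added illustration of that policy in Python; it is not code from Peter Hesse's post or from 10 Pearls, and the role names, information classes, resource paths and users are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed user types and information classes (assumptions for this example,
# not from the post): a role may read any class at or below its clearance.
ROLE_CLEARANCE = {"viewer": 0, "staff": 1, "analyst": 2}
INFO_CLASS = {"public": 0, "internal": 1, "sensitive": 2}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    info_class: str
    acknowledged: bool = False  # True once the user has confirmed the warning step


@dataclass
class AuditLog:
    """Records only sensitive-class operations, so reviewers are not flooded."""
    entries: list = field(default_factory=list)

    def record(self, req: Request, outcome: str) -> None:
        self.entries.append({
            "user": req.user, "role": req.role,
            "resource": req.resource, "outcome": outcome,
        })


class AccessPolicy:
    def __init__(self, audit: AuditLog):
        self.audit = audit

    def evaluate(self, req: Request) -> str:
        level = INFO_CLASS[req.info_class]
        is_sensitive = level >= INFO_CLASS["sensitive"]

        # Step 1, user types: a role without clearance simply cannot retrieve
        # the data. A refused attempt at sensitive data is worth a record.
        if ROLE_CLEARANCE[req.role] < level:
            if is_sensitive:
                self.audit.record(req, "denied")
            return "denied"

        # Steps 2 and 3, channel the flow: non-sensitive reads (the common case)
        # pass silently and are not logged; sensitive reads require an explicit
        # acknowledgement before they proceed, and the completed operation is
        # recorded for later review.
        if not is_sensitive:
            return "allowed"
        if not req.acknowledged:
            return "acknowledge_required"
        self.audit.record(req, "allowed")
        return "allowed"


def run_demo() -> tuple:
    """Walk four constructed requests through the policy.

    Returns (list of outcomes, number of audit entries written).
    """
    audit = AuditLog()
    policy = AccessPolicy(audit)
    requests = [
        Request("ana", "viewer", "/help/faq", "public"),                      # no friction
        Request("ana", "viewer", "/hr/salaries", "sensitive"),                # denied, logged
        Request("bo", "analyst", "/hr/salaries", "sensitive"),                # must acknowledge first
        Request("bo", "analyst", "/hr/salaries", "sensitive", acknowledged=True),  # allowed, logged
    ]
    outcomes = [policy.evaluate(r) for r in requests]
    return outcomes, len(audit.entries)


if __name__ == "__main__":
    print(run_demo())
```

Only two of the four requests reach the audit log: the ordinary public read never touches it, and the analyst's first attempt is paused at the acknowledgement step rather than recorded, which is what keeps the review queue small while still capturing every completed or refused sensitive operation.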
The last point deserves emphasis. Along with building in automatic flows that may be invisible to users, as Peter notes, there is another force at work that could be beneficial. As anyone involved in Agile processes knows, the ultimate user experience may come down to a sense of ownership in the process of designing and developing an application. With that pride of ownership comes a sense of responsibility for what happens with that application.
Close collaboration between designers, developers and users also provides valuable learning that helps build more secure environments. As Peter observes, with the insights gained from user preferences, IT managers "can reduce friction and create the best experience. Knowing how people use applications helps you to understand what information should be protected. It's also valuable when something goes wrong during testing of an application, to know where someone was in the application and what they had clicked on in order to cause an error."