Much of security is about implementing controls. These are things like a lock on a door or a perimeter fence. In our cyber world, controls include things like passwords and capthcha and ACLs and routing tables. Controls impede or prevent actions. Controls are meant to make things harder — ideally impossible — for bad actors, but not impossible for good actors. Controls introduce friction.
Friction, in the UX world, is generally something to be avoided. We are taught to make things easier, more effortless, and smoother for users. Friction is what happens when users are impeded in the tasks they are trying to perform. Sure, UXers occasionally use friction judiciously, like when you want a user to slow down and absorb something. (The story behind the sans forgetica typeface is fascinating!) But for the most part, UXers spend most of their time getting rid of friction.
Here is my take on the origin story of the putative tension between Security and UX. Security is the stern and paternalistic Department of No, and UX is the wide-eyed, tell-me-about-your feelings, slightly pinko power-to-the-users radical. Ok, those are awful stereotypes, but bear with me.
Security demands that we implement controls that are impossible (!) for bad actors to circumvent, but historically security hasn’t cared much about how hard this makes the lives of the good actors. UX demands that operations be friction free but doesn’t distinguish between good and bad actors. [Note: I’ve worked in theatre so I know a thing or two about good and bad actors.]
I posit that that tension is a false dichotomy. But I have a solution.
Let’s start with the notion of imposing controls to keep bad actors out. Bullshit. Controls must allow good actors in. That’s it.
But wait, I hear you say, isn’t that the same thing? Nope. They are very different approaches to the same problem. If we focus solely on keeping bad actors out, we end up with a friction-riddled world where controls are impediments for good and bad alike. If you attempt to sprinkle magical friction-reduction dust onto any system after the fact, you are doomed to failure. Usability is not something you bolt on after the fact, just the same as security isn’t.
If we flip to allowing good actors in and focus on supporting and facilitating — dare I say lubricating? — the journeys of the good actors, we end up with smooth sailin’ for the good actors.
If we can assume that well-lubricated journeys for the good actors do not come at the expense of lax controls against the bad actors, then what we’ve done is we’ve put security and usability on the same footing.
I realize that saying that security and usability should be on the same footing is likely to raise eyebrows (or even cudgels) but ultimately they are very much aligned. Ideally, both ultimately serve users.
Earlier I said that neither security nor usability are things that you can bolt on after the fact. Security and usability (and privacy too, for that matter) have to be considered from the very earliest moments of inception. Whereas one has tended to be secondary to the other, we are now in a world where they are equal partners in keeping users safe, effective, efficient, and satisfied.
This change in emphasis does something that, as far as I can tell, few in the industry is doing: making usability and security (and privacy) equal partners in protecting users and business success, rather than continuing to blindly assume that the two are irreconcilably at odds.
So why doesn’t everyone do it this way? One reason is that it’s a lot easier to quantify risk in monetary terms than it is to quantify usability.
An organization can crunch numbers to show that they can save money by imposing security controls, but they tend not to do the same with usability. A CISO can make a financial argument to spend money tracking assets and maintaining infrastructure and controls so that when that ransomware crew comes a’calling, the organization doesn’t get thoroughly owned and potentially lose millions. How many UX arguments have you heard along those lines?
The reason we seldom hear about spending money on UX to save money in the long term is because the cost of poor usability is hidden from the organization. The cost is mostly borne by users themselves. UX failures don’t make the news the way security failures do, or when they do (like the Hawaiian missile debacle) they are not understood for what they are. In short, organizations can get away with turning a blind eye to usability.
I’d like to continue this discussion and delve into the idea that frictionless usability and security controls serve competing interests. I need to do a bit more research to be able to formulate that argument in a clear way. Stay tuned.
