One of the reasons cybersecurity is incredibly difficult is that it touches so many areas of business. While it’s tempting to focus on endpoints and data intersection points, how people use, misuse, and abuse systems also has a profound impact on security.
“Design and usability are the cornerstones of strong security,” says Damilare Fagbemi, founding partner of Resilient Software Security. “The way organizations approach interfaces and user-friendliness has a major impact not only on the image but also on everyone’s safety.”
Of course, user interface (UI) and user experience (UX) impact many areas, including websites, apps, emails, text messages, and even physical documents. They can cross paths with authentication methods, shopping carts, and areas as diverse as marketing and product support. It’s also remarkably easy to forget that user interface and user experience affect employees who use systems and devices.
“Cybersecurity protections need to be integrated seamlessly into design processes,” says Therese Schachner, consultant for VPN Brains. “People need complete and simple instructions for various tasks, including creating passwords and using multi-factor authentication.”
Dark Reading spoke to experts on the intersection of security and design. Although UI and UX may seem like two separate entities – and to some extent they are – they are also inextricably linked. This article explores the visual elements that drive secure design.
The visual elements behind secure design
As organizations seek to strengthen security, one thing that is often overlooked (or even ignored) is secure design. Appearance matters, but a website, app, or message should be more than just a pretty face. Its elements should help people avoid the errors and actions that lead to security breaches and failures. Few people enjoy implementing security controls, but everyone recognizes that they are essential.
A starting point for a journey to a secure user interface and user experience revolves around a fundamental but crucial goal: “to develop security that frustrates attackers, not users,” says design lead Amber Lindholm for Duo Security at Cisco. “The user experience of any security application can make or break the usefulness and security value of this tool. A good user experience is simple and easy to navigate, allowing the user to get things done.”
Unfortunately, many design elements compromise security by creating enough friction to encourage visitors to abandon their tasks. For example, a password entry form that continually forces a user to start over after exact criteria are not met can lead to a weak but acceptable password. If an application login is too cumbersome or requires constant password resets, users will disable controls or bypass them entirely.
Inconsistent colors, designs, workflows and fonts can also wreak havoc on security. They create confusing choices and bury the right path. For example, when every yes and no button on a web page or application appears in the same color, the room for a wrong click grows. The lack of a basic explanation of a security feature and instructions on how to use it can undermine good choices. Moreover, it is essential to limit choices – or at least reduce unnecessary ones – especially when a person is visiting a site for the first time. This includes not forcing users to perform tasks such as accepting push notifications or creating an account.
“Whatever design format you use, it should promote safety and avoid overwhelming people,” says Tyler Klein, executive director of experience at digital design firm Robots & Pencils.
The challenge is amplified when companies do business globally. “Different colors, shapes and patterns have different meanings in different countries or cultures. You have to think carefully about those things,” he says.
Designs on security
All design elements should point to strong yet easy-to-use security controls. A primary goal is to avoid a bypass culture. “The idea is to frustrate the attackers, not the users,” says Lindholm.
A great site, app, or item builds trust, says Klein. It explains things clearly and displays security features intuitively. “You don’t want any doubt in the minds of users that they’re doing the right thing,” he says.
A good example of secure design is a password creation box that provides instant feedback. As a person enters letters, numbers, and symbols, the box displays a green checkmark or a red X next to each requirement. Paired with an option to show the password in plain text, it is even better – the user doesn’t have to guess what makes a good password or worry about what they have typed. The user is not subjected to repeated failures and forced to start over.
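The per-requirement feedback described above, as an added example that is not part of the article and not code from any company it quotes. It assumes a form with the element ids `#new-password`, `#password-feedback` and `#show-password` (hypothetical names), and the rule set and the small blocklist are constructed for illustration; a real deployment would check candidate passwords against a large breached-password list rather than this toy array.

```javascript
// Added example: per-rule feedback for a password field, evaluated on every keystroke.
// Each rule reports true/false so the UI can show a checkmark or an X beside it,
// instead of rejecting the whole form after submission and making the user start over.

// Constructed sample blocklist (illustration only; use a real breached-password list).
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein"]);

// Assumed rule set; ids and labels are hypothetical.
const PASSWORD_RULES = [
  { id: "length", label: "At least 12 characters",        test: (pw) => pw.length >= 12 },
  { id: "lower",  label: "Contains a lowercase letter",   test: (pw) => /[a-z]/.test(pw) },
  { id: "upper",  label: "Contains an uppercase letter",  test: (pw) => /[A-Z]/.test(pw) },
  { id: "digit",  label: "Contains a digit",              test: (pw) => /[0-9]/.test(pw) },
  { id: "symbol", label: "Contains a symbol",             test: (pw) => /[^A-Za-z0-9]/.test(pw) },
  { id: "common", label: "Not a commonly used password",
    test: (pw) => !COMMON_PASSWORDS.has(pw.toLowerCase()) },
];

// Evaluate every rule and report all results; never stop at the first failure,
// because the point is to show the user everything that still needs fixing.
function evaluatePassword(pw) {
  return PASSWORD_RULES.map((rule) => ({ id: rule.id, label: rule.label, ok: rule.test(pw) }));
}

// The form may be submitted only when every rule passes.
function passwordAccepted(pw) {
  return evaluatePassword(pw).every((r) => r.ok);
}

// Render the checklist into a list element: green check or red X next to each label (browser only).
function renderFeedback(results, container) {
  container.textContent = "";
  for (const r of results) {
    const li = document.createElement("li");
    li.textContent = (r.ok ? "\u2713 " : "\u2717 ") + r.label;
    li.style.color = r.ok ? "green" : "red";
    container.appendChild(li);
  }
}

// Flip the field between masked and plain-text display so the user can see what they typed.
// Returns the new input type.
function toggleVisibility(input) {
  input.type = input.type === "password" ? "text" : "password";
  return input.type;
}

// Wire the handlers up when running in a browser; skipped under Node so the functions can be tested.
if (typeof document !== "undefined") {
  const input = document.querySelector("#new-password");
  const list = document.querySelector("#password-feedback");
  const toggle = document.querySelector("#show-password");
  if (input && list) {
    input.addEventListener("input", () => renderFeedback(evaluatePassword(input.value), list));
    renderFeedback(evaluatePassword(""), list); // show the full checklist before the first keystroke
  }
  if (input && toggle) toggle.addEventListener("click", () => toggleVisibility(input));
}
```

The composition rules here mirror the article's checkmark example; current guidance (NIST SP 800-63B) weights length and a breached-password check far more heavily than character-class rules, so the blocklist rule is the one to invest in, and the instant feedback matters just as much for a length-only policy.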
The secure design also extends to emails and SMS. It may include things like displaying a partial account number or other non-sensitive information to help substantiate the validity of the message. A growing number of companies have also started using a security banner that displays important information, such as telling users to refrain from clicking on links in their email or saying that they will never ask for sensitive information over the phone.
The common denominator, says Lindholm, is that a well-designed website, app, or email message brings clarity and attention to the right information at the right time. Critical information is highly visible in virtually every element, including relative size or hierarchy of objects, colors and shapes, screen position, and white space. These elements, she says, “catch the eye or help a user navigate a screen or flow.”
In the flow
Design experts say good security follows a path called progressive disclosure. It aims to provide the appropriate level of security checks at the right time. More complex information or workflows appear only when needed.
For example, Klein says a retailer can personalize an experience and allow someone to put things in a shopping cart with few security checks. However, when the person wants to make a purchase or interact with their account, they must log in.
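The progressive-disclosure pattern above, written out as a step-up authorization check. This is an added example, not the article's or any quoted company's code; the action table, the assurance levels and the "freshness" requirement for the most sensitive actions are assumptions, and the freshness rule goes one step beyond the article by also re-prompting a logged-in user whose authentication is too old.

```javascript
// Added example: step-up authentication policy for a shop.
// Assumed assurance levels: 0 = anonymous visitor, 1 = password login, 2 = multi-factor.
const LEVEL = { ANONYMOUS: 0, PASSWORD: 1, MFA: 2 };

// Constructed action table. Low-risk actions stay frictionless; riskier ones require a
// higher level and, for the most sensitive, a recent authentication (maxAgeSeconds).
const ACTION_POLICY = {
  browse:              { level: LEVEL.ANONYMOUS },
  addToCart:           { level: LEVEL.ANONYMOUS },
  viewOrders:          { level: LEVEL.PASSWORD },
  checkout:            { level: LEVEL.PASSWORD, maxAgeSeconds: 3600 },
  changePaymentMethod: { level: LEVEL.MFA,      maxAgeSeconds: 300 },
};

// Plain-language instruction for each step-up, the "clear clue" the article asks for.
const STEP_UP_INSTRUCTION = {
  [LEVEL.PASSWORD]: "Please sign in to continue.",
  [LEVEL.MFA]:      "Please confirm it's you with your second factor to continue.",
};

// Decide whether `session` may perform `action` right now.
// session = { level, authenticatedAt } with authenticatedAt in seconds since the epoch.
// Returns { allowed: true } or { allowed: false, stepUp, message }.
function authorize(action, session, nowSeconds) {
  const policy = ACTION_POLICY[action];
  if (!policy) {
    // Deny by default: an action missing from the table never silently passes.
    return { allowed: false, stepUp: null, message: "Unknown action." };
  }
  if (session.level < policy.level) {
    return { allowed: false, stepUp: policy.level, message: STEP_UP_INSTRUCTION[policy.level] };
  }
  if (policy.maxAgeSeconds !== undefined &&
      nowSeconds - session.authenticatedAt > policy.maxAgeSeconds) {
    // Level is sufficient but the authentication is stale: ask again at the same level.
    return { allowed: false, stepUp: policy.level,
             message: "For your security, please verify again before continuing." };
  }
  return { allowed: true };
}

// Convenience: a session that has just completed authentication at the given level.
function newSession(level, nowSeconds) {
  return { level, authenticatedAt: nowSeconds };
}
```

Note that a stale session is asked to re-verify at the level it already holds rather than being logged out, which keeps the cart and the context intact and avoids the "start over" friction the article warns about.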
Along the way, proper cues are paramount. Just as an elevator light indicates that it has been requested and what floor it is currently on, best-practice design techniques keep users informed. This may mean a checklist that turns green as items are completed, or confirmations by text message and email.
“When websites or apps violate these general rules, users have difficulty completing tasks and make unexpected errors,” says Lindholm.
As Fagbemi says, “You want to do everything possible to encourage the right behavior. Design elements combined with the right processes and workflows can lead to much better security.”