The importance of usability for secure software
Software security and User Experience Design are both popular subjects in tech media, but they usually draw different audiences and the important space where they overlap gets far less attention. After all, except for high-profile cyber breaches, software security is not nearly as trendy as “UX”. And thank goodness for the trend. Though we’ve come a long way, this 2007 Dilbert comic still holds some hilarious yet painful truth about how much we still need to improve user experience in regard to security measures.
The gulf is understandable. Try reading about secure design principles and you’ll hit necessary technical nuance decipherable only by application security professionals, whereas ease of use and pleasure in interacting with a software product are ideas we can all relate to as users.
However, it is precisely that knowledge gap between the security community and the rest of us that makes usability so critical.
Signiant CTO Ian Hamilton recently published an article in SC Magazine on usability as a security feature. While the article is written for IT professionals, it highlights three points that anyone using software in their business should be aware of:
1. Security in the era of cloud services
In today’s cloud era, easy-to-use SaaS solutions are ubiquitous and accessible anywhere with an Internet connection. If your IT-sanctioned software is difficult to use or unintuitive relative to similar services offered for free online (like file sharing), users will default to the insecure, easier-to-use option. Additionally, as teams become increasingly global, policing unapproved SaaS gets more and more difficult. This has to do with a secure design principle known as psychological acceptability.
As Hamilton explains, “Secure services must be as easy to use as insecure services or users will gravitate to the insecure alternative.”
2. Usability in security features
Likewise, if a system’s security features are difficult to access or apply, users will make mistakes or forgo protection altogether.
“Another corollary of the psychological acceptability principle,” says Hamilton, “is that human interfaces for security features must be easy to use so users don’t make mistakes in applying security features.”
Highly usable security features incorporate how users intuitively visualize applying security, making the end goal of ensuring asset protection easy to implement and verify without exposing the highly layered and technical process that is required to do so.
3. Investing in security and usability
“Secure by default” is another secure design principle that’s related to usability. It states that a system should default to the most secure state possible. However, software vendors have traditionally tried to make software more usable by disabling security features in the default configuration.
“Often this allows a vendor to claim that the system is both secure and usable,” says Hamilton, “without investing in making security functions intuitive and easy to use.”
To make the system secure, users would have to enable specific security features, which (as mentioned above) can be difficult to understand and implement or just too much to keep up with. For example, if users must create complex passwords regularly for different systems, they will resort to using the same password or to writing them down.
Today’s software providers need to invest in both security and usability.
As we recognize the critical overlap of security and usability, we also should expect our software vendors to develop products reflecting the best of both worlds.
If you need a large file transfer solution that is both highly secure and highly intuitive, try Media Shuttle for free.
As a hybrid SaaS solution, Media Shuttle brings the advantages of SaaS that users want (ease of use, global performance and familiar web interfaces) as well as what businesses need (a cost-effective solution that scales with business fluctuation, no training required and an easy start without risking a lot of upfront investment). And the hybrid aspect of Media Shuttle allows Signiant to implement much stronger security measures.
To find out more about Media Shuttle’s security, check out this white paper.