UX Design and Asset Security
INTRODUCTION
Technology and the Internet have become part of our daily lives. Every day, people publish and share different kinds of data online, including sensitive personal information and data related to business operations. Technology makes our lives more comfortable, but users should understand all of the potential threats associated with using technology and the Internet. Cybercrimes that cause data breaches are not rare and happen quite often. We cannot eliminate cybercrime, but we should apply all necessary and adequate measures to limit its occurrence.
Increasing security measures tends to decrease the usability of, and interaction with, an application or website. At the same time, security is essential for developing a high-quality, trustworthy product that protects assets, including personally identifiable information. Every program, application, or website is developed for a user. Therefore, it is important to fulfill the user's needs and provide a great overall user experience (UX) when interacting with the application or website. It should be noted that 88% of users are less likely to return to a website or open an application after a bad user experience. Good design helps to prevent human error and promotes security-conscious behavior, including following the rules for passwords. UX design for a software product improves the user experience and builds the user's trust that their data assets are safe. At the same time, UX designers should consider cybersecurity during the design process. It is important to find a balance between implementing various security measures, usability, delivering a good user experience, building the user's trust, and promoting safe user behavior for better asset protection.
I: ASSET AND AUTHENTICATION
Everything that has value represents an asset. Assets should be protected from unauthorized access, use, disclosure, modification, destruction, and theft. Assets may include people, property, and information. Depending on the value of the asset, we should apply adequate security measures. We will discuss information assets, which include sensitive user information, in the context of asset security. Information security, therefore, is the process of preventing unauthorized access, use, disclosure, modification, or destruction of information. It is described by three critical security concepts: confidentiality, integrity, and availability. Confidentiality limits who can access the data; integrity assures that the information is in its intended state; availability assures that the information can be accessed when needed.
Before a user attempts to access or modify information stored on a website's server, he or she must prove their identity and their permission to do so. One of the first lines of defense against unauthorized access to an information asset is authentication. Authentication is the process of proving identity: the subject provides information that only the subject should know. For example, when we enter an email address and a password to access a website account, the system authenticates us by matching our credentials against the credentials in its database and granting access if they match. Therefore, authentication is the process of determining whether the user is, in fact, who he or she claims to be.
The special categories of security credentials used to verify the identity of a user who attempts to gain access, request information, etc., are called authentication factors. These factors may include something a user knows, something a user has, something a user is, and where the user is. Examples of something a user KNOWS include a password, a passphrase, or the answer to a security question. Something a user HAS includes a preregistered mobile device or a physical key card. Something a user IS includes measurements of the user's biological characteristics, such as fingerprints, hand geometry, an iris scan, or facial geometry. Access systems may also take into account the location from which a user is trying to gain access. Single-factor authentication requires only one factor to match the user with the provided credentials. Multifactor authentication requires more than one authentication factor. For example, using a password and a username to gain access to an information asset is single-factor authentication, because both represent something a user knows. Multifactor authentication requires two or more authentication factors from different categories; two-factor authentication requires exactly two. For example, a system may require a password and a fingerprint to access the information.
Authentication helps to keep networks secure by granting access only to authenticated users. By ensuring that only authenticated users gain access to the system, organizations can better protect their information assets. We use authentication whenever we want to know who is using a data asset. Authentication leads to authorization, in which the server determines the user's roles and permissions to use or access the information asset.
II: UX DESIGN
User Experience (UX) design is the process of shaping how users interact with a product or website. The goal of UX design is to create an easy, efficient, and relevant design and a great overall user experience with the product, website, or software application. In pursuing this goal, UX design considers each element that affects the user experience: how it makes the user feel, and how easy it is for the user to accomplish his or her desired tasks and goals. UX designers conduct market research, user interviews, and user testing; solve different problems; create user flows and user journeys; write design requirements; ensure that the design aligns with standards and policies; etc. They build a bridge between customers and the company and help the organization better understand users' needs and expectations.
The term UX design was coined by cognitive scientist Donald Norman, who stated that “User experience encompasses all aspects of the end-user’s interaction with the company, its services, and its products.” In his book “The Design of Everyday Things”, Don Norman describes how some things we use in everyday life can confuse the user. For example, identical glass doors without signifiers create confusion about whether to push or pull the door to open it. Don Norman states that most of these problems stem from a complete absence of understanding of the design principles necessary for human-computer interaction. Individuals, including developers, who have not studied human behavior think that it is very simple and that all people need to do is read the instructions. However, not all users think as logically as engineers.
The UX design process is an iterative method that helps to continuously improve and polish a design. The process consists of stages that repeat and involve stakeholders, who evaluate the design at each stage. Usually, UX design includes six stages:
1. Understand: gather requirements, create user personas, and define use cases.
2. Research: analyze competitors, research the latest trends, and check guidelines.
3. Sketch: gather ideas, and draw and evaluate wireframes.
4. Design: design images, create prototypes, and define UX guidelines.
5. Implement: build the functionality and the experience.
6. Evaluate: perform usability testing, create audit reports, and identify improvements.
UX design helps to make decisions that decrease user resistance, which is itself a cause of security concerns. According to the Information Security Breaches Survey, 8 out of 10 security breaches are committed because of human error. Don Norman stated that in most cases human error is caused by poor design. Thus, UX designers work to identify points of data vulnerability and involve stakeholders during the design process. At the same time, designers pursue the goal of minimizing the number of steps necessary to complete a task, since unnecessary steps can keep the user from achieving his or her goal quickly, and of keeping users immersed in the website content.
Information security should be built in from the beginning. Stakeholders and designers must agree from the planning stage that security is embedded in every aspect of the design. When designers work with security specialists, they can create a website or software application that is both safe and user friendly.
III: UX DESIGN AND CYBERSECURITY
When we design a software application or a website, we must consider functionality, usability, and security. We can use a triangle to visualize the relationship between these three concepts: increasing or decreasing any one of the factors affects the others.
Imagine a situation in which a software application or a website does not require a password and an email address or username to log in. It looks easy to use, but it lacks security. Now imagine another situation in which we need to re-authenticate every few minutes using CAPTCHA codes. This looks more secure, but it irritates the user, creates a bad user experience, and no one will be interested in using the website or software application. This is why organizations need to learn how to balance UX design and security. The connection between user experience and security is studied by a discipline called Human-Computer Interaction and Security (HCISec). Security professionals should remember that while implementing system security, they should think about users. Security professionals and UX designers should work in tandem to produce the best result.
We can compare UX designers to interpreters. UX designers should understand all of the technical requirements and deliver them to the user in an understandable form. UX designers should focus on user expectations and understand user behavior. Usually, a user has limited knowledge of cybersecurity. According to Nick Babich, 45% of all users had multiple registrations in the system, and 160,000 users requested their password every day. Interestingly, 75% of these users never completed the purchase they had started after being asked to enter their password. Users can feel frustrated by the need to memorize long, complicated passwords. Therefore, they use an easy password or do not use a password at all, and so create a risk for the security of the information asset.
To encourage users to follow security guidelines that can protect their information assets from data breaches, UX designers create different solutions. One example is a single sign-on (SSO) option, an authentication method that enables users to authenticate to multiple accounts using one set of credentials. The disadvantage of SSO is that if a hacker gains access to one user account, he gains access to all accounts. However, without any security measures at all, everybody can get access to the information. Which is better? We should adjust the security measures to the value of the information asset; however, having at least some level of security is better than having none at all. Another method UX designers suggest is sending login links by email. These links are used to sign in to the website and serve as the means of authentication.
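The emailed login link described above depends on the server being able to tell a genuine, fresh, unused link from a forged, stale, or replayed one. The following is an added example (not code from the original essay) of how a server can issue and redeem such a link token; the key, the 15-minute lifetime and the in-memory set of consumed nonces are constructed stand-ins for what a real service would keep in a secrets manager and a database.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side signing key. Generated per process here as a constructed stand-in
# for a key that would live in a secrets manager; the key never leaves the server.
SECRET_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 15 * 60        # a link stops working 15 minutes after it is issued
_used_nonces: set = set()         # stand-in for a persistent table of consumed tokens


def issue_login_token(email: str, now: Optional[int] = None) -> str:
    """Build the token that goes into the emailed link, e.g. ?token=<value>.

    The token binds the email address, an expiry time and a random nonce, and
    is authenticated with an HMAC so nobody without SECRET_KEY can forge one.
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)
    payload = f"{email}|{now + LINK_TTL_SECONDS}|{nonce}".encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def redeem_login_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated email address, or None if the link is forged,
    expired, or has already been used once."""
    now = int(time.time()) if now is None else now
    try:
        encoded, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    # Verify the signature first, in constant time, before trusting any field.
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    email, expiry, nonce = payload.decode().split("|")
    if now > int(expiry) or nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)       # burn the nonce so the same link cannot log in twice
    return email
```

The user-facing part is simply clicking the link; the expiry and single-use checks are what keep that convenience from becoming a standing credential in an inbox.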
An important part of user-friendly design is that it can encourage users to follow security measures that protect their assets, and that it provides a straightforward explanation of how each security measure works. All security notifications, labels, validation messages, etc. should be concise, diplomatic, and understandable. Practices that improve both website security and user experience include:
· Transparency. It is important to make sure that users know what data the website gathers and why. It is good practice to provide a link to the privacy policy, even though most people will not be willing to take the time to read it.
· Inform users about phishing and other online fraud. UX designers can create pop-ups or banners to keep users informed about the latest phishing and fraud techniques.
· Two-factor authentication. Overuse of CAPTCHA verification can lead users to complain and abandon the website. UX designers should use discretion when deciding whether two-factor authentication is necessary.
· Encourage strong passwords. UX designers use password checker tools that can be integrated into the registration process to help users create stronger passwords.
· Inform users about SSL encryption. Transparency about security measures is more likely to create user trust.
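A password checker of the kind the "Encourage strong passwords" item refers to is most useful when its output is the concise, diplomatic guidance the previous paragraph calls for, rather than a bare "weak" label. The following added example (not from the original essay) shows one such checker; the minimum length, the tiny list of common passwords, and the message wording are constructed choices for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of frequently used passwords. A real deployment would check
# against a large breached-password list on the server side.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
MIN_LENGTH = 12


def check_password(password: str, email: str) -> Tuple[bool, List[str]]:
    """Return (acceptable, feedback).

    feedback is a list of short, plain-language hints that a registration form
    can show next to the password field as the user types; an empty list means
    the password passed every check.
    """
    feedback: List[str] = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)      # catches "Password123!"
    local_part = email.split("@", 1)[0].lower()

    if len(password) < MIN_LENGTH:
        feedback.append(f"Use at least {MIN_LENGTH} characters. A short phrase of a few words works well.")
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        feedback.append("This one appears on lists of commonly used passwords. Try something less predictable.")
    if len(local_part) >= 3 and local_part in lowered:
        feedback.append("Avoid including your email address or username in the password.")
    # Four or more identical characters in a row, or any 2+ character chunk repeated three times.
    if re.search(r"(.)\1{3,}", password) or re.search(r"(.{2,}?)\1{2,}", password):
        feedback.append("Avoid long runs of repeated characters or patterns.")
    return (len(feedback) == 0, feedback)
```

Each hint says what to do next, which is what keeps the check from becoming the kind of friction that drives users to abandon registration.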
CONCLUSION
While browsing the Internet and using technology with an Internet connection, users share different kinds of information, including personally identifiable data. This information represents an asset that should be protected. Thus, it is important to implement adequate security measures to prevent unauthorized data access, manipulation, and theft. One such security measure is authentication: the process of proving the user's identity, in which the user provides information that he or she is in control of.
Each software application or website is made for a particular audience of users. If users are disappointed with the software or website, they may abandon the website or stop using the software. According to Lorenzo Ermigiotti, 88% of users are less likely to return to a website after a bad user experience. It is important to understand users' frustrations and needs in order to provide a good overall user experience. UX design can help to build trust between users and the organization. UX design is the process of shaping how users interact with a product or website. The goal of UX design is to design a product that is easy to use, pleasant to look at, and functions well. While designing a software application or a website, we should consider functionality, usability, and security; increasing or decreasing any one of these factors affects the others.
UX design and cybersecurity are not mutually exclusive; on the contrary, for a better-quality product, these fields should work in balance. UX design is important for protecting assets because it promotes user behavior that improves cybersecurity. UX designers create different solutions to encourage users to follow security guidelines that protect information assets from data breaches. According to the Information Security Breaches Survey, 8 out of 10 security breaches are committed because of human error. Don Norman, who coined the term UX design, stated that in most cases human error is caused by poor design.
References:
1. Deane, A. J., & Kraus, A. (2021). The Official (ISC)2 CISSP CBK Reference (6th ed.). Sybex.
2. Norman, D. (2013). The Design of Everyday Things: Revised and Expanded Edition (Revised ed.). Basic Books.
3. Ermigiotti, L. (2022, February 11). 7 Ways to Use UX Design to Enhance User Data Security. Codemotion Magazine. https://www.codemotion.com/magazine/uncategorized/ux-design-enhance-data-security/#:%7E:text=UX%20design%20and%20cybersecurity%20are,in%20each%20line%20of%20code.&text=While%20data%20privacy%20and%20ensuring,building%20trust%20among%20your%20customers.
4. Stevens, E. (2022, February 19). What Is User Experience (UX) Design? Everything You Need to Know. CareerFoundry. https://careerfoundry.com/en/blog/ux-design/what-is-user-experience-ux-design-everything-you-need-to-know-to-get-started/
5. Minhas, S. (2021, May 14). User Experience Design Process - UX Planet. Medium. https://uxplanet.org/user-experience-design-process-d91df1a45916
6. Moyers, S. (2018, May 17). Improving Security with Better UX Design. Web Design & Digital Marketing Tips. https://www.spinxdigital.com/blog/improving-security-with-better-ux-design/
7. Brown, J. (2019, September 23). The Art of Balancing User Experience and Security. Usability Geek. https://usabilitygeek.com/user-experience-and-security/
8. Naithani, A. (2021, July 27). Balancing UX with Security | Loop11. Loop11 | Easiest Online Usability Testing Tool. https://www.loop11.com/balancing-ux-with-security/
9. Cadzow, A. (2019, June 10). Balancing functionality, usability and security in design. C3L Security. https://blog.c3l-security.com/2019/06/balancing-functionality-usability-and.html
10. 7 UX Design Tips for Improving Users Data Security. (2021). DigglesCreative. Retrieved 2022, from https://www.digglescreative.com/blog/7-ux-design-tips-for-improving-users-data-security.html