5 Practices for Securing User Confidence
As UX designers, we are customer advocates. We design systems, products, and tools that are as beautiful as they are usable. We bend technology into new forms to compensate for gaps in human abilities. We act as a creative buffer between technical complexity, unreliability, and inelegant processes or patterns. We turn bad mechanics into better forms. It’s downright noble.
Products and services are always vulnerable to customer attrition, and users bail for many reasons. Much of UX design and product optimization focuses on acquisition and retention through continual improvements. We focus on usability, elegance, simplicity, functionality, and brand value. Typically, UX designers spend less time improving security or operational integrity. For example, when was the last time you iterated on how user data is archived, or asked users about their sense of security when using your products?
If you’re a financial institution, the answer is probably (hopefully), ”Very recently.” But what about community sites, mobile social networks, collaboration tools, or games? Most hacks and security breaches happen to these “softer” targets and brands, but it’s not the site or database that is the victim—it’s the customer. And the company responsible for the product also suffers.
So how can we better secure the products we create and, ultimately, the loyalty and trust of our customers? Here are five practices to consider:
1. Designers Must Own (or Co-Own) Security
Security is not the concern of someone else, it’s the concern of everyone. Every feature needs to be designed with safety in mind. Empathize with your users, who may be savvy or may be accident-prone. Also take a walk in the shoes of a hacker.
For example, how much ownership do you take of password storage logistics? Do you see it as a technical problem or a design problem? Are you aware of the security differences of a password recovery feature versus password reset in a web application? The distinction is not trivial, as one requires passwords to be stored in plain text, opening a very tempting attack vector for criminals.
Learn about the common exploit types and study social engineering to better understand the risk your users face when using the products you design.
2. Over-Communicate the Requirements
Many attacks are purely technical, and outside the control of most designers. Still, describe your acceptance criteria for safety and integrity just as you describe it for response time or interface scaling. List the promises you want to make, implicitly or explicitly, to your users. Total data encryption? No personal information storage? Secure administration? Protection from spam? Security of all future offline backups? Security policies enforced for other users and admins? Your developers will follow best practices, but often the best practices are the problem. Be specific, and own the safety of your users.
In your use cases, be sure to include negative scenarios. What does a hacker see when trying to guess a password? Does the message change the fifth time they guess? The twentieth? Do you tell them which field is incorrect (user name or password)? A single error message, in an attempt to be friendly, may give away hints that help attackers tune their attacks.
Be sure to think these experiences through and specify behavior. Design a system that makes the experience painful for attackers but pleasant for your customers.
3. Focus on the Big Picture
Work with the whole team to determine the promise, the message, and the response plan for when something goes awry. Make sure that everyone cares about the entire experience, not just their respective slices of the product. Address the tension between usability and security as a team, on every feature and interaction. Products, interfaces, and experiences are meant to have shorter lives than the businesses they benefit and the customer relationships they create, so think long-term. A single publicized breach can damage years of great work.
It’s a good idea to review publicized attacks on similar products or services with your team. Ask everyone to look at your product in light of those published exploits.
4. Boost User Confidence with Attention to Detail
Does the lack of polish in some part of your system imply that you lack attention to detail? What does lack of attention to detail say about your appreciation for security?
Imagine yourself boarding a commercial flight. As you take your seat, you note that the last passenger left trash in the seat-back pocket in front of you. What feelings are caused by this minor discourtesy? Annoyance? Mistrust of the airline, the crew, and everyone responsible for the airplane? A sudden fear of fiery death? If the crew missed the trash, maybe they overlooked a more important detail, too? Whatever you’re thinking, the airline’s disregard of a small non-critical detail may cause distrust in the entire operation.
Find the forgotten details, and design them nicely. Polish and attention paid to the less sexy parts of a product go a long way to prove that nothing has been ignored. Apple invented the “Sad Mac” face to give a friendly, cute experience to a severe system error on the classic Macintosh platform. Contrast that with the technical, developer-designed “Blue Screen of Death” on most Windows computers. Which approach conveys that thought has gone into failure scenarios? Follow Apple’s lead and craft an experience thoroughly.
5. Continually Revisit Security
Every new feature opens up new ways of using and abusing products. Include conversations around security in all new iterations. When usability starts to suffer, fork your product and experiment with new ways of solving problems. It's no different than other iterative work, and no less fun.
If you do find yourself under attack, make sure your team learns from the experience. Interview customers affected by the attack and ask how the event has changed their perception of your product or company. Don’t let a valuable research opportunity pass you by, especially when it comes at such great cost.
A sense of security is larger than password protection. It’s the faith that a product can be trusted and is designed well, from identity to usability to responsiveness to safety. It’s the role of a designer to treat all of those concerns as fundamental and create a product that delivers value time and time again. It may seem premature or pessimistic to focus on security early on, but there are thousands of malicious people out there perfecting their attacks and each new product is a new target. Make sure you’re there as a customer advocate, planning for the good times as well as the bad.