Historically, more often than not, effective security came at the expense of usability. And usability came at the expense of security. Many continue to go by the notion that there is no way to achieve both effective security and usability simultaneously. It just does not work.
Additionally, it’s often thought that a solution to offer effective security must be complex and if it is easy to use or uncomplicated, this must mean that it can’t provide effective security.
Moreover, usability has always trumped security. Organizations and their employees want and need solutions that are easy to use and efficient — and not a hindrance to their performance. Cumbersome solutions (many legacy security solutions fall into this category) cause users to stop using them because they obstruct tasks and negatively impact workflows and efficient functioning.
Hence, security often suffers when complex, unusable security products are used.
It’s imperative that security is met at all levels
With the increase in cyberthreats, the accumulation of valuable data within organizations, the evolution of data protection regulations, and the exposure of frequent high-level data breaches, businesses are being pushed to ensure that security procedures are met to protect their data, their business, and their reputation.
Businesses must enforce security practices and the use of protective technologies. Businesses must also ensure that users securely manage and process data. This is now mostly encouraged from the top down, even if it means that usability suffers. The ways of the past, when employees side-stepped security to achieve usability, can no longer happen.
It’s now imperative that organizations ensure that security is met at all levels. Security culture is encouraged within organizations and a new way of thinking and doing is established so that data can be protected.
Organizations may fear that usability has to take a backseat in the face of achieving security (as it did historically), but this does not need to be so and does not need to be accepted as such.
Both security and usability can and must be realized simultaneously. Usable security results in a more secure organization. So, the aim should be to achieve usable security — and nothing less can be accepted.
Security depends on usability
Security should support and enable better business and should not hinder business functioning or staff, or negatively impact efficiency. Additionally, it should not cause the cost of doing business to rise significantly. There does not need to be a trade-off.
Security needs to be usable — if a solution is easy to use, employees will choose to work securely rather than not. Security needs to motivate a positive experience, and this is what a usable product does.
The highest levels of security can only be achieved with equally high standards of usability. They depend on one another. Fortunately, advanced modern solutions and products are making effective security with improved user experience possible. Good security is futile if the solution is unusable. Security requirements must be satisfied while maximizing usability to deliver effective protection as intended.
How modern solutions are achieving effective and usable security
Now more than ever, security is a critical requirement for most organizations. Data protection regulations like the GDPR, other legislation, and best practices call for security to be built into organizations' processes and culture. Security by design is encouraged.
For security and usability to successfully work alongside one another, security cannot be a constraint but must be an enabler. In the past, when a priority was placed on security without consideration for usability, this resulted in the failure of those solutions and less secure environments and processes.
Modern technologies that succeed in providing usable security hold usability as a fundamental element of security and, by incorporating the following five criteria, are helping organizations to accomplish effective security alongside usability.
1. Secure by design and by default
Legacy security products often failed because usability was not treated as an equally important design priority. Security and usability can’t be added once the technology has been developed but should be an integral part of the product design process from the start.
Usable security does not only refer to end-user experiences. Usable security should embody the entire security product process from creation through to end-user usability. This may include design, development, configuration, and product maintenance. It also concerns things like how an organization functions and uses policies and processes, as well as factors that influence how people approach their work and approach security at work.
As encouraged by the GDPR, security by default is a fundamental factor in achieving usability as well as a secure product. Solutions that have been designed and created to be both secure and usable from initiation can be relied upon to carry these features through all aspects. Out of the box, these products are usable and secure. Security should not depend on users using products in a certain way either.
Security tools should be as flexible as possible to allow organizations to create the best user experience suited to their organization and their users while maintaining the best possible security. Solutions that are secure by design and by default will have reflected usability as part of their design process and placed emphasis on incorporating controls for improved user experience. So, the solution represents an effective design whereby constructive actions that encourage security are simple to perform, and destructive ones are hindered.
Now, with secure and usable products organizations can meet users’ needs as well as business security and operational objectives.
2. Incorporation of security controls that empower users and enhance user experience
Generally, users are drawn toward flexible controls and features, and toward security that integrates with how they work rather than add-on procedures that take time and effort to learn.
Users want to work in the manner that they are comfortable with. They do not want to be required to change how they go about fulfilling their day-to-day tasks. There are multiple ways to achieve a task and security should be accommodating of this. Security should encourage users to make better security choices, but should not require drastic changes to functioning to achieve security.
Important security and usability considerations include multiple means of authentication, to provide choice and varied levels of security; risk-based features, whereby security can be heightened or reduced depending on circumstances and requirements; and usable verification, so that verification does not become an obstacle to usability, which it can if not appropriately balanced.
User-friendly controls that make use of technology advancements like biometrics (fingerprints, facial recognition, etc.) for better user experience should also be considered.
Additionally, an agile architecture that lends itself to continuous adaptation is necessary so that a solution can adapt and advance to meet future needs in an uncomplicated and workable way.
3. Usable interface
It’s important to ensure that any interface is easy to navigate with little thought. It should be logical and practical to use. If options are permitted, the more secure routes or choices should be encouraged by making them the default or the most natural path for a user to follow.
A solution should be intuitive, so that users do not need to decide on how to use a product to ensure security. Instead, a product should work to remove security decisions from users as much as possible. A simple solution, that’s less dependent on user action to work, will be more effective as the room for error is significantly reduced.
A good interface design elevates security as it lessens the liability on users.
4. Practical and operational real-world security
Practical security encourages secure working. Security should be practical and work in real-world applications and scenarios with real people who make mistakes. It is useless if it only looks good on paper or is aspirational, but does not apply to real-world situations. Workable security is fundamental to security success, especially today and into the future for businesses to get the protection they need.
5. Consideration for processes, functioning, and data flows
Technologies that provide usable security consider these aspects during the design process. So, they can create fitting solutions that offer usability and security for a variety of applications.
Solutions that adequately match tasks and situations are essential. Just like multiple products exist to impart security, various ways exist to fulfill tasks — not all solutions will suit all scenarios, but that is OK. Ensuring that products chosen to tackle each task achieve usable security will provide the best possible security. Layer solutions if required, but without adding complexity. Keeping security uncomplicated will favor better results.
Security and usability do not need to be seen as trade-offs
Businesses can build solutions, applications, and products that provide effective security and at the same time boost usefulness and convenience for users. These solutions do exist.
Organizations can achieve effective security through uncomplicated, easy-to-use solutions. Security and usability no longer need to be viewed as trade-offs as technology companies are implementing systems that improve security and usability concurrently.
If users are presented with the appropriate security solutions to match their tasks, in a way that makes sense to them and requires uncomplicated but obvious use to achieve the security intended by the solutions, it will require little effort for users to work more securely, and effective security and usability can be accomplished together.