Viewing Cyber Security through a UX Lens
Recently I attended a panel in Austin, TX with three leaders in the cyber security startup market. I wanted to learn how some of the best minds in cyber security are thinking about individual users and how they can be part of protecting themselves and their companies from increasingly common attacks on their privacy.
The week before the cyber security panel in Austin, my daughter, who is working on Capitol Hill this summer as an intern for a U.S. Rep, attended a House Intelligence Committee hearing about the DNC cyber attack and the 2016 US presidential election. She had emailed me her summary and the link to watch the testimonies. I watched the video of Jeh Johnson, former Secretary of the Department of Homeland Security (DHS), testify about cyber security.
Johnson said he believes that politically divided democracies are vulnerable to cyber security attacks. He challenged elected officials to get educated about cyber attacks. He also stated that counter terrorism and cyber security need to be front-burner issues of the DHS. Representatives and Senators, on both a state and national level, also need to be educated and spread awareness to their constituents, their voters. This spring the Texas legislature unanimously passed a bi-partisan bill called the Texas Cybercrime Act that makes it a first-degree felony for a person to deliberately prevent someone else from getting online and gives law enforcement additional tools in the fight against ransomware and other cybercrimes. After listening to the Johnson testimonies and knowing about Texas’ new legislation, I wanted to know more about how User Experience design methodologies could be incorporated into software to help prevent cyber crimes.
The timing of the Austin Cyber Security meetup and panel, the week after the testimonies, was happenstance. I knew the Austin cyber security industry is growing, with many successful local startups making headway, including Duo Security, Rapid7, and NSS Labs. Duo’s co-founder and CTO Jon Oberheide and two other startup leaders, HD Moore and David Endler, organized the Duo Talk panel to discuss startups, venture, and cyber security.
I went to learn about Duo and how these companies are focusing on the everyday user to help fight the battle for Internet security. I wanted to know their thoughts on how User Experience design and content in software could help. As it turned out, the audience was asking more questions about the challenges of being a startup, so UX Design came up only once, raised by one of the panelists as an imperative investment.
Security Is A Hard Problem
As a UX Designer, I’m interested in cyber security and especially how my work can help improve it. Before I dive into the DuoTalk panel, let’s review why Security Is A Hard Problem.
Everyday Jane walking down the street doesn’t understand cyber security: what it is, how it impacts her, how she’s vulnerable, how her vulnerability has a domino effect and puts those around her at risk, and what she can do as prevention. The cyber security industry is full of jargon. Jane may have heard of some of the jargon like virus, maybe even malware, spyware and firewall. Phrases like “identity theft” probably resonate with her because it’s a personal implication, but not much more. The word “malware” is a combination of the words “malicious” and “software” and describes anything that has a malicious impact on your software: this could be a virus or a worm, or a Trojan, a type of software that seems legitimate. All of these words can have a foreign feel to a user and be hard to relate to if you’re just a normal, non-techy person.
Most of us have been affected by cyber attacks, even if it was from a distance through being a customer at a business; maybe it was the Target or Neiman Marcus breaches a few years back and we all had to get new credit cards. What a hassle! The perception is that security is a company’s problem and responsibility to solve, but it’s not necessarily all about the company.
The solution can start with the individual user. For example, it’s our responsibility to download software updates, but many don’t. Many very smart people do not update their software. A civil engineer told me he once didn’t download all of his iPhone updates because he doesn’t like the new interfaces. App visuals change so rapidly, sometimes almost too frequently, and for most users, change is hard. The industry thinking seems to be “users will adapt to the changes.” But will they? Sometimes, sometimes not; it depends upon the user and his motivations and behavior.
UX isn’t just design and flow. UX is a critical part of effective cyber security
What if the content were human-focused with valuable, concise and understandable explanations that an update would help prevent his phone from being attacked? Maybe more people would update their personal software if they were educated on the security benefit. That content is a UX Designer’s job. UX is important in cyber security. Content is becoming more of the interface. UX designers create clear content, hierarchy of information, and interactions based on the user’s behavior and on the company’s business goals.
Security Through The UX Lens
The DuoTalk panel focused mostly on startup business procedures with about 70 entrepreneurs in the audience. Most were asking the seasoned startup chiefs about business procedures like when they should hire a lawyer and about the patent industry. Coincidentally, the DuoTalk cyber security panel was June 27, the same night as the global ransomware attack, Petya, that started in Ukraine exploiting old versions of Microsoft Windows and quickly spread to over 60 countries.
I attended to hear about cyber security, so I asked a very open-ended question about their impression of the day’s global attack. My question was hastily dismissed. A joke was made about a prior WannaCry attack, and the panel moved on to another business how-to question.
The fact that my question wasn’t answered is a challenge with the cyber security and cyber attack world. The cyber security world is secretive, and for good reason. The intent might be to protect users or be a defense from subsequent attacks. People still need education on cyber security and how they can individually be part of the defense.
In hindsight, my question may have received a thoughtful answer if I had been more direct and specifically asked how UX Design, or lack thereof, could help secure users and mitigate the impact of a cyber attack. The Petya attack had just exploded that morning and was a raw subject. The panel leaders are in the business of protecting businesses and people, and a global ransom attack is probably when it hits the fan.
Security must be a priority when designing all sites, not just e-commerce. Design is a valuable investment for cyber security and all companies. UX designers should make online security tasks intuitive and easy for Everyday Jane to understand and implement.
UX at the Security Table
I think UX has a critical role to play in closing the gap between the technical implementation of cyber security and driving good user behaviors that are essential to the overall security solution. UX needs to have a seat at the table. UX is not forgotten, but since both cyber security and user experience are fairly recent priorities within the last decade, it will take time for the two tactics to be fully blended by both businesses and consumers.
One simple UX re-design solution that could propel waves of change: passwords. UX content and visuals can clearly state why the user needs to create a strong personal password, while keeping the password requirements simple. UX is not just aesthetics — it’s how a site functions, and security is one of the main functions. UX design, usability and online security have a symbiotic relationship. Design is part of the solution and will have an impact on cyber security, particularly when UX is viewed as an important part of the process. We have to make Everyday Jane’s online security easy for her, and the ripple effect will make a difference.