The key role played by UX in cybersecurity
Published on: 23 12 2020
Maybe we should be viewing cybersecurity not as a restriction, but as a regular habit. However, if we expect the user sitting between the keyboard and the chair to become a strong link in the digital health chain, we need to provide them with tools that make them enthusiastic about this role. And UX can make this an area in which companies can make a difference.
1993 is the date when the concept of user experience was born. Its godfather was Don Norman, who “wanted to cover all aspects of the person’s experience with the system”. The whole approach behind this concept is to give users a desire to appropriate a tool, assimilate all aspects of it and derive benefit from it. This “User eXperience” (UX) can now be applied to any area, and is of particular interest in companies’ digital strategies. When used to promote effective cybersecurity, UX can prove to be a real asset, reinforcing a company's defensive approach and its employees’ digital confidence.
Successful cybersecurity also involves UX
UX is not solely an issue for “the end user”. It is equally important for administrators to adopt and take ownership of a product. We should therefore identify two main groups of UX beneficiaries in the cyber world: the technical user (administrator) and the end user. “There are interfaces for administrators and interfaces for business. In both cases, the goal of the UX is to ensure they can be used by everyone – remaining simple for an average user and more complex for an expert,” explains Sébastien Viou, Cyber-Evangelist Consultant at Stormshield. An administrator will need a security solution with a good UX to make it easier to administer agents within the IT equipment pool, implement security policies and monitor events. Another key cybersecurity point: a good UX will help the administrator to reduce potential configuration errors for security tools – which immediately become vulnerabilities for the company. And in terms of the end user, the UX must make it easy for them to appropriate a product, understand it and want to use it; and there are even times when the experience should simply become “transparent”. We should therefore be promoting a cybersecurity approach that uses the UX, taking into account the reality of the user requirements on which it is based.
In both cases, the goal of the UX is that interfaces can be used by everyone – remaining simple for an average user and more complex for an expertSébastien Viou, Cyber-Evangelist Consultant at Stormshield
The UX is also assuming an increasingly important role in the design of cybersecurity solutions. And, as Guillaume Poupard, Director-General of the ANSSI cybersecurity agency, stated in 2018: “You have to make digital security sexy; in other words, understandable.” “You need to understand what you are trying to secure, the threats you're dealing with, and the resources you have, and you need to involve people who are not part of the cybersecurity inner circle.”
You have to make digital security sexyGuillaume Poupard, Director-General of the ANSSI
Cyber-user-friendly: bringing sexy to cybersecurity solutions
Cyber culture and UX are really the same thing. An effective cyber culture is a culture that provides for the adoption of security solutions by employees according to their sensitivity. Publishers must take this requirement into account in the design of their products and develop them by adopting a business approach, rather than a technical one. Technology is a resource, but the UX must be built around an understanding of users’ day-to-day lives. So how can we make these products more “user-cyber-friendly”? The cyber community and publishers are working towards this goal, and a number of initiatives are already in place.
UX design sessions have started to appear, enabling publishers to work with partners and customers to challenge their solutions. The goal underpinning this approach is to be able to refocus or refine a product during its design, or improve an existing product, to ensure it is efficient and intuitive to use. These sessions are intended to develop a user interface that is more in tune with its users’ business activities and needs. “Before we develop graphical interfaces for our Stormshield Data Security solution, we develop mockups that we test on a panel of users,” explains Jocelyn Krystlik, Business Unit Data Security Manager at Stormshield. “The idea is to bring together people who are cybersecurity product customers, and other people who aren't, to challenge the publishers.”
UX testing is also in widespread use. The aim of this procedure is to present users with a solution in real time and analyse their reactions to the product. This makes it possible to determine whether the solution is intuitive or not, and adjust it as needed. Some publishers also provide collaborative platforms on which their customers are encouraged to test products and share their feedback and comments. Virginie Ragons, UX/UI Designer at Stormshield, believes that “security solutions are generally found at the heart of complex ecosystems, and the goal is to provide users with harmonised interactive working practices and an intuitive interface in order to facilitate the achievement of the original objective.”
The goal is to provide users with harmonised interactive working practices and an intuitive interface in order to facilitate the achievement of the original objectiveVirginie Ragons, UX/UI Designer Stormshield
Another key issue of publishers in the age of UX: getting the pre-configuration of their solutions right. To what end? To avoid the old mistake of overloading interfaces with options that will not be used, and to identify in advance what will be used the most, and make it more prominent in the solution. This stage is critical, because the way publishers design an interface guides user choices.
Kaspersky claims that more than 90% of security incidents are attributable to human error. Suffice it to say that for successful cybersecurity, the last word on security products’ UX should go to the user. And that user, it seems, should also have the last word on trends, with changing usage habits and therefore a design that should evolve accordingly, as Sébastien Viou points out: “20 years ago, it was all done via the command line. After that, security solutions took the form of fat clients, and now the trend is towards thin clients, with aesthetic interfaces. UX is following the general evolution of the web itself.”
Cybersecurity and UX: the key trends
By moving towards thin clients, and even devices with no agent at all, it is possible to adapt to new uses such as digital nomadism and the widespread use of teleworking. “At Stormshield, we have applied this agentless concept with our data encryption solution, which can now be used directly from the browser. We now refer to Agentless Encryption in our Stormshield Data Security product,” Jocelyn Krystlik explains. “Because data encryption is an important issue that can affect a wide range of people within a company, it is vitally important to have the right solutions to support these groups and teach them how to use them.”
Employee empowerment is another key trend in UX. End users will be increasingly called upon to play a role in delivering security within their organisations. There is a tendency for the concept of cybersecurity to be extended to cover all business areas, and not just technical departments. All users must be able to play a role in this area. And here again, UX becomes a key component of digital hygiene: the right tools are required to support this trend. For example, UX needs to provide administrators with efficient, traceable methods of collecting and reporting information. Meanwhile, end users need to be able to supply information, most importantly to administrators. And indeed, they may need to be given a bigger role in making the security-related decisions that have in the past been the preserve of technical departments.
UX therefore has many qualities, and there is a strong benefit to incorporating it into corporate cybersecurity and digital transformation strategies. Furthermore, an increasing number of cybersecurity companies are publicising UX and the key role it plays in their products. For example, the Hypori company has breathed new life into its security solution for mobile devices with the help of UX. Or the Callsign company, which has developed an authentication solution entirely designed by and for users.
Interfaces with a simplified, intuitive design, fewer operations for users to perform, more appropriate architectures... UX? Definitely a cyber trend to follow.