How can we sugarcoat the security pill to sweeten the user experience?
CYBERSECURITY isn’t what it used to be. Safeguarding the information of our companies and customers used to be the sole concern for those of us in the profession—but no longer. Now, we must consider the user experience, as well.
Digital is poised to pervade every facet of life not only because it makes living easier, but also because it’s fun—by design. Likewise, to do security right, we’ve got to ask not just whether it works, but if it’s user-friendly—simple to navigate, reliable, and pleasurable to use.
To get there, we might ask what we can learn from other professions. We might put on not only our thinking caps, but also, at various times, an artist’s beret, Sherlock Holmes’ deerstalker, a brigadier general’s helmet, a blackjack dealer’s visor. We might need a psychologist’s couch, a teacher’s yardstick, and a coach’s whistle, as well. And that’s only the beginning. A few examples:
Meteorologists track weather systems and consider past events to forecast where those systems will go, how they’ll behave, and what risks they pose. Other industries, including retail stores and Wall Street, use trend-tracking maps, as well, and no wonder. Providing an organized, big-picture view, maps are easy to understand. Should we in information security do the same, using data-generated maps to assess where the next systems attack might come from, who might be targeted, and the nature of the breach? This would give the user a useful “big-picture” look at security threats—past, present, and future.
The pharmaceutical industry uses RFID chips to track drug shipments, and law enforcement places them in certain medication bottles to capture thieves, giving customers an added measure of confidence and safety. What if our systems tagged data in a similar fashion, tracking it wherever it goes and allowing users to retrieve theirs—to snatch it back from hackers or even recall files sent in error? Not only would users know precisely where their information was going and who was viewing it—invaluable to law enforcement—but they’d have the power to erase it instantly, hopefully before it reaches the “darknet,” the Internet’s black market.
Credit-card companies in Europe offer “smart cards” with debit, credit, and phone-card features. If lost or stolen, these cards self-destruct after a number of failed attempts to access their data. Could we program our data to self-destruct when someone tries to view it on an unauthorized device? Like the best security measures, this feature would protect a user’s information automatically, with no effort on their part.
The entertainment industry has already figured out how to transform the security experience. One group of popular theme parks has eschewed the cumbersome password in favor of colorful bracelets that identify their wearers with a swipe of the wrist, unlock hotel rooms, simplify purchases, and make efficient and effective security more enjoyable to use.
Most people don’t want to think about breaches, identity theft, or hackers. As UC San Diego physician-scientist Ajit Varki argues in his 2013 book Denial, avoiding the negative is a natural human tendency. The risks we encounter every time we log on are very real, but our users don’t want to be reminded of that. Taking a cue from other professions, can we consider our customers’ convenience and even their delight while keeping their information safe? How can we sugarcoat the security pill to sweeten the user experience?