Balancing functionality, usability and security in design
Introduction
When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other.
Defining the Triad in design
A triangle can be used to help explain the relationship between the concepts of security, functionality and ease of use (usability). The use of a triangle is because an increase or decrease in any one of the factors will have an impact on the presence of the other two.
Functionality
It can be defined as the purpose that something is designed or expected to fulfil. For example, increasing the amount of functionality in an application will also increase the surface area that a malicious user can attack when attempting to find an exploitable weakness.
Usability
It can be defined as the degree to which something is able or fit to be used. There is a trade-off between security and usability is commonly encountered in the real world, and often causes friction between users and those responsible for maintaining security. Microsoft had long been targetted by the security community for allowing everyday users to operate the system with administrative or system level permissions, which resulted in any exploit targeting a userland application was immediately given access with full rights. When Microsoft tried to limit this functionality by forcing users to specifically request elevated privileges via User Access Control (UAC) there was a high number of complaints from users who weren’t happy with the extra actions required to complete tasks. As a result, many instructions and guides were created to teach users how to disable the UAC functionality; increasing the ease with use and decreasing the steps needed to perform some tasks but at the expense of disabling an improved security system.
Security
It can be defined as referring to all the measures that are taken to protect a system, application or a device as well as ensuring that only people with permission to access them are able to. For example, a completely secure system would be enclosed within a solid box with no access points, no buttons or interface and be able to block all electromagnetic radiation. But it would then be useless for the user as they wouldn't be able to access it or use the system for its intended function. When implementing security designers have to be aware of the user experience. A study of users from IT-company and bank found that while users state to be motivated and knowledgeable about security many did not perform individual action. They considered security measures to impediments to work. Also, requirements of expected security behaviour and awareness campaigns had little effect on user behaviour. But weakening security to improve functionality and usability will lead any systems or device open to attack so there needs to be a way to maintain ease of usability and functionality without compromising security. A good place to start is with under the hood security design principle such as secure-by default/design, see UK NCSC guidelines for information.
Balancing Requirements
Determining the fine line between security and usability is a hard task for everybody involved in IT security, from software developers to network administrators. The lack of balance between these two items is one of the main reasons that can make a security system fail. For example, when 2-factor authentication (2FA) is implemented on a system or service it enhances security by ensuring that at least two pieces of information are needed to verify the correct user. Generally, when designed well an F2A doesn't impede the user experience if they access to the method the additional verification method. But if the number of steps required to use 2FA is onerous then a user is likely to disable or not use 2FA. Also, when setting up or using 2FA steps should always be prompted to ensure back-ups are in place otherwise the user could end in a situation where they are locked out of their accounts.
There are some key questions that user experience designers and security professionals need to be aware of and to have answers to when designing and setting up a service or system.
For user experience designers the question is: How do you design the security experience to fit the needs of the digital identity? Behind the identity, there is a person with the same basic needs as stated in Maslow’s hierarchy of needs – security among the most critical.
For security professionals, the question is: How do you enable your customers business in an environment, where the speed and comfort override the traditional understanding of security – environment, where user experience overrides security?
Security applications and security policies should be designed to interfere minimally with the normal working flow of the user. If they are too intrusive people tend to bypass them and the systems will fail to achieve their main goal: enforcing security. On a more positive note, users are generally more informed and knowledge about risks and most don’t mind an extra layer of security before they can access their personal information even if that means additional security.
Conclusion
When Balancing functionality, usability and security in design, no functional operating system will never be 100% secure, what every system/security designer and ultimately user must settle on a compromise between acceptable functionality and usability, and acceptable security.
Video Overviews
These online talks give more information and views on this area. Worthwhile to check out for personal interest:
https://www.youtube.com/watch?v=MbDHHEk7MQk
https://www.youtube.com/watch?v=nL61PiSL-Ws
Sources
https://www.veracode.com/blog/security-news/striking-right-balance-between-security-and-functionality
https://blog.infosanity.co.uk/2010/06/12/infosec-triads-securityfunctionalityease-of-use/
https://www.sciencedirect.com/science/article/pii/S01674404806002033
https://www.sciencedirect.com/science/article/pii/S0167404806001532
https://techtalk.gfi.com/security-usability-finding-balance/
https://hackernoon.com/user-experience-vs-cybersecurity-9a8b59f7573a
https://usabilitygeek.com/user-experience-and-security/
When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other.
Defining the Triad in design
A triangle can be used to help explain the relationship between the concepts of security, functionality and ease of use (usability). The use of a triangle is because an increase or decrease in any one of the factors will have an impact on the presence of the other two.
Functionality
It can be defined as the purpose that something is designed or expected to fulfil. For example, increasing the amount of functionality in an application will also increase the surface area that a malicious user can attack when attempting to find an exploitable weakness.
Usability
It can be defined as the degree to which something is able or fit to be used. There is a trade-off between security and usability is commonly encountered in the real world, and often causes friction between users and those responsible for maintaining security. Microsoft had long been targetted by the security community for allowing everyday users to operate the system with administrative or system level permissions, which resulted in any exploit targeting a userland application was immediately given access with full rights. When Microsoft tried to limit this functionality by forcing users to specifically request elevated privileges via User Access Control (UAC) there was a high number of complaints from users who weren’t happy with the extra actions required to complete tasks. As a result, many instructions and guides were created to teach users how to disable the UAC functionality; increasing the ease with use and decreasing the steps needed to perform some tasks but at the expense of disabling an improved security system.
Security
It can be defined as referring to all the measures that are taken to protect a system, application or a device as well as ensuring that only people with permission to access them are able to. For example, a completely secure system would be enclosed within a solid box with no access points, no buttons or interface and be able to block all electromagnetic radiation. But it would then be useless for the user as they wouldn't be able to access it or use the system for its intended function. When implementing security designers have to be aware of the user experience. A study of users from IT-company and bank found that while users state to be motivated and knowledgeable about security many did not perform individual action. They considered security measures to impediments to work. Also, requirements of expected security behaviour and awareness campaigns had little effect on user behaviour. But weakening security to improve functionality and usability will lead any systems or device open to attack so there needs to be a way to maintain ease of usability and functionality without compromising security. A good place to start is with under the hood security design principle such as secure-by default/design, see UK NCSC guidelines for information.
Balancing Requirements
Determining the fine line between security and usability is a hard task for everybody involved in IT security, from software developers to network administrators. The lack of balance between these two items is one of the main reasons that can make a security system fail. For example, when 2-factor authentication (2FA) is implemented on a system or service it enhances security by ensuring that at least two pieces of information are needed to verify the correct user. Generally, when designed well an F2A doesn't impede the user experience if they access to the method the additional verification method. But if the number of steps required to use 2FA is onerous then a user is likely to disable or not use 2FA. Also, when setting up or using 2FA steps should always be prompted to ensure back-ups are in place otherwise the user could end in a situation where they are locked out of their accounts.
There are some key questions that user experience designers and security professionals need to be aware of and to have answers to when designing and setting up a service or system.
For user experience designers the question is: How do you design the security experience to fit the needs of the digital identity? Behind the identity, there is a person with the same basic needs as stated in Maslow’s hierarchy of needs – security among the most critical.
For security professionals, the question is: How do you enable your customers business in an environment, where the speed and comfort override the traditional understanding of security – environment, where user experience overrides security?
Security applications and security policies should be designed to interfere minimally with the normal working flow of the user. If they are too intrusive people tend to bypass them and the systems will fail to achieve their main goal: enforcing security. On a more positive note, users are generally more informed and knowledge about risks and most don’t mind an extra layer of security before they can access their personal information even if that means additional security.
Conclusion
When Balancing functionality, usability and security in design, no functional operating system will never be 100% secure, what every system/security designer and ultimately user must settle on a compromise between acceptable functionality and usability, and acceptable security.
Video Overviews
These online talks give more information and views on this area. Worthwhile to check out for personal interest:
https://www.youtube.com/watch?v=MbDHHEk7MQk
https://www.youtube.com/watch?v=nL61PiSL-Ws
Sources
https://www.veracode.com/blog/security-news/striking-right-balance-between-security-and-functionality
https://blog.infosanity.co.uk/2010/06/12/infosec-triads-securityfunctionalityease-of-use/
https://www.sciencedirect.com/science/article/pii/S01674404806002033
https://www.sciencedirect.com/science/article/pii/S0167404806001532
https://techtalk.gfi.com/security-usability-finding-balance/
https://hackernoon.com/user-experience-vs-cybersecurity-9a8b59f7573a
https://usabilitygeek.com/user-experience-and-security/
which organisation would concentrate on funcyionality ,security ans usability equally?
ReplyDelete