Can Security and Simplicity Co-Exist?
“If you want people go to our app 10 times a day, release a virus every hour and they will do just that.”
When I was working on a consumer mobile security product, there was a huge debate around the product goals among different stakeholders. The Product Manager wanted to increase user engagement inside and outside of the app by gamifying it. The more users go into the app to scan their devices, the more points users would get. Users could then trade those points for gift cards or other rewards. It may have sounded like an interesting idea, because who would not want free stuff. However, is it a security product we are building or a rewards app? I still remember my coworker responded, “if you want people to go to our app 10 times a day, release a virus every hour and they will do just that.”
Start with understanding the users’ behaviors.
The common reason why many users think security products are not intuitive is because these products are not usually designed around the users’ behaviors. If we want users to do something, we have to make sure they care about it first. We could start the product design conversation by observing what people use their devices for, how many tasks people perform daily on their devices, and how our product can fit in without interrupting their normal behaviors.
Be simple. Be invisible.
A consumer security product needs to work seamlessly in the background without requiring much user action. Let’s say that you hired a security guy to ensure your safety. Instead of watching your home and taking appropriate action, the security guy called you every hour and told you to check the backyard, check the bathroom, check the swimming pool, etc. In the end, you spent money to feel safer but became busier and more stressed as a result.
A good security product is an invisible one.
You may be the security expert, but you are not the user.
Most security products are designed by a bunch of security experts, who sit in a room and think of all the possible solutions. They come up with rules and tasks for users to follow without having any concern about how those would fit in the users’ daily workflow.
The University of Maryland’s Usable Security course mentions that physicians working at the hospital tended to leave the computers on their wheeled carts logged in as they move from room to room. In order to make sure sensitive information on these computers would only be accessed by authorized people, proximity sensors were installed on the carts. If the doctors walked away for a certain amount of time, the computers would be automatically logged out. Physicians found this interruption to their workflow to be so frustrating that “they started putting styrofoam cups over the proximity detector so it wouldn’t know when they walked away.” The proposed solution actually caused more problems and compromised security because those who came up with the idea did not put themselves in the users’ shoes. Had they taken the time to observe and understand the physicians’ routines, they could have created a better solution could have been created.
“To build a good security product, the user behaviors and experiences should be considered from the beginning. In fact, the technology and the user experience should always go together.”
Usefulness = Utility + Usability
According to usability 101, a useful product should have two factors: usability and utility. Utility means providing features that users need to complete their job (what they come to the product for). This falls into user research, sales, market research,.. Usability is comprised of 5 quality components:
- Learnability: Can user complete their basic tasks when using the products for the first time?
- Efficiency: Once users are familiar with the design, how fast can they perform tasks?
- Errors: How many errors do users make and how easily can they recover from them?
- Memorability: When users return to the design after a while, how easily can they reestablish proficiency?
- Satisfaction: How pleasant is it to use the design? What do users prefer?
It’s not easy to have utility and usability work hand-in-hand when designing a product. Often, companies focus on utility and ship what they believe the users need without thinking about how they actually use the products.
“If security stops people from doing their job, they will find a way to get around it”
New security products and technology come out every day. There are tons of things users need to do in addition to their daily workflow. We should not add more burden to the users but educate and encourage them in a natural way to make them feel it’s not hard to be secure. It can be fun sometimes. How do we do that? Follow my next post :)