Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    The Overlooked Truth: User Experience in Cybersecurity

    Evangelists-Javvad MalikWe live in a world where the term "cybersecurity" tends to make folks either shiver with anxiety or yawn with boredom.

    The narrative has always been about hacking, phishing, and all sorts of digital skullduggery. However, the overlooked truth is that users don't adopt best security practices because they’re designed without the slightest nod to the user experience.

    It's a bit like asking someone to squeeze through a medieval castle's portcullis just to check their email; the intention is good, but the execution, well, not so much.

    The UX Problem in Security Design

    User experience (UX) is the secret sauce that makes any interaction with technology not just bearable, but enjoyable. A lot of Apple’s initial success was down to Steve Job’s obsession with aesthetics and simplicity. The way the software was designed, the physical hardware, even unboxing the product feels like a special experience. 

    Imagine visiting a theme park with rides designed by engineers who think safety means taking you through a safety briefing, putting on fire proof clothing, spending 30 minutes strapping you in, and another 15 minutes checking you individually. Only to go on a rollercoaster which stays perfectly horizontal and never exceeds 3mph (about 5 km/h for my European friends). Sure, you'll be safe, but would you ever go there again? That’s what bad UX in cybersecurity feels like—a grim endurance test where users are belted and buckled into layers of protocols, each  more confounding than the last.

    Think about it—every time you try to log into a system and encounter a security barrier that feels like jumping through flaming hoops, a little part of your soul dies. And that’s not because the controls are inherently painful, but because we’re not considering what it’s like to be on the other side of those hoops.

    The Case of Multi-Factor Authentication

    Let's put the spotlight on Multi-Factor Authentication (MFA), our darling child of modern security. MFA is like the ultimate bouncer at an exclusive club, demanding not just your ID, but a secret handshake, biometric scan, and maybe a quick blood sample. Yes, it keeps out the riff-raff, but it also makes getting inside a total hassle.

    Let’s look at another example. You need to transfer some money online, and after entering your username and password, you get a prompt for a code sent to your phone. You wait… and wait. Finally, the code arrives, but by the time you type it in, it’s expired. So you try again, each time feeling your irritation levels rise like mercury in an Arizona summer. Sure, your account is safer, but your disposition? Not so much.

    The Case of Patching

    Keeping your devices and software up to date and fully patched is also a great idea. But how many times have you put off an update for days, weeks, or maybe even longer because you know that as soon as you hit update, that device is not only going to be unusable for the next hour, but when it does finally return to life, you have to navigate a list of handy tips, and menu items which have moved around to obscure locations. 

    Yes, updates are important, but not at the expense of nearly half a day's work. 

    Balancing Security and Usability

    This brings us to the eternal struggle between security and usability—each one dancing to a different beat, much like a relationship where one partner is a neat freak and the other, enjoys living in what they like to refer to as an ‘organised mess’. We need a harmonious blend where security measures don’t send users running for the hills. A good example of this is Face ID, where you just glance at your phone, and voila, you’re in. It’s secure, but doesn’t make you fumble about for a security token or type codes in a frenzy.

    In the physical world, look at the humble seatbelt. There was a time when people resisted using them—bulky, uncomfortable, and forgetful. Then came the seatbelt design evolution: sleeker, easier and non-intrusive. Now, almost everyone abides by the law, snapping their seatbelt on without a second thought. And if that doesn’t work, most modern cars will beep at you annoyingly until you do put it on. Security designers need to take a page out of that design revolution’s playbook: make it simple, make it fast, make it seamless.

    The Netflix of Security

    Imagine a world where cybersecurity is intuitive and almost invisible, like a well-designed Netflix queue that just knows what you want to watch next. Instead of slamming users with captcha puzzles or labyrinthine password policies, creators should be thinking about adapting to the user. Adaptive authentication, adaptive training that is delivered to the people who need it <when> they need it, VPNs that will automatically connect when you leave your trusted network. 

    Understanding the Human Element

    In the end, getting users to embrace solid security practices isn’t about browbeating them with fear or burying them in complexity. It’s about creating a seamless and enjoyable experience that makes security feel like a natural extension of their online behaviour. Just as effective seatbelt and UX transformations have shown us, the key lies in designing with empathy and intelligence. As security professionals, our aim should be to choreograph a dance where usability and security move together in perfect harmony, ensuring safety doesn't come at the expense of sanity.

    Security controls shouldn’t just be functional, but dare I say, delightful. Let’s make cybersecurity as smooth as a jazz riff and as intuitive as breathing—because that’s when users will not just adopt, but actually love, staying safe online.

     

    Return To KnowBe4 Security Blog

    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    PST ResultsHere's how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    Go Phishing Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/phishing-security-test-offer

    Topics: Phishing, MFA

    Javvad Malik

    ABOUT JAVVAD MALIK

    Javvad Malik is the Lead Security Awareness Advocate at KnowBe4 and is based in London. Malik is an IT security professional with over 20 years of experience as an IT security administrator, consultant, industry analyst and security advocate. He is also a multi-award winner and is currently a Guinness World Records holder for the most views of a cybersecurity lesson on YouTube in 24 hours.

    Read more from Javvad »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews