The Overlooked Truth: User Experience in Cybersecurity

By Javvad Malik

We live in a world where the term "cybersecurity" tends to make folks either shiver with anxiety or yawn with boredom.

The narrative has always been about hacking, phishing, and all sorts of digital skullduggery. However, the overlooked truth is that users don't adopt best security practices because they’re designed without the slightest nod to the user experience.

It's a bit like asking someone to squeeze through a medieval castle's portcullis just to check their email; the intention is good, but the execution, well, not so much.

The UX Problem in Security Design

User experience (UX) is the secret sauce that makes any interaction with technology not just bearable, but enjoyable. A lot of Apple’s initial success was down to Steve Jobs’s obsession with aesthetics and simplicity. The way the software was designed, the physical hardware, even unboxing the product felt like a special experience.

Imagine visiting a theme park with rides designed by engineers who think safety means taking you through a safety briefing, putting on fireproof clothing, spending 30 minutes strapping you in, and another 15 minutes checking you individually. Only to go on a rollercoaster which stays perfectly horizontal and never exceeds 3 mph (about 5 km/h for my European friends). Sure, you'll be safe, but would you ever go there again? That’s what bad UX in cybersecurity feels like—a grim endurance test where users are belted and buckled into layers of protocols, each more confounding than the last.

Think about it—every time you try to log into a system and encounter a security barrier that feels like jumping through flaming hoops, a little part of your soul dies. And that’s not because the controls are inherently painful, but because we’re not considering what it’s like to be on the other side of those hoops.

The Case of Multi-Factor Authentication

Let's put the spotlight on Multi-Factor Authentication (MFA), our darling child of modern security. MFA is like the ultimate bouncer at an exclusive club, demanding not just your ID, but a secret handshake, biometric scan, and maybe a quick blood sample. Yes, it keeps out the riff-raff, but it also makes getting inside a total hassle.

Let’s look at another example. You need to transfer some money online, and after entering your username and password, you get a prompt for a code sent to your phone. You wait… and wait. Finally, the code arrives, but by the time you type it in, it’s expired. So you try again, each time feeling your irritation levels rise like mercury in an Arizona summer. Sure, your account is safer, but your disposition? Not so much.

The Case of Patching

Keeping your devices and software up to date and fully patched is also a great idea. But how many times have you put off an update for days, weeks, or maybe even longer? You know that as soon as you hit update, the device is not only going to be unusable for the next hour, but also, when it does finally return to life, you have to navigate a list of handy tips and menu items which have moved around to obscure locations.

Yes, updates are important, but not at the expense of nearly half a day's work.

Balancing Security and Usability

This brings us to the eternal struggle between security and usability—each one dancing to a different beat, much like a relationship where one partner is a neat freak and the other enjoys living in what they like to refer to as an ‘organised mess’. We need a harmonious blend where security measures don’t send users running for the hills. A good example of this is Face ID, where you just glance at your phone, and voila, you’re in. It’s secure, but doesn’t make you fumble about for a security token or type codes in a frenzy.

In the physical world, look at the humble seatbelt. There was a time when people resisted using them—bulky, uncomfortable, and easy to forget. Then came the seatbelt design evolution: sleeker, easier and non-intrusive. Now, almost everyone abides by the law, snapping their seatbelt on without a second thought. And if that doesn’t work, most modern cars will beep at you annoyingly until you do put it on. Security designers need to take a page out of that design revolution’s playbook: make it simple, make it fast, make it seamless.

The Netflix of Security

Imagine a world where cybersecurity is intuitive and almost invisible, like a well-designed Netflix queue that just knows what you want to watch next. Instead of slamming users with captcha puzzles or labyrinthine password policies, creators should be thinking about adapting to the user: adaptive authentication, adaptive training that is delivered to the people who need it when they need it, VPNs that automatically connect when you leave your trusted network.

Understanding the Human Element

In the end, getting users to embrace solid security practices isn’t about browbeating them with fear or burying them in complexity. It’s about creating a seamless and enjoyable experience that makes security feel like a natural extension of their online behaviour. Just as effective seatbelt and UX transformations have shown us, the key lies in designing with empathy and intelligence. As security professionals, our aim should be to choreograph a dance where usability and security move together in perfect harmony, ensuring safety doesn't come at the expense of sanity.

Security controls shouldn’t just be functional, but dare I say, delightful. Let’s make cybersecurity as smooth as a jazz riff and as intuitive as breathing—because that’s when users will not just adopt, but actually love, staying safe online.
