Organisations face the challenge of implementing robust security measures without compromising user experience. Principle 4 of the Secure by Design principles, Design Usable Security Controls, emphasises the need to create security solutions that are not only effective but also intuitive and frictionless for users.
Security vs. Usability
Security and usability are often seen as opposing forces. Security controls are designed to protect, while usability focuses on enabling users to perform tasks efficiently. The common narrative suggests that you can either have a highly secure system that frustrates users or a user-friendly system that leaves holes in your defences. But this misses a key point: poor usability leads to poor security.
When controls are too complex or restrictive, users will bypass them. They’ll find shortcuts, or worse, they’ll abandon the system altogether and use ‘shadow IT’ for handling and sharing sensitive data. On the other hand, overly simplistic controls may not provide adequate protection against threats.
Not a Balancing Act
The idea that security and usability are opposing forces needing a delicate balance is outdated. At Nine23, we believe that it’s not a trade-off—both are absolutely necessary. In fact, spending money on cyber security should be seen as a ‘business enabling’ investment.
Security should never come at the expense of user experience, and usability should never weaken security. The two must work in harmony, ensuring that users can perform their tasks efficiently without compromising security.
Our approach isn’t about finding middle ground between usability and security; it’s about creating solutions where neither has to be sacrificed.
Bad Design Leads to Bad Security: Enabling the End-User
At Nine23, we’ve seen firsthand the consequences of complex and restrictive controls. Following his own experiences, both as an Infantry Soldier and as an Aviator, Stuart Mckean, Nine23 CEO and Founder, found himself using his own equipment to do his job(s) more effectively.
Stuart brought new insights to bear on the challenges of cyber security from an end-user perspective. Having experienced the problem many employees face in using today’s IT equipment to do their jobs effectively and securely, he believes that enabling the end-user should be put first in any solution.
Case Studies
In highly regulated and compliance-driven sectors, such as Central Government, Law Enforcement and the Defence Industry, security cannot fail, but neither can the tools. End-users need to focus on their mission, not wrestle with clunky systems or complex security measures. That’s why we design secure solutions that fit seamlessly into their daily operations.
- Ministry of Defence Data Breach (May 2024): A significant data breach occurred where the personal information of serving UK military personnel was accessed. The breach targeted a payroll system, exposing names and bank details of both current and past armed forces members.
- Cyber Security Breaches Survey 2024: According to the latest survey, cyber security breaches remain a common threat, with half of businesses and around a third of charities reporting some form of breach or attack in the last 12 months. The most common type of attack was phishing.
- General Trends in Data Security Incidents: The Information Commissioner’s Office (ICO) regularly publishes information on data security breaches reported by various organisations. These reports help highlight trends and common vulnerabilities.
- Police Service of Northern Ireland (PSNI) Data Breach (August 2023): The PSNI accidentally released the personal details of all 9,400 officers and staff. This breach included names, ranks, and other sensitive information, leading to significant security concerns.
- Ministry of Defence (MoD) Payroll System Hack (May 2024): A hack targeted the MoD’s payroll system, compromising personal information such as names and bank details of both current and past armed forces members.
- UK Government Email Compromise (March 2024): A phishing attack led to the compromise of several government email accounts. This incident highlighted the ongoing threat of social engineering attacks and the need for robust email security measures.
Conclusion
To effectively implement both usability and security, organisations must adopt a user-centric approach where security is integrated seamlessly into the user experience. Organisations need to understand user behaviour and incorporate security into the design process, ensuring controls are fit for purpose and aligned with the way people work. Regular user research, feedback, and testing are key to making this happen.