Cyber security and the importance of usability

There is nothing new or unusual about the need to design usable systems. A whole industry has grown up around the business of making sure that commercial websites and apps are easy to use and deliver the behaviour, such as spending money, that the owners of those websites and apps want to see.

Usable systems generally require three things: the system has to be useful, or at least perceived as useful, by the end user; the system has to be easy to use by the end user; and the system has to be persuasive, so that the user takes the actions that the owner desires.

Is cyber security any different?

These three requirements of utility, usability and persuasiveness are seen in cyber security systems too. However, there are some differences compared with the consumer-facing world. Making sure a cyber security system succeeds is in some ways more important than making a commercial system succeed.

One issue is that the cyber security system has to work for everyone: potentially if just one person fails to use the system properly then the organisation will be put at risk.

In addition, cyber security systems are like stable doors – they need to be shut at the right time, as there is no use locking them after a breach has happened. If an online shop doesn’t work for some reason then the user can go back and try again, but with a cyber security system, if it doesn’t work first time then the damage may already be done.

These are stringent requirements. Unfortunately the nature of cyber security means that these requirements are hard to meet:

  • Users have little motivation to comply with security requirements as keeping secure is not their main purpose; indeed security systems are part of a technical infrastructure that may have no real meaning or relevance to the end users
  • Security systems can “get in the way” of tasks and so can be thought of as a nuisance rather than a benefit
  • Security systems are often based on arbitrary and little understood rules set by other people, such as those found in security policies, rather than on the desires of the end user
  • Users may find complying with the requirements of security systems socially difficult as they may force the user to display distrust towards colleagues

These are all challenging issues, and any security system you design needs to ask the very minimum of effort from the user if it is to overcome them.

Unfortunately many cyber security systems demand a degree of technical knowledge. For instance they may use jargon: “Do you want to encrypt this document?” will have an obvious meaning to anyone working in IT but may mean nothing to some users.

Furthermore some security requirements may of necessity require a degree of “cognitive overload”: the requirement to remember a strong password (perhaps 12 random characters) is an example. Again this will cause additional difficulty.

Users are not naturally motivated towards cyber security systems. And they may find them hard to use. So how can success – universal and efficient use of systems – be achieved?

Delivering success

Start with the end user. Use a combination of interviews (including the standard “speak aloud” protocol used by many UX practitioners), observation and expert evaluation to identify where the obstacles to successful use of the system lie. Obviously the usual rules of good usability will apply: consistency, reduced cognitive overload, feedback, and help when mistakes are made.

Learnability is also important. Accept that some form of help may be needed by the user and ensure that this is available, ideally within the system. Help files shouldn’t just tell people how to achieve something but also why it is important.

But for cyber security systems there is also a lot of work to be done around persuasion. This will involve educating the end user about the importance of the system – how it protects their organisation, and how it protects them as individuals.

It will also involve ensuring that the system is credible – that end users realise that the system does what it is supposed to do and isn’t just a tick box exercise or something dreamed up by the geeks in IT to make everyone’s lives that little bit harder.

And it will involve demonstrating to the end user that all their colleagues are using the system – and if they don’t use it then they will be out of line with the majority.

“Usability is not enough” is a common theme in retail website design. It is even more important in the design of cyber security systems.

Twenty tips for a great mobile customer experience

With mobile access now accounting for over 15% of web use (and rising) it is increasingly important to ensure that your customers get a satisfying mobile web experience.

That means thinking about the context of use, and planning content and functionality appropriately; for instance to reduce “showrooming” it may be important to ensure that vouchers and special offers are particularly salient on a mobile device.

It means taking account of the nature of the device; for instance the fact that it can easily be moved from portrait to landscape and that it may have telephone and geo-location functionality.

But it also means thinking about design-related customer experience issues, and how these differ from the experience your customers will get when using a fixed PC. That’s what I am covering in this post. So, in no particular order, here is my list of the top twenty ways to improve the customer experience when developing your mobile website.

  1. Think carefully about what you want to do with the home page. It should allow people to get an overview of the whole site. Take care with the fold on the home page (and indeed all pages if possible): designing a home page so that a section finishes neatly at the bottom of a common mobile screen size won’t help people to discover content beneath the fold.
  2. Make sure smartphone users are not prevented from seeing the “classic” version of your site (i.e. the version for fixed PC). There should be an easy-to-find link to it on your mobile optimised site.
  3. Don’t disable the phone’s “back” button. Instead supplement it with a “soft” back button on every page, as some people will be more likely to trust this.
  4. Where your customers are encouraged to input data, ensure that the data persists if they go backwards in the site or if their connectivity is interrupted in any way (i.e. make sure that they don’t have to input it again if something unexpected happens). This is basic website usability but especially important with mobile devices where data input can be difficult.
  5. Provide navigation that is appropriate for a small mobile device. This doesn’t just mean thinking about the navigation options a mobile user will need most (although that’s important). It means thinking about where best to place the navigation and what sort of functionality it should have. Some people recommend putting it at the foot of the page; others providing a cut down or collapsible navigation; and yet others using the home page for navigation and a link back to the home page as the only navigation on all other pages.
  6. Provide a site search box at the top of the home page.
  7. Wherever possible collapse content (e.g. just show the first line or a headline and let people tap on it to expand it) so that people can choose to see more of it but also have an opportunity of seeing plenty of other content options as well.
  8. If you are having to use redirects or links to other versions of the site then make sure they work and deliver the content that your customers will be expecting.
  9. In general mobile sites should be considerably smaller, slicker and faster to load than fixed PC sites. Reduce file sizes even if it means reducing image quality. Reduce the amount of text in the mobile site; people are even less likely to read long screeds of words than they are with the fixed internet. Avoid automatic page refreshes and be very sparing with carousel features. One nice strategy is to write and design the mobile content first and then expand it for tablets and fixed PCs.
  10. Make it easy to see content. Avoid anything that gets in the way of content, especially pop ups and interstitials.
  11. Calls to action should be big and easy to see. Allow sufficient non-clickable space between two or more different calls to action. Make as much of an item clickable as possible. For instance don’t rely on a text link if there is an image that can be made clickable as well.
  12. Make sure your fonts are readable. Avoid reversed-out text and ensure default font sizes are a reasonable size for reading. Ensure plenty of contrast between text and background – remember that people may be reading your text outside in bright sunlight.
  13. Single column layouts work well; use them unless there are particular reasons for having a multiple column layout.
  14. Reduce text input requirements as far as possible. For instance with dates it may be preferable to have drop down menus with radio buttons rather than forcing people to type in a date.
  15. Allow password content to show briefly when the user inputs it so they can confirm they are typing it in correctly. Of course this won’t always be appropriate (e.g. for banking apps) but much of the time this is a good compromise between security and usability.
  16. Consider using quiz questions rather than Captcha text which can be very hard to get right on a small screen.
  17. Avoid horizontal scrolling, especially with text.
  18. Offer captions with video: don’t assume people will be in a position to play audio – or even to hear audio.
  19. Make sure that video plays. If your site has Flash video then you need to offer an alternative format in your mobile site that all devices can play – or adapt your content so the opportunity to play video no longer exists.
  20. Take care with form design. Mandatory fields should be very obvious (little asterisks probably won’t be sufficient) and ideally optional fields (except for optional address fields) should be deleted. Ensure text input boxes are as large as they can be by placing text box labels above the text box rather than to the left.
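Tip 15 describes the common mobile compromise of showing a password character briefly as it is typed. The following is an added example, not code from the original post: a small field model in which the real secret is never written into the display string, only the most recently typed character is revealed, and only for a short window. The function and option names, and the 1500 ms window, are assumptions made for this example; the `allowPeek` switch is there so that higher-sensitivity contexts such as banking apps, where the post says the reveal is not appropriate, can keep the field fully masked.

```javascript
// Added example (not from the original post): a "peek at the last character"
// password field model. The display string is derived from the secret on each
// render; the secret itself is only ever returned by value().
const PEEK_MS = 1500;           // assumed reveal window, in milliseconds
const MASK = '\u2022';          // bullet character used for masked positions

// Options (all assumed names for this example):
//   peekMs    - how long the last typed character stays visible
//   now       - clock function, injectable so behaviour can be tested
//   allowPeek - false for contexts where no character should ever be shown
function createPeekField({ peekMs = PEEK_MS, now = () => Date.now(), allowPeek = true } = {}) {
  let value = '';               // the real password, never placed in the DOM
  let lastTypedAt = -Infinity;  // timestamp of the last keystroke

  return {
    // Append one typed character and start the reveal window.
    type(ch) {
      value += ch;
      lastTypedAt = now();
    },
    // Deleting a character never reveals the one before it.
    backspace() {
      value = value.slice(0, -1);
      lastTypedAt = -Infinity;
    },
    // The real secret, for submission only.
    value() {
      return value;
    },
    // What the visible text box should currently show.
    display() {
      if (value.length === 0) return '';
      const masked = MASK.repeat(value.length - 1);
      const peekActive = allowPeek && (now() - lastTypedAt) < peekMs;
      return peekActive ? masked + value[value.length - 1] : masked + MASK;
    },
  };
}

// Example wiring to a page: keep a visible <input type="text"> in sync with
// display() on every keystroke and after the window expires, and read value()
// only when the form is submitted. Shown here as a function so the model
// above stays runnable outside a browser.
function attachToInputs(field, visibleInput, submitHandler) {
  visibleInput.addEventListener('keydown', (ev) => {
    if (ev.key === 'Backspace') field.backspace();
    else if (ev.key.length === 1) field.type(ev.key);
    else return;
    ev.preventDefault();
    visibleInput.value = field.display();
    setTimeout(() => { visibleInput.value = field.display(); }, PEEK_MS + 10);
  });
  visibleInput.form?.addEventListener('submit', () => submitHandler(field.value()));
}

module.exports = { createPeekField, attachToInputs, PEEK_MS, MASK };
```

Because the visible input holds only the masked string, nothing that copies the box's contents (autofill heuristics, screen readers reading the field, a screenshot taken a second later) ever sees more than one character, and the `allowPeek: false` configuration gives exactly the behaviour of a conventional masked field.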

Of course there is a lot more to designing good mobile sites than the 20 guidelines I have set out above. The people at Smashing Magazine (who know far more about design than I do) have a huge amount of advice. And User Testing have some very detailed advice about the really important area of form design. But the guidelines above should at least enable non-designers to have an opinion about whether their company’s mobile site is serving their customers well.