There is a common misconception that users must trade simplicity and usability in exchange for protection from cyber risks. However, in search of the right balance between security and usability, a key concept has been missed. It is increased usability that promotes stronger security. Usability should not be equated with simplicity in the technology world. Simple to use security solutions that are intuitive and seamlessly embedded into everyday tasks, will allow non-technical employees to support the organization’s cybersecurity strategy. Without clearly thought out security control design, the organization will face low adoption rates which will result in a higher exposure to cyber risks.
The relationship between usability and adoption rates
Usability has a direct impact on adoption rates. If a new process is confusing or difficult to use fewer people will use it. Low adoption rates will greatly hinder the success of a security initiative. Additionally, If employees are not operating a service to its full capacity, the organization is not achieving a return on the technology investment. The main problem with the typical built-in security systems is that they are only effective if the user alters their process with extra steps. Most non-profit employees are often working with a limited budget and tight labor force. Additionally, more tenured employees become used to their existing work processes and routines. As a result, forced changes in procedures may result in confusion and a reluctance to follow the new process.
For example, Outlook includes an email encryption feature which requires additional steps from the user to complete. On other email systems, users are required to create an account and log onto a separate portal in order to receive their secure mail. In this scenario, barriers are placed in front of the users which in turn lowers likelihood of adoption.
Becoming an Enabler: Striking the Balance
The focus must be on adopting technology controls which are integrated into the existing way of working, intuitive and easy to use. Security engineers must take the user experience into account when developing or modifying a security control. The following questions should be discussed:
- Do we understand the user’s current business process?
- What is the level of risk associated with this process?
- How does the technology we are introducing / changing support the process?
- How will the proposed control impact this process?
- If the process must be modified, how will the users be trained?