
Julia Solórzano


On practicing Security Experience

What's the difference between viruses, trojans, worms, etc? It doesn't matter. It's all crap no one wants on their computer. Stop teaching users worthless information that they'll never use. Taylor Swift

Image source: @SwiftOnSecurity

The practice of delivering online products and services is ever evolving. We are forced to move alongside the shifting tides of technology. In this changing of the tides, new features are created and implemented. How do these changes impact the security and privacy of users? This question brings up something I’d like to call “security experience”.

For a long while now, the role of maintaining the security and privacy of users has been assigned only to Security Operations (SecOps), Site Reliability Engineers (SREs) and/or Engineering practices. These disciplines, and industries, have created standards and guidelines that aim to keep in step with the ever-changing landscape that is the web. Their role is meant to ensure that online products and services are secure and have the users' best interest in mind.

Remove this idea from your brain.

Security and privacy of users is everyone’s job and it should be something every person on your team is incorporating into their workflows. So, let’s talk about what I mean when I specifically say “security experience”.

Security experience is the practice of visual designers, content writers and user researchers focusing on best practices for the security and privacy experience of users. It means taking on work traditionally assigned to SecOps or SREs on a given team and incorporating those practices to create a usable, secure experience.

Content is part of our daily experience while interacting with websites and applications. Whether it’s listening to a podcast or making a purchase online, content guides us through various processes and experiences that help to establish understanding and trust with users. However, in my nearly two decades of experience as a software engineer, content is the “thing” that gets changed most frequently on the web. Let’s go over a specific example to help grok this concept a bit more.

Let’s pretend that you have come to a website to create a new account for a subscription-based service you’d like to start using. You start to fill out the form that says to enter the username you’d like to use. You decide to use your email address as your username, since it is easy for you to remember. You complete the account creation process and sign up for your subscription-based service - yay! A few weeks into your subscription, you start receiving emails from various services that you have never subscribed to before. You find out that the service you just signed up for has shared your username, which is your email address, publicly. You then go to try to change your username, only to find out that the username field is not changeable. Yikes! This all could have been prevented if there had been content that clearly explained that your username would be public and not changeable.
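As an added illustration of the scenario above (example code written for this edit, not part of the original post), here is what "security experience" can look like in a sign-up form: the help text beside the username field is generated from the same policy object that governs the field's behaviour, so the copy cannot silently drift away from reality, and a client-side check warns the user before they submit an email address as a public, permanent username. The policy object, function names and wording are assumptions for illustration only.

```javascript
// Added example, not from the original post. Names, policy values and copy
// are assumptions chosen to illustrate the account-creation scenario.

// The product's username policy. Keeping "what we tell the user" tied to
// "what the system actually does" is the whole point of the example.
const USERNAME_POLICY = {
  isPublic: true,      // shown on profile pages, search results, etc.
  isChangeable: false, // cannot be edited after account creation
};

// Help text derived from the policy, shown beside the field before the
// user types anything. If the policy changes, the copy changes with it.
function usernameHelpText(policy = USERNAME_POLICY) {
  const parts = [];
  if (policy.isPublic) {
    parts.push("Your username is visible to anyone who visits the site.");
  }
  if (!policy.isChangeable) {
    parts.push("It cannot be changed after you sign up.");
  }
  parts.push("Do not use your email address or other private information.");
  return parts.join(" ");
}

// Loose "looks like an email address" check (something@something.tld).
// It only needs to be good enough to trigger a warning, not to validate mail.
function looksLikeEmail(value) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim());
}

// Warnings to display as the user types, before the irreversible step.
function usernameWarnings(value, policy = USERNAME_POLICY) {
  const warnings = [];
  if (policy.isPublic && looksLikeEmail(value)) {
    warnings.push(
      "This looks like an email address. Usernames are public, so everyone " +
        "would be able to see your email address."
    );
  }
  if (!policy.isChangeable && warnings.length > 0) {
    warnings.push("You will not be able to change your username later.");
  }
  return warnings;
}

// Browser wiring: call this with the <input>, a help element and a warning
// element. Pure functions above stay testable without a DOM.
function attachUsernameCheck(input, helpEl, warnEl) {
  helpEl.textContent = usernameHelpText();
  input.addEventListener("input", () => {
    warnEl.textContent = usernameWarnings(input.value).join(" ");
  });
}
```

The design choice worth copying is that the disclosure text is computed from the policy rather than typed by hand: when content is the thing that changes most often, a hard-coded sentence saying "you can change this later" is exactly the kind of copy that quietly becomes false.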

So, you’ve read this far and maybe I’ve convinced you, and you are wondering how to get started. Here are three tips on how User Experience professionals can make the shift into Security Experience:

  1. Learn about your product’s and/or service’s security and privacy practices. Start breaking down the silo between UX and Security and learn about your product and/or service’s security. This could look like grabbing a (virtual) coffee or tea with the folks on your team who practice security and privacy. What do they find important? What does their day to day look like? It’s also a great way to meet some super rad and smart people. I might be biased :)
  2. Join your team’s security drills. Most security teams run regular drills as a way to prepare. Join them! Be a fly on the wall and learn how they operate during an incident. This helps you to build empathy and learn how your team operates. It will also give you insight into how and when users are alerted of incidents.
  3. ABTAS: Always be thinking about security. ALWAYS. With products and/or services shifting to being primarily online, it’s critical for us to ask ourselves questions about the security of what we are designing, writing and/or researching. How would [x] feature impact the security and privacy of users? What can we do to help ensure we are building the best product possible?

My hope in writing this is to start the conversation for the disciplines of visual design, content writing and user research to incorporate security into their practices. Not doing so is as irresponsible as creating inaccessible products and services. We hold this responsibility as people “making things on the internet” now more than ever.