From Sebastian Wittor

Cybersecurity and usability are often perceived as opposing forces. To increase security, complex passwords, multi-level authentication processes, strict access controls and user behavior requirements are implemented. But if you look at the behavior of the average user, two characteristics are easy to identify:

  • Their affinity for technology is, on average, significantly lower than that of the people who developed the system.
  • Strict requirements on user behavior cause frustration and confusion among users, who may become careless with their security practices or, out of defiance, indifferent to the security measures altogether.

The result is catastrophic from a cybersecurity perspective. Security functions such as lock screens or logins are deliberately deactivated. Users reuse one memorable password across accounts, or even write it on a Post-it and stick it next to the system. And so the security measures produce less security, not more.

The approach: cybersecurity by usability

The approach of effective cybersecurity by usability begins with the integration of security measures into the everyday lives of users. This could include the implementation of biometric authentication methods, such as fingerprint or facial recognition, or the use of user-friendly password managers. The focus is on ensuring that security is not perceived as a disruptive element, but as a natural part of digital interaction.

The ideal state is reached when users choose to use the security features of their own accord, because using them takes less effort and is more convenient than deliberately bypassing them.

User-friendly design for more cybersecurity

User-friendly design plays a key role in implementing cybersecurity by usability. Users should be involved in the design process from the outset so that security is not treated as an afterthought. A few points already raise the security quality of the product considerably:

  • Separation of identification and authentication

    A secret is required for authentication, but not for identification. Let the device itself identify the user; then only the authentication step needs a secret, and that secret can be short: easy to remember, yet hard to crack. A 5-digit PIN with a limited number of attempts and an ever-growing waiting period before the next entry is, for example, far more secure in practice than a large number of passwords that users have to remember (and therefore reuse or write down). This holds only as long as the attempt limit is enforced where an attacker cannot bypass it, i.e. on the device itself, and the PIN cannot be tested offline.

  • Reduction of required security-relevant user knowledge

    A secret that users do not know cannot be leaked or lost. It is therefore important to analyze, in the context of the respective application, whether and how users need to be involved in security-relevant processes at all.

  • User feedback during data processing

    A major security risk is irrational user behavior. A user who receives no feedback during a lengthy operation becomes frustrated and starts acting erratically: triggering the same function repeatedly or by accident, and in the worst case manipulating or losing data. Visible feedback while data is being processed, such as a progress indicator, prevents this.

  • Clear error message

    Software is never free of errors. But users should not be left alone when an error occurs. Clear information on cause and effect prevents the irrational user behavior described above.

  • Visual identification of user and admin as well as test and live environment

    Several applications open in parallel quickly cause confusion, especially when users are under time pressure to change settings. It becomes critical, for example, when they unknowingly change configurations or perform operations in the live environment instead of the test environment. A clearly visible marker of the current role (user or admin) and environment (test or live) removes this ambiguity.
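The PIN scheme from the first two points above (a device-bound secret the user never sees, plus a short PIN whose only protection is the attempt throttle), as an added example that is not code from the article or from BAYOOMED. It assumes a 5-digit PIN, three free attempts, a 30-second lockout that doubles on every further failure and is capped at one day; the class and function names and the sample PIN are made up for this illustration.

```python
"""Device-bound PIN check with attempt limiting and growing lockout.

Added example (not code from the original article): the device holds a
random key that identifies it and that the user never sees; the user only
knows a short PIN. Every wrong guess widens the window before the next
attempt. Names, the lockout policy and the sample PIN are assumptions.
"""
import hashlib
import hmac
import secrets
import time


def lockout_seconds(failures: int, free_attempts: int = 3,
                    base_lockout: float = 30.0, max_lockout: float = 86400.0) -> float:
    """Waiting time imposed after `failures` consecutive wrong guesses.

    The first `free_attempts` failures cost nothing (typos happen); after that
    the lockout starts at `base_lockout` and doubles per failure, capped at
    `max_lockout` so a legitimate user is never locked out for good.
    """
    if failures <= free_attempts:
        return 0.0
    exponent = min(failures - free_attempts - 1, 64)  # 2**64 * base exceeds any sane cap
    return min(base_lockout * 2.0 ** exponent, max_lockout)


class PinVerifier:
    """Verifies a 5-digit PIN; the throttle, not the PIN length, is the defence."""

    def __init__(self, pin: str, free_attempts: int = 3, base_lockout: float = 30.0,
                 max_lockout: float = 86400.0, clock=time.monotonic):
        if not (pin.isdigit() and len(pin) == 5):
            raise ValueError("PIN must be exactly 5 digits")
        self.free_attempts = free_attempts
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._clock = clock
        # Generated on the device and never displayed: a secret the user does
        # not know cannot end up on a Post-it. On real hardware this key and
        # the failure counter would live in a secure element.
        self._device_key = secrets.token_bytes(32)
        self._pin_tag = self._tag(pin)
        self.failures = 0
        self._unlock_at = 0.0  # clock value at which the next attempt is allowed

    def _tag(self, pin: str) -> bytes:
        # HMAC keyed with the device key, so the stored tag is useless without
        # the device. An attacker who extracts the key can still test all
        # 100,000 PINs offline in milliseconds; key stretching does not rescue
        # a 5-digit space, only the on-device attempt limit does.
        return hmac.new(self._device_key, pin.encode(), hashlib.sha256).digest()

    def seconds_until_allowed(self) -> float:
        return max(0.0, self._unlock_at - self._clock())

    def verify(self, pin: str) -> bool:
        """True on a correct PIN; False if wrong or if still locked out."""
        if self.seconds_until_allowed() > 0:
            return False  # rejected without comparing; does not count as a guess
        if hmac.compare_digest(self._tag(pin), self._pin_tag):
            self.failures = 0
            self._unlock_at = 0.0
            return True
        self.failures += 1
        self._unlock_at = self._clock() + lockout_seconds(
            self.failures, self.free_attempts, self.base_lockout, self.max_lockout)
        return False


def seconds_to_exhaust(space: int = 100_000, **policy) -> float:
    """Wall-clock time needed to try every PIN in `space` against the device."""
    # The attacker waits after each wrong guess; the final guess needs no wait.
    return sum(lockout_seconds(f, **policy) for f in range(1, space))


if __name__ == "__main__":
    years = seconds_to_exhaust() / (365.25 * 24 * 3600)
    print(f"exhausting a 5-digit PIN space online takes about {years:.0f} years")
```

With this policy, trying all 100,000 PINs against the device takes roughly 274 years (12 doublings, then one day per guess), which is what makes a 5-digit secret acceptable. The figure is meaningless if the counter or the device key can be read or reset from outside, so on a medical device both belong in hardware the attacker cannot bypass, and the legitimate user still needs a recovery path that does not reintroduce a long password.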

Conclusion

The combination of cybersecurity and usability is essential in order to create a truly secure product. Developers should understand that user-friendliness and security are not a trade-off. Instead, they should be seen as inseparable elements that go hand in hand to provide effective security for users.

By seamlessly integrating security into the usability of the product and applying user-centered design, we can create products that are secure and easy to use at the same time.

Sebastian Wittor
Cybersecurity Expert

Sebastian Wittor is cybersecurity expert at BAYOOMED and has been supporting our customers in the secure development of their medical devices as Project Manager Medical Engineering for over three years.