System Usability, Security, and Privacy: A Beautiful Union

December 2, 2015 Zach Schmitt

Originally published on The Compliance & Ethics Blog

In this sociotechnological age, the digital revolution in our midst now bears counterbalancing concerns for security and privacy. User utility is no longer just thought of as the overall experience and benefit of IT products and services. System protection is now a primary consideration, however, employing security and privacy safeguards without disrupting usability can be a serious challenge.

"User utility is no longer just thought of as the overall experience and benefit of IT products and services."

Human-computer interaction and security (HCISec) is the computer science study that explores the interrelationship between usability and security and privacy. Many believe that usability is the inverse of security and privacy; the easier a system is to use, the less protected it is. HCISec proposes that the three concepts can be made synergistic if certain principles and methodologies are carried through the development life cycle. A security and privacy framework is intended to make undesirable actions and incidents more difficult, and usability aims to make desirable actions and incidents easier for the user. So it may be true to say that improving one can also improve the other. Usability and system fluidity should minimize unintentional and involuntary actions. Secured, privatized systems should prevent and mitigate undesirable use. To deliver on this duality, innovators, developers, security personnel, and privacy counsel must lock arms and embrace security and privacy from design to implementation.

Security by Design

System development, like in conventional architecture, must carefully take into account the environment in which systems will be built and used. Security blueprinting should start in the concept phase and controls should be employed based on the risk environment. System protection mechanisms are too often ineffective or seem cumbersome because they’ve been bolted on towards the end of the development life cycle and fail to respect associated risks. Controls ought to be tailored like user experience and interaction features are based on study and analysis. Identify what a user’s required aptitude, attention, vigilance, and motivation must be. Consider how memorable and repetitive the controls are. Recognize the social context.

Privacy by Design

Like security, privacy must on the docket at the start of system development as well to successfully promote accountability and transparency. A privacy control framework should be developed to address both potential and actual risks by default. Effectively educating users and providing assurance through multi-layered notice, intuitive consent options, adequate disclosures, and rightful data collection, use, and retention practices will reduce user apprehension; ultimately contributing to a better overall feeling of usability.

Symbiosis between usability, security, and privacy truly depends on prioritization and first understanding that these concepts can complement each other if approached properly. It really is a matter of culture; if your organization can accept that development may require more research, planning, collaboration, and man hours to ultimately build a better product or service.

The question is: can you fairly measure usability, security, and privacy as they truly must be weighed?

About the Author

Zach Schmitt

A manager with Schellman, Zach Schmitt has a concentration in IT security and privacy in the Washington D.C. attestation and compliance practice. He is a member of the International Association of Privacy Professionals (IAPP) and endeavors to share his observations and feelings on the certain evolution of data security and privacy. Zach is a graduate of Virginia Tech and has BAs in Accounting & Information Systems and Marketing Management.

Previous Article
IAPP Practical Privacy Series Recap
IAPP Practical Privacy Series Recap

IAPP Practical Privacy Series Recap: Common Shortcomings of Incident Management and Breach Notification Pro...

Next Article
Schellman's Avani Desai Featured on IIA AuditChannel.tv
Schellman's Avani Desai Featured on IIA AuditChannel.tv

Avani Desai, Schellman’s Chief Marketing and Communications Officer, provides a brief overview of privacy t...