Designing a Security Function that Works
It’s all about the user experience. Steve Jobs made it cool at Apple. Architects have been doing it since architecture became a profession. Retailers employ it to sell you more stuff. Online retailers, too. Even ASIS International used it when redesigning the format for GSX 2020.
At its heart, user experience is about designing… something… with the intent of making it as easy and pleasurable for users as possible. That something can be anything from software to a nail gun to a process people must follow. One thing about user experience: kind of like security and risk management, you often don’t notice it when it’s done well, but you definitely notice when it’s done poorly (I’m looking at you, airline coach seat designers).
A webinar from Security Management and HID Global, “What’s User Experience Got to Do With It? How Creating a Great User Experience Improves Physical Security,” examines security practices through the lens of user experience. The webinar is free on-demand with registration. So what’s the secret to an intuitive, easy-to-follow, and user-friendly security design?
In the webinar, Don Campbell and Ian Lowe from HID Global note that security directors should ask themselves the following questions:
- Does the user understand the process and the reason for the process?
- Does the user need detailed instructions to understand the process?
- Does the process seem appropriate to the user?
- Does the user feel more secure?
- Does the user trust your brand?
- Does the user want to follow the process?
The dangers of a poorly designed security process can manifest in several ways. Workers could try to find workarounds, ignore the process, or, worse, try to subvert the process and beat the system. Even if workarounds or subversion are not an issue, a poorly designed security user experience certainly causes morale issues through frustration and waste through inefficiencies.
Campbell presented a personal, quick example. One of them needed to gain access to a building, and a secure spot in that building, in an office in a different city from their work location. Here’s a depiction of that process:
Now, a good user experience, meaning one that cuts out inefficiencies and frustrations, is easy to use and understand, and still accomplishes security goals, could look like this:
Campbell and Lowe point out a lot of the complexities that security directors face. It’s complicated enough that there are employees at different locations, all with varying levels of permissions or access. In addition, there will be all manner of other classifications of people that security must take into account when developing an access policy and system: visitors in for a meeting, short-term contractors or employees, long-term contractors such as cleaning people, suppliers and delivery people, tenants, customers, and the list could go on. Different locations may employ different systems, or at least have different processes or protocols based on the unique factors of each location. Merger and acquisition activity means different systems and different cultural norms.
The practical advice for security directors looking to build a great security user experience is for them to develop key performance indicators. A simple one applicable to every organization is new employee onboarding: How long does it take to set up? Are new employees granted the accesses they require as soon as they need them? Are there duplicate processes involved?
Digging deeper, security processes and systems are going to be highly dependent on the sector of the organization, the culture of the organization, and the size and scope of its security needs. When developing the more complex and organization-specific key performance indicators, a guiding principle is to ask the question: Does the risk align with the process? Security has a vital responsibility in organizations centered around risk. The design of the security function, and all adjoining and aligning processes and systems, will go a long way to determining if an organization is positioned to maximize its mitigation of and response to those risks.
“Whenever you see a bad user experience, you should dig behind it to see how much it’s costing,” says Campbell. “It’s not just something where we’re doing this to make people feel better.”
When employees work around processes they find encumbering, or processes do not fully address the security need, then the security design is introducing risk, and there’s a real potential cost to that. And when processes have unnecessary redundancies built in, cause a work delay because certain approvals or checks are needed, or are complicated and misapplied, an organization can suffer serious losses in waste and inefficiency.