Security as a UX priority: The ROI of cyber safety.

Experiencing the Digital World Safely

We live in an age of increasing physical insecurity with epic challenges like the pandemic and climate change. It will take abundant human ingenuity and hard work to make significant progress in these areas, but it’s worth it!

Similarly, we always need to be vigilant about web-based vulnerabilities that can come from identity theft, internet scams, and dangerous sources of disinformation. Our sense of safety determines the quality of our experience both in the real and digital worlds. Anyone who’s faced years of wrangling with resolving online identity theft would concur that the impact of digital and real-world theft can be equally damaging and stressful.

This post focuses on digital security steps we need to implement after a careful analysis of aspects of user experience. Comprehensive and transparent security models vastly reduce online crime, but also encourage a user’s sense of online safety. This, in turn, benefits website owners because users who feel safe are more likely to return and also to stay on a website longer.

Promoting the Sense of Safety in the Digital Environment

Generally speaking, we feel safer in familiar, clean, organized, and well-designed physical environments populated with friendly individuals. In the digital realm, familiar UI (User Interface) components, proper design elements management, organization, and appropriate photo selection can promote similar positive responses. Interestingly, there are strong parallels between the real and digital worlds in terms of psychological dynamics. Moreover, it’s actually easier to change online user behavior than people you encounter in everyday life.

Safety Awareness: The Role of Design

Street signage in the real world can be confusing for many reasons. But lives depend on your state transportation authority designing signs that are easily, intuitively understood by drivers of different education levels and cultures. Key variables include shape, color, text, and easy-to-recognize international icons.

The same dynamic applies to website users. Colors hit the eye, telling the user how to interpret the beginning of their journey. Designers need to spend careful attention at this stage to evoke favorable responses. For example, warm tones communicate safety; striking color combinations alert the mind. The mind also assimilates the text and copy, the sizing, the font, and the words’ tone. A professional sound supports a stronger sense of trust and overall security. Professional images, locally and culturally recognizable digital assets, and an engaging human tone—these elements tell the user they’re in a safe and familiar zone. Without them, their experience suffers, even if the user can’t vocalize why.

Up the Ante, Secure the Interactions too

When companies handle user data with the seriousness it deserves, everyone stands to benefit. Data breaches don’t just hurt the user; they hurt the brand—costly lawsuits and irredeemable reputation damage await them down the road. A user is a company’s most valuable resource, and strong security practices keep them safe enough to return. A returning user is every
company’s end goal; an investment into cyber security is the best place to begin.

Security often gets a bad rap for adding unwanted complexity to the product development process. This impression is often the result of things like security measures being tacked on at the end as an afterthought, a decidedly lousy strategy. Another cause–designers aren’t typically involved with technical decisions, especially at the operations level.

Add-on security features are counterproductive. A design that does not integrate security features from the ground up is hazardous for the user, stakeholders, and the website owner. Security is now everyone’s responsibility, and no single department should be responsible for implementing or maintaining it. So to persuade business stakeholders, call on as many security advocates as possible, such as fellow designers, product managers, engineers, and those in operations. Teach product managers, engineers, and others how crucial security is to both business and user needs. Once everyone understands what’s at stake, they should all be on board.

There’s a reason highways are full of signs. Similarly, a safe web experience is one in which the user knows how they’re being taken care of, what they’re agreeing to when they engage with the interface, and how the company plans to keep them safe. Safety disclaimers don’t need to invade the user’s experience. But a company’s data policies need to be clear, honest, and easily accessible.

UX and security can and must work together. It takes careful research, but website developers can provide a product that’s both easily navigated and highly secure. Bottom line—you must protect your users from malware by whatever means possible. It’s not only the ethical thing to do; protecting users will help shore up your conversion rate while at the same time saving you from any potential litigation.

Know Your User

Begin your design with a careful assessment of the specific kinds of security your user needs. Focus carefully on your user and how security fits their particular needs. Educate your users on how they can use your security features to protect themselves. Integrate that guidance throughout the website, not in a separate segment. Overall, work to ensure you’re your user onsite experience is as smooth as possible. –It’s interesting to note that it’s easier to change user behavior than people in the physical world. So, with careful communication, you can ‘train’ users to improve their security.

What information do your users share online that might be damaging? How, exactly, do they use your product? Convey to your users that your security features are safe–exactly what is required for them to do business safely. As designers, we have to explain why security precautions are necessary to all development team members (without being alarmist or condescending) and why getting users onboard creates a more secure environment for everyone.

Insist on SSL encryption because having that green lock in the address bar will reassure your users. Implement features that encourage users to choose stronger passwords and remind them to give out as little personal information as possible. These steps will increase trust in your product and services. It also helps when your written content is conversational and non-technical, with graphics that users can easily relate to.

Controlling Your Shared Items

Designing what and how info is shared requires careful thought for products with a strong collaborative component (like Google and Facebook). But any sharing poses a security risk to an organization, so it’s essential to get this feature right. Once something is shared, who can see it? Can they edit and share it? Controlling shared items is critical. It’s safest to default private or no sharing. Access to data should be limited based on what info a user needs to do a task. Product designers can take cues from the healthcare industry by allowing users only to view the info he needs to do his job. The less information they have, the less that can be stolen.

Some developers may believe that collecting as much data as possible is a good thing because it creates a more personalized experience. However, between having more information and security concerns, it’s much safer to prioritize the latter. For the same reason, avoid storing sensitive data to proactively protect your data from breaches. Always ask for permission when you feel you need to ignore this guideline.

To further develop trust before users even sign up, your company should adopt a public security policy that can be found easily on your marketing website. In this policy, explain the steps your organization is taking to protect users’ data.

Using compelling graphics and written content, build in as many positive emotions as possible when users interact with security functions. Copy, graphics, and flow constitute a ‘microinteractional’ flow that nudges the user along.

Always Be Transparent

Be aware of the human tendencies of your users but ensure your security precautions don’t remove their sense of agency. Designers who understand their users’ needs can still create products that provide an immersive experience; a product that prioritizes data security builds trust more easily than one that doesn’t.

Make sure your intentions are transparent. Ensure you inform users of how their data is being used and are upfront about what user actions entail. Users should have a say in what information is collected and give their consent to each bit of data processing. They should also have the right to withdraw this consent when they feel like it. Designers should ensure that users also are informed about third parties that might use their data.


Identification is when you claim to be a specific person online. This typically involves entering an email or username. Authentication, by contrast, is proving who you claim to be. This would involve entering a password or using biometric entry, as with scanning your fingerprint. Security flows are the most disliked element of UX. Logging in, remembering your passwords, two-step authentications, Captcha, etc., are not user-friendly.

Logins are the first wave of defense. They’re also easy to hack, especially when interacting with systems that don’t enforce strict password standards and apps that use emails as usernames. Users don’t want their actions under constant surveillance, but they have no idea what happens behind the scenes.

As a product designer, you want your users to identify and authenticate securely while maximizing their usage and enjoyment of the product. This may seem easy to operationalize, but more often than not, it requires difficult compromises. Security flows are not user-friendly. Logging in to a product is not fun. The best way to view security user flows is through a pain-reward lens. Reducing pain and increasing rewards is a standard concept in UX, but here it takes on special importance because it can lead to better security for your users.

No one likes passwords. Passwords have unwanted side effects, too. To avoid the pain, users often cut corners and create insecure passwords, defeating the whole purpose. Fortunately, we have better options. For example, biometrics have improved the UX of security significantly. You’re already identified by the operating system. Scan your finger or face, and you’re in. The idea is that by minimizing friction and simplifying processes, you can help users make better security choices.

What Designers Can Do to Make Identification Easier and Safer

Strongly encourage your product team NOT to allow one’s email address as a username. Logging in with email is generally considered user-friendly, but it’s not security-friendly. What happens if an attacker breaches your email? Then every system that you are connected with is open to attack. You can still use email to recover a username, but using the email as the only username is a significant security risk.

Encourage users to develop strong passwords. Display a checkbox next to mandatory requirements, plus a strength meter to register the security level. Of course, everything that a person does online creates a potential security threat. Users know this and therefore are less likely to use a contact form with too many entry fields. In fact, research confirms that the conversion rate decreases by an incredible 25% for every additional form field. Another case-in-point– Imagescape reduced their contact form from 11 to four fields and gained a 120% increase in conversions. Additional user information is presumably gathered with future product usage.

Come to an understanding with your sales team during the development phase to understand the minimum information they’d require upfront. You might discover, for instance, that progressive forms help minimize what the user perceives as the effort they’re making to gain access to a product.

Summary of Security Measures–

  • Make sure usernames are not emails. Hackers could get access to any system that uses the same email.
  • Ensure error handling doesn’t compromise the site’s safety.
  • Require strong passwords.
  • Use two-factor authentication every time a bank is involved in a financial transaction. This helps to protect login data and credit card information.
  • Find alternatives to passwords for secure authentication, like biometric authentication.
  • Limit data access to only allow users to view and share what they want.
  • Use end-to-end encryption to build trust.


Adding two-factor authentication is an absolute requirement in almost all cases. Two-factor authentication does slow people down a bit because you are adding a few extra steps. But this is perhaps the most effective means of preventing attacks. At the very least, it alerts the user that someone may be trying to breach their account, thus allowing them to take action.

Proper Screening–Step by Step

Proper security practices require a few critical areas of focus—below are some of the most urgent priorities for user-centric cyber-security.

Data Decoupling—By decoupling data from individual users, companies can still benefit from valuable consumer insights without sacrificing the user’s privacy. Rather than subjecting their users to constant surveillance, anonymizing the data allows companies to understand and optimize user behavior without invading their user’s personal world. Many vendors on the market offer application decoupling solutions. Alternatively, decoupling architecture can be embedded into the website during the design stage.

Expiration Dates—Sometimes, it makes sense to pair the data with the user; consumers want to return to e-commerce websites and interact with their order history or see their payment data saved. Still, it’s vital to have solutions in place to dispense with that data within an appropriate time window. A website’s privacy policy should be made clear to the consumer; they should understand what information is being collected, who will have access, and how long it will be kept.

Encrypted Databases—On the back end, sensitive data entered on a website must be stored in encrypted databases. A responsible practice includes the use of a hypertext transfer protocol secure (HTTPS) to encrypt the data being transmitted from the webserver to the user, preventing attacks from any bad actors from lurking on private or public networks. User data is entered on the HTTPS secure website and stored in the database as random letters and numbers, rather than readable information, protecting the data should the database be compromised.

Where and When to Initiate Authentication

You don’t necessarily have to require users to authenticate every time they use your product. A single sign-in is a great way to enhance the user experience. A great example of how a product optimizes for user experience by delaying authentication is Amazon. It recognizes you from your initial authentication and delivers a customized shopping experience based on your personal history and preferences without requiring you to authenticate each additional time. You can revisit the site and put as many products in your basket as you like without ever entering an email and password. Only right before purchase, when the need for security measures is obvious, do they require you to authenticate. This makes for a low-friction and enjoyable user experience.

Of course, you will still use two-factor authentication when credit card or financial information is being input. For the same reason, If you’re building a financial app, you will need to incorporate some serious security measures. Users are generally OK with doing a bit of extra work to keep their money safe.


A rigorous, multi-step CAPTCHA can ruin your UX. When users get annoyed with needing to prove they’re not a robot, they may well not return to your website in the future. Fortunately, CAPTCHA technology is evolving apace, and there are now less taxing but equally effective alternatives out there.

Companies can use TLS or SSL certificates to further secure their users’ information by improving the encryption strength; the larger the bit strength, the longer it takes to decrypt. Asking for authorization credentials from the user before they access sensitive information, and using CAPTCHA security measures to prevent machine tampering, are other powerfully effective ways of thwarting spam and unwanted, outside data extraction.

Alert Users to Phishing and Other Malware Attacks

Phishing is a scam where criminals impersonate legitimate organizations via email, text, or other means to steal sensitive information, sometimes demanding ransom for their return. To protect against phishing, UX designers should create pop-ups that alert users in a way that doesn’t halt their browsing.

Users are experts at avoiding things they dislike. Don’t let security fall into that category. Set up smart perimeters While authenticated, users can carry out critical actions that change the state of their account, such as updating settings and making purchases. When they’re not authenticated, they’re logged out and can’t do anything account-related.

Remember that statistically speaking, your users’ greatest security vulnerability probably stems from their creating bad passwords, not from some nation-state actor operating quantum computers to hack their system. Also, remember that more security doesn’t always lead to more secure users. If poorly designed, it can lead to a product that is too secure for anyone to use.

The Greatest Risk—Human Error

Data breaches are an unfortunate reality of doing business today. But they are avoidable. An incredible eight out of 10 enterprise data breaches can be traced to human error. This isn’t just about careless users. It’s also a design problem. As designers, our job is to be the users’ protector. It’s not enough to make them feel safe when using our product; we must ensure they are safe. Though easier said than done, security must be deeply ingrained