{"id":697729,"date":"2020-10-13T11:32:28","date_gmt":"2020-10-13T18:32:28","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?post_type=msr-blog-post&p=697729"},"modified":"2020-10-14T09:25:47","modified_gmt":"2020-10-14T16:25:47","slug":"designing-user-experiences-that-support-security-and-compliance","status":"publish","type":"msr-blog-post","link":"https:\/\/www.microsoft.com\/en-us\/research\/articles\/designing-user-experiences-that-support-security-and-compliance\/","title":{"rendered":"Designing user experiences that support security and compliance"},"content":{"rendered":"

By Megan Brown (opens in new tab)<\/span><\/a><\/p>\n

\"\"

Photo credit: iStock<\/p><\/div>\n

While it may\u00a0<\/span>not appear to be the case<\/span>, when it comes to\u00a0<\/span>s<\/span>ecurity<\/span>\u00a0<\/span>and<\/span>\u00a0<\/span>c<\/span>ompliance<\/span>, providing\u00a0<\/span>a good<\/span>\u00a0end user experience\u00a0<\/span>is<\/span><\/i>\u00a0top of mind for enterprise decision-makers.<\/span>\u00a0<\/span>Why is the user experience (UX)\u00a0<\/span>in<\/span>\u00a0this\u00a0<\/span>area<\/span>\u00a0so important?\u00a0<\/span>To be effective, Information Workers (IWs) must use security and compliance\u00a0<\/span>features,\u00a0<\/span>and<\/span>\u00a0use them correctly. Otherwise, the solutions the organization has invested in don\u2019t provide the intended value<\/span>\u00a0in helping the organization remain safe, secure, and compliant<\/span>.\u00a0<\/span>Stated<\/span>\u00a0well by\u00a0<\/span>a<\/span>\u00a0decision-maker<\/span>:<\/span>\u00a0\u201c<\/span>No one wants to do compliance, right? It\u2019s the worst part of everyone\u2019s job \u2026 but it\u2019s the thing that\u2019s most important, so we need to make it as simple as possible.\u201d<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

When doing user<\/span>\u00a0<\/span>research<\/span>\u00a0on security\u00a0<\/span>and<\/span>\u00a0compliance experiences in<\/span>\u00a0Microsoft Office,\u00a0<\/span>we\u2019ve uncovered learnings about how to design better experiences in this space.<\/span>\u00a0<\/span>Through focus groups, usability studies, and customer conversations, we have been\u00a0<\/span>hearing themes\u00a0<\/span>about the top areas to focus on when designing end user facing security\u00a0<\/span>and<\/span>\u00a0compliance features.\u00a0<\/span>These areas of focus demonstrate the<\/span>\u00a0need for\u00a0the design\u00a0to achieve these five tenets:\u00a0<\/span>Understandable<\/span><\/b>,\u00a0<\/span>Efficient<\/span><\/b>,\u00a0<\/span>Habituating<\/span><\/b>,\u00a0<\/span>Discreet<\/span><\/b>, and\u00a0<\/span>Beautiful<\/span><\/b>.\u00a0<\/span>\u00a0<\/span><\/p>\n

These design principles represent a subset of tenets from the\u00a0<\/span>UI Tenets & Traps<\/span> (opens in new tab)<\/span><\/a>\u00a0framework, a heuristic framework<\/span>\u00a0<\/span>for evaluating user interfaces<\/span>\u00a0(UI)<\/span>\u00a0t<\/span>hat, when followed, can quickly and effectively improve a design.<\/span>*<\/span>\u00a0Read on to learn their significance in the context of the\u00a0<\/span>s<\/span>ecurity\u00a0<\/span>and c<\/span>ompliance<\/span>\u00a0space<\/span>.<\/span>\u00a0<\/span><\/p>\n

Fi<\/span><\/i><\/b>ve\u00a0<\/span><\/i><\/b>design\u00a0<\/span><\/i><\/b>tenets<\/span><\/i><\/b>\u00a0for end user security and compliance experiences<\/span><\/i><\/b>\u00a0<\/span><\/p>\n

    \n
  1. Understandable<\/span><\/b><\/li>\n<\/ol>\n

    \u201cWhen a UI is understandable, the user is aware of the actions they can take because the UI contains concepts that are learned quickly.\u201d \u2013 UI Tenets & Traps<\/span><\/i>\u00a0<\/span><\/p>\n

    Why make it Understandable?<\/span><\/b>\u00a0<\/span>W<\/span>hen\u00a0<\/span>I<\/span>W<\/span>s\u00a0<\/span>have a limited understanding\u00a0<\/span>of how to\u00a0<\/span>uphold security and compliance<\/span>, they cannot\u00a0<\/span>reliabl<\/span>y<\/span>\u00a0do so<\/span>\u00a0for their organization<\/span>.<\/span>\u00a0<\/span>Unfortunately,\u00a0<\/span>it is not uncommon for\u00a0<\/span>IWs<\/span>\u00a0to<\/span>\u00a0<\/span>lack knowledge in two\u00a0<\/span>key<\/span>\u00a0areas: (1) the tools, more specifically that they exist and how to use them, and (2) general knowledge of compliance rules and security best practices. While IT departments<\/span>\u00a0do<\/span>\u00a0send out training material, organizations are<\/span>\u00a0still<\/span>\u00a0experiencing\u00a0<\/span>lack<\/span>\u00a0of engagement with the tools and incorrect\u00a0<\/span>u<\/span>se,<\/span>\u00a0leaving assets unprotected or with inadequate protection.<\/span>\u00a0<\/span><\/p>\n

    \"\"How might\u00a0<\/span>a design<\/span>\u00a0reduce complexity\u00a0<\/span>for\u00a0<\/span>IWs<\/span>?<\/span>\u00a0<\/span>Conduct user research to understand<\/span>\u00a0what the end users do and do not already know, then<\/span>\u00a0use<\/span>\u00a0the<\/span>\u00a0terms<\/span>\u00a0that are familiar to users<\/span>\u00a0in the\u00a0<\/span>UI<\/span>.\u00a0<\/span>If<\/span>\u00a0<\/span>it is necessary to introduce new concepts<\/span>,\u00a0<\/span>provide\u00a0<\/span>a<\/span>\u00a0way for\u00a0<\/span>users<\/span>\u00a0to lear<\/span>n<\/span>\u00a0about them.<\/span><\/p>\n

      \n
    1. Efficient<\/span><\/b><\/li>\n<\/ol>\n

      \u201cA UI is efficient when users perceive that they are doing things in a minimal number of steps.\u201d \u2013 UI Tenets & Traps<\/span><\/i>\u00a0<\/span><\/p>\n

      Why make it Efficient?<\/span><\/b>\u00a0Productivity is often at odds with\u00a0<\/span>s<\/span>ecurity\u00a0<\/span>and<\/span>\u00a0<\/span>c<\/span>ompliance. When IWs are trying to accomplish their work, any security or compliance step that gets\u00a0<\/span>in the way<\/span>\u00a0feels like a burden<\/span>.<\/span>\u00a0<\/span>This\u00a0<\/span>often\u00a0<\/span>leads\u00a0<\/span>to\u00a0pushback\u00a0and help desk calls. On the flip side, when these features are too subtle or do not appear within their main workflows,\u00a0<\/span>s<\/span>ecurity\u00a0<\/span>and c<\/span>ompliance is often ignored by IWs.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

      This issue has been a longstanding\u00a0<\/span>challenge<\/span>\u00a0in\u00a0<\/span>the space<\/span>, impacting some of the most essential initiatives<\/span>.\u00a0<\/span>A<\/span>\u00a0<\/span>d<\/span>ecision-maker explained,\u00a0<\/span>\u201cWhen we implemented multifactor auth it was not [culturally]\u00a0<\/span>accepted. [People complained]<\/span>,<\/span>\u00a0\u2018It\u2019s a nightmare.\u2019 \u2018It takes forever.\u2019 It was a massive shift to the security side with pushback.\u201d<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

      \"\"How might\u00a0<\/span>s<\/span>ecurity\u00a0<\/span>and c<\/span>ompliance experiences appear within the user\u2019s flow in a way that feels seamless and friction-free?<\/span> L<\/span>ook for opportunities to reduce unnecessary steps, text, and graphics\u2013apply \u2018fierce reduction\u2019.<\/span>\u00a0<\/span><\/p>\n

        \n
      1. <\/b>Habituating<\/span><\/b><\/li>\n<\/ol>\n

        \u201cA UI is habituating when, over time, the user does things automatically. This quick learning and understanding create a familiarity that encourages future use & enhanced efficiency in task performance.\u201d \u2013 UI Tenets & Traps<\/span><\/i>\u00a0<\/span><\/p>\n

        Why make it\u00a0<\/span><\/b>Habituating<\/span><\/b>?<\/span><\/b>\u00a0<\/span>O<\/span>rganizations\u00a0<\/span>find it challenging\u00a0<\/span>to teach IWs to use<\/span>,<\/span>\u00a0<\/span>consistently\u00a0<\/span><\/i>use<\/span>, and\u00a0<\/span>correctly\u00a0<\/span><\/i>use<\/span>\u00a0security and compliance features<\/span>.\u00a0<\/span>Complex and inconsistent systems add to this problem<\/span>, increasing cognitive load and making it difficult to\u00a0<\/span>learn and\u00a0<\/span>establish\u00a0<\/span>habits.<\/span>\u00a0<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

        If we can ensure users interact with a security system\u00a0<\/span>the same way every time<\/span>\u00a0<\/span>and remov<\/span>e<\/span>\u00a0unnecessary decision points<\/span>, they can more easily\u00a0<\/span>build<\/span>\u00a0security and compliance habits<\/span>\u00a0<\/span>and use the system with less thinking required<\/span>.<\/span>\u00a0<\/span>In addition to reducing effort, it can reduce the chance of\u00a0<\/span>error<\/span>,<\/span>\u00a0<\/span>lead<\/span>ing<\/span>\u00a0to better outcomes<\/span>\u00a0for the organization<\/span>.\u00a0<\/span>\u00a0<\/span><\/p>\n

        During the design process, how might we leverage systems thinking and an eye for coherence throughout the system to improve end user habituation?<\/span>\u00a0<\/span>When you\u00a0<\/span>find<\/span>\u00a0redundancy,\u00a0<\/span>streamline the experience by\u00a0<\/span>p<\/span>rovid<\/span>ing\u00a0<\/span>just one way for actions to be completed\u00a0<\/span>to improve learnability<\/span>.<\/span>\u00a0<\/span>When you\u00a0<\/span>find<\/span>\u00a0inconsistenc<\/span>ies<\/span>,\u00a0<\/span>fix it by\u00a0<\/span>presenting the\u00a0<\/span>labels and controls\u00a0<\/span>in the same manner and location whenever the user encounters them.<\/span>\u00a0<\/span><\/p>\n

          \n
        1. Discreet<\/span><\/b><\/li>\n<\/ol>\n

          \u201c\u2019Unwanted disclosures\u2019 violate the tenet of \u2018discreet’ by sharing user information, causing unwanted attention, or disrupting others …\u00a0<\/span><\/i>[and] can result in physical and\/or emotional harm and embarrassment if users unknowingly share information beyond their trusted community, poor brand image and press, as well as expensive lawsuits.\u201d \u2013 UI Tenets & Traps<\/span><\/i>\u00a0<\/span><\/p>\n

          Why make it Discreet?<\/span><\/b>\u00a0In the context of\u00a0<\/span>s<\/span>ecurity\u00a0<\/span>and c<\/span>ompliance experiences, a discreet system prevents oversharing of information, which in turn can prevent embarrassment and harm to the IW and the organization.<\/span>\u00a0<\/span><\/p>\n

          IWs<\/span>\u00a0<\/span>may\u00a0<\/span>intentionally or unintentionally\u00a0<\/span>overshare information<\/span>,\u00a0<\/span>not realizing the\u00a0<\/span>risk of their actions<\/span>.\u00a0<\/span>One<\/span>\u00a0<\/span>security professional<\/span>\u00a0<\/span>commented<\/span>,<\/span>\u00a0\u201cThe issue is my users aren\u2019t aware. They send all [information] when a [recipient] only needs\u00a0<\/span>some<\/span>\u00a0<\/span>\u2026 They have too much faith the system will protect\u00a0<\/span>them<\/span>\u00a0and they make poor choices.\u201d<\/span>\u00a0<\/span><\/p>\n

          \"\"How might we\u00a0<\/span>design experiences that\u00a0<\/span>prevent IWs from accidentally oversharing information\u00a0<\/span>and guide them to make better choices<\/span>?<\/span>\u00a0<\/span>As a starting point, ensure\u00a0<\/span>the user\u00a0<\/span>is aware of what information<\/span>\u00a0is being shared<\/span>\u00a0<\/span>and\u00a0<\/span>to whom<\/span>, as well as the sensitivity of the information<\/span>\u00a0and its required\u00a0<\/span>protections<\/span>.<\/span>\u00a0<\/span><\/p>\n

            \n
          1. Beautiful<\/span><\/b><\/li>\n<\/ol>\n

            \u201cAn \u2018unattractive appearance\u2019 violates the tenet of \u2018beautiful\u2019\u00a0<\/span><\/i>\u2026 [and]\u00a0<\/span><\/i>can result in negative emotions from users, less forgiveness, more difficultly to use interfaces, longer task times, user abandonment of the interface or system, etc.\u201d \u2013 UI Tenets & Traps<\/span><\/i>\u00a0<\/span><\/p>\n

            Why make it Beautiful?<\/span><\/b>\u00a0Even a little bit of visual design\u00a0<\/span>can go a long way<\/span>.<\/span>\u00a0<\/span>So often do\u00a0<\/span>s<\/span>ecurity\u00a0<\/span>and c<\/span>ompliance features focus on utility\u00a0<\/span>and<\/span>\u00a0suffer from an unattractive appearance.<\/span>\u00a0The risk of an unattractive appearance is that (1) for an optional\u00a0<\/span>s<\/span>ecurity\u00a0<\/span>and c<\/span>ompliance experience, it doesn\u2019t get used or is used incorrectly, and (2) for a mandatory experience that IWs are forced to use, it creates friction and discontent between IWs and those responsible for the\u00a0<\/span>s<\/span>ecurity\u00a0<\/span>and c<\/span>ompliance posture of the organization.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

            \"\"How might <\/span>we design<\/span>\u00a0security and compliance<\/span>\u00a0features\u00a0<\/span>with a thoughtful<\/span>\u00a0visual design that<\/span>\u00a0<\/span>aids in the ease of use<\/span>?<\/span>\u00a0<\/span>A<\/span>pply a<\/span>\u00a0<\/span>modern visual design\u00a0<\/span>consistently throughout the experience<\/span>\u2013<\/span>one\u00a0<\/span>in which form and function work together to improve the user experience.<\/span>\u00a0<\/span><\/p>\n

            The takeaway\u00a0<\/span><\/i><\/b>\u00a0<\/span><\/p>\n

            The choices\u00a0<\/span>IWs<\/span>\u00a0make\u00a0<\/span>impact\u00a0<\/span>the security and compliance posture of their organization.<\/span>\u00a0<\/span>Good UX for end users is\u00a0<\/span>necessary for supporting<\/span>\u00a0organizations.\u00a0<\/span>The more that these systems and tools are\u00a0<\/span>understood, and successfully integrated into daily processes, the safe<\/span>r<\/span>\u00a0and more secure organizations will remain.<\/span>\u00a0<\/span><\/p>\n

            While achieving simplicity in an inherently complex space is a challenging effort, our hope is tha<\/span>t<\/span>\u00a0<\/span>by\u00a0<\/span>providing more information about<\/span>\u00a0<\/span>these<\/span>\u00a0tenets and the context\u00a0<\/span>in which they exist, product\u00a0<\/span>developers of any discipline<\/span>\u00a0will be able to\u00a0<\/span>create better\u00a0<\/span>end user experiences.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

            References\u00a0<\/strong><\/p>\n

            *https:\/\/uitraps.com\/ (opens in new tab)<\/span><\/a><\/span>\u00a0–\u00a0<\/span>UI<\/span>\u00a0evaluation tool<\/span>\u00a0based on<\/span>\u00a0<\/span>a large body of knowledge<\/span>\u00a0that\u00a0<\/span>researchers and designers<\/span>\u00a0can use\u00a0<\/span>to improve<\/span>\u00a0the quality of UI.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

            How does this measure up to your experience in designing user experiences? Have you used the UI tenets and traps? If so, what did you think of them?<\/strong> Let us know!<\/strong>\u00a0Tweet us\u00a0@MicrosoftRI (opens in new tab)<\/span><\/a>\u00a0or\u00a0like us on Facebook (opens in new tab)<\/span><\/a>\u00a0and join the conversation.<\/strong><\/p>\n

            Megan Brown is a user researcher and product planner on the XC Planning & Research team. She works on experiences that span the Microsoft Office suite including security & compliance,\u00a0<\/span><\/span>collaboration, and privacy.\u00a0<\/span><\/span>Before Microsoft, Megan studied Psychology at Duke University, where she also taught Computer Science 101 to undergraduate students as a teaching assistant. She enjoys work that brings<\/span><\/span>\u00a0<\/span><\/span>together\u00a0<\/span><\/span>multiple disciplines, and collaborating closely with designers, program managers, and engineers to bring thoughtful user experiences to life.<\/span><\/span>\u00a0<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

            When doing user research on security and compliance experiences in Microsoft Office, we\u2019ve uncovered learnings about how to design better experiences in this space. Through focus groups, usability studies, and customer conversations, we have been hearing themes about the top areas to focus on when designing end user facing security and compliance features. <\/p>\n","protected":false},"author":38703,"featured_media":697687,"template":"","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","msr-content-parent":616842,"msr_hide_image_in_river":0,"footnotes":""},"research-area":[],"msr-locale":[268875],"msr-post-option":[],"class_list":["post-697729","msr-blog-post","type-msr-blog-post","status-publish","has-post-thumbnail","hentry","msr-locale-en_us"],"msr_assoc_parent":{"id":616842,"type":"group"},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-blog-post\/697729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-blog-post"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/msr-blog-post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/users\/38703"}],"version-history":[{"count":3,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-blog-post\/697729\/revisions"}],"predecessor-version":[{"id":697903,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-blog-post\/697729\/revisions\/697903"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media\/697687"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=697729"}],"wp:term":[{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=697729"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=697729"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=697729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}