How to improve user experience without compromising securityTake a look at some of the ways UX and website security can complement each other to make for better overall experiences for users.
In a fiercely competitive industry, user experience (UX) is one area where retailers can differentiate themselves and win customer loyalty.
UX design is a means to reducing friction between users and what they want to do (or more accurately, what the business wants them to do). UX is thus vital to influencing metrics like conversion rate, time on site, page views and basket size. Using retail as a prime example, the faster, easier, and more appealing it is for users to add items to their cart and checkout, the more likely they are to do so.
However, the easier this process is for users, the easier it is to automate. This makes cart abuse and scalping a simple attack type for bot operators.
UX vs security: Are they at odds?
It can seem like design and security are in competition for business prioritization. This should not be the case, though. Both must work together to succeed overall.
Good security practices are complementary to UX in that a security breach would have disastrous consequences financially, operationally and on customer perception of a brand, which are all factors UX is supposed to positively influence.
Good UX design can also play a positive role in site security by steering users away from irresponsible security practices such as poor password hygiene. UX can inform users of good security measures in place.
This post will take a high-level look at some of the ways UX and security can complement each other to make for better overall experiences for users.
UX + Security: Complementary tactics
Minimize third party code where possible
Web users and privacy advocates are concerned about the amount of information cookies collect about us, and security professionals are unanimous on the potential risk of embedding third party content in sites.
Simplify elements and remove complexity
The more complex a system is, the more difficult it is to secure. Adding complexity often adds attack vectors for adversaries to exploit. From a UX design perspective, complex systems can be overwhelming, confusing or add friction for users.
Try to reduce the number of elements on each page, the number of steps a user must take to achieve their goals, and the number of calls each request must make before returning a result.
Collect less user data, or only collect what is needed
In the current era of the internet, data (specifically personal and behavioral data) is viewed as gold dust. Certainly, this makes sense for sites like Facebook, where the main means for profit is selling hyper targeted advertising based on the demographics of its users.
But the value of the data you collect about your customers must be weighed up against the risk to security and disruption to UX it might cause.
Collecting excessive amounts of data, especially via registration forms, kills conversion rates because customers may be uncomfortable sharing so much information, or may simply not want to spend the time filling in superfluous details that have nothing to do with their desire to purchase an item.
Plus, the more data a business collects, the bigger the target they are to criminals. Adversaries can use personally identifiable information (PII) to carry out identity theft, account takeover on other sites, or financial fraud.
Encourage users to practice good password hygiene
UX is primarily used to drive sales and keep users on websites longer, but there are additional benefits to UX. It can also be used to deliver important messaging that benefits both the user and the business, such as security advice and notices which can protect users.
For example, an account registration form might enforce a strong passwords policy (e.g., must contain at least eight characters, including upper- and lower-case letters, numbers, and special characters). The UX design on this page can make this process frustrating or simple depending on how it is implemented.
For example, a good practice would be to show a colored bar that turns from red to orange to green as the typed password gets stronger. Users could even see the company’s mascot get happier in an animation as they type a stronger password. This has the UX benefit of amusing the customer rather than frustrating them, whilst strengthening security.
Don’t add latency where you can help it
This is closely tied to the previous points about removing complexity and third-party tags, as these things tend to add latency to systems.
Latency is the enemy of conversion rate optimization, page view goals and revenue generation. Countless studies by industry heavyweights like Google and Amazon corroborate the theory that even a minor delay in page load times affects customer engagement and is bad for business.
Every millisecond counts, so every team, whether UX or security, must be held accountable for introducing anything that adds latency.
Client-side solutions and additions to a site are likely to add latency as they force browsers to load more content and make pages heavier, for example.
Have a “latency budget” and carefully weigh up the benefits of adding excessive latency with any new feature or solution.
Understanding and controlling malicious traffic
Whilst not a design element or a feature, web pages loading quickly is an essential part of good user experience. Even if latency is considered when adding features to a website, many sites start to slow down if they are overloaded with traffic.
An overloaded site could be caused by a successful marketing campaign, or a flood of demand from customers. But with around 50% of web traffic now automated, it’s likely that bots are at least partly to blame for overloaded websites.
Aside from clogging up web servers and slowing down pages, bot traffic is often malicious in its intent. Bots visiting in high volume could be attempting any number of attacks of concern to your security team, including:
- Content scraping
- Credential stuffing
- Account takeover
- Checkout abuse
Gaining visibility over the intent of the traffic not only has obvious security benefits, but can also help free up server resources, speeding up the site and keeping customers happy.
website being exploited by bots?