
Microsoft XC Research

Designing user experiences that support security and compliance

By Megan Brown

While it may not appear to be the case, when it comes to security and compliance, providing a good end user experience is top of mind for enterprise decision-makers. Why is the user experience (UX) in this area so important? To be effective, Information Workers (IWs) must use security and compliance features, and use them correctly. Otherwise, the solutions the organization has invested in don’t provide the intended value in helping the organization remain safe, secure, and compliant. Stated well by a decision-maker: “No one wants to do compliance, right? It’s the worst part of everyone’s job … but it’s the thing that’s most important, so we need to make it as simple as possible.”

When doing user research on security and compliance experiences in Microsoft Office, we’ve uncovered learnings about how to design better experiences in this space. Through focus groups, usability studies, and customer conversations, we have been hearing themes about the top areas to focus on when designing end user facing security and compliance features. These areas of focus demonstrate the need for the design to achieve these five tenets: Understandable, Efficient, Habituating, Discreet, and Beautiful.

These design principles represent a subset of tenets from the UI Tenets & Traps framework, a heuristic framework for evaluating user interfaces (UI) that, when followed, can quickly and effectively improve a design.* Read on to learn their significance in the context of the security and compliance space.

Five design tenets for end user security and compliance experiences 

  1. Understandable

“When a UI is understandable, the user is aware of the actions they can take because the UI contains concepts that are learned quickly.” – UI Tenets & Traps 

Why make it Understandable? When IWs have a limited understanding of how to uphold security and compliance, they cannot reliably do so for their organization. Unfortunately, it is not uncommon for IWs to lack knowledge in two key areas: (1) the tools, more specifically that they exist and how to use them, and (2) general knowledge of compliance rules and security best practices. While IT departments do send out training material, organizations are still experiencing a lack of engagement with the tools and incorrect use, leaving assets unprotected or with inadequate protection.

How might a design reduce complexity for IWs? Conduct user research to understand what the end users do and do not already know, then use the terms that are familiar to users in the UI. If it is necessary to introduce new concepts, provide a way for users to learn about them.

  2. Efficient

“A UI is efficient when users perceive that they are doing things in a minimal number of steps.” – UI Tenets & Traps 

Why make it Efficient? Productivity is often at odds with security and compliance. When IWs are trying to accomplish their work, any security or compliance step that gets in the way feels like a burden. This often leads to pushback and help desk calls. On the flip side, when these features are too subtle or do not appear within their main workflows, security and compliance is often ignored by IWs.  

This issue has been a longstanding challenge in the space, impacting some of the most essential initiatives. A decision-maker explained, “When we implemented multifactor auth it was not [culturally] accepted. [People complained], ‘It’s a nightmare.’ ‘It takes forever.’ It was a massive shift to the security side with pushback.”

How might security and compliance experiences appear within the user’s flow in a way that feels seamless and friction-free? Look for opportunities to reduce unnecessary steps, text, and graphics: apply ‘fierce reduction’.

  3. Habituating

“A UI is habituating when, over time, the user does things automatically. This quick learning and understanding create a familiarity that encourages future use & enhanced efficiency in task performance.” – UI Tenets & Traps 

Why make it Habituating? Organizations find it challenging to teach IWs to use, consistently use, and correctly use security and compliance features. Complex and inconsistent systems add to this problem, increasing cognitive load and making it difficult to learn and establish habits.

If we can ensure users interact with a security system the same way every time and remove unnecessary decision points, they can more easily build security and compliance habits and use the system with less thinking required. In addition to reducing effort, it can reduce the chance of error, leading to better outcomes for the organization.

During the design process, how might we leverage systems thinking and an eye for coherence throughout the system to improve end user habituation? When you find redundancy, streamline the experience by providing just one way for actions to be completed to improve learnability. When you find inconsistencies, fix them by presenting the labels and controls in the same manner and location whenever the user encounters them.

  4. Discreet

“’Unwanted disclosures’ violate the tenet of ‘discreet’ by sharing user information, causing unwanted attention, or disrupting others … [and] can result in physical and/or emotional harm and embarrassment if users unknowingly share information beyond their trusted community, poor brand image and press, as well as expensive lawsuits.” – UI Tenets & Traps 

Why make it Discreet? In the context of security and compliance experiences, a discreet system prevents oversharing of information, which in turn can prevent embarrassment and harm to the IW and the organization. 

IWs may intentionally or unintentionally overshare information, not realizing the risk of their actions. One security professional commented, “The issue is my users aren’t aware. They send all [information] when a [recipient] only needs some … They have too much faith the system will protect them and they make poor choices.”

How might we design experiences that prevent IWs from accidentally oversharing information and guide them to make better choices? As a starting point, ensure the user is aware of what information is being shared and to whom, as well as the sensitivity of the information and its required protections. 

  5. Beautiful

“An ‘unattractive appearance’ violates the tenet of ‘beautiful’ … [and] can result in negative emotions from users, less forgiveness, more difficult to use interfaces, longer task times, user abandonment of the interface or system, etc.” – UI Tenets & Traps

Why make it Beautiful? Even a little bit of visual design can go a long way. Security and compliance features so often focus on utility alone and suffer from an unattractive appearance. The risk of an unattractive appearance is that (1) for an optional security and compliance experience, it doesn’t get used or is used incorrectly, and (2) for a mandatory experience that IWs are forced to use, it creates friction and discontent between IWs and those responsible for the security and compliance posture of the organization.

How might we design security and compliance features with a thoughtful visual design that aids in the ease of use? Apply a modern visual design consistently throughout the experience, one in which form and function work together to improve the user experience.

The takeaway  

The choices IWs make impact the security and compliance posture of their organization. Good UX for end users is necessary for supporting organizations. The more that these systems and tools are understood, and successfully integrated into daily processes, the safer and more secure organizations will remain. 

While achieving simplicity in an inherently complex space is a challenging effort, our hope is that by providing more information about these tenets and the context in which they exist, product developers of any discipline will be able to create better end user experiences.  

References 

*https://uitraps.com/ – UI evaluation tool based on a large body of knowledge that researchers and designers can use to improve the quality of UI.

How does this measure up to your experience in designing user experiences? Have you used the UI Tenets & Traps? If so, what did you think of them? Let us know! Tweet us @MicrosoftRI or like us on Facebook and join the conversation.

Megan Brown is a user researcher and product planner on the XC Planning & Research team. She works on experiences that span the Microsoft Office suite including security & compliance, collaboration, and privacy. Before Microsoft, Megan studied Psychology at Duke University, where she also taught Computer Science 101 to undergraduate students as a teaching assistant. She enjoys work that brings together multiple disciplines, and collaborating closely with designers, program managers, and engineers to bring thoughtful user experiences to life.