Human-Centered Security
How to Design Systems That Are Both Safe and Usable
In our interconnected world, we face a complex cybersecurity ecosystem where digital vulnerabilities can have far-reaching consequences. Threats to digital infrastructure often impact critical physical systems, potentially causing real-world harm. With AI agents set to handle extensive personal information, data security and privacy are more crucial than ever.
Human-Centered Security targets professionals designing digital products that handle sensitive data: UX designers, engineers, and product managers. It’s also for those responsible for securing organizational data and systems: security engineers, CISOs, CIOs, and teams focused on risk management, legal, privacy, and compliance.
These professionals influence security-related behaviors and possess deep knowledge of threats to their products or organizations. This places a significant responsibility on them to design resilient systems that encourage safer outcomes. As the stakes continue to rise in our digital landscape, their role in protecting users from evolving cybersecurity risks becomes increasingly vital.
This book will help you:
- Focus on areas of the user experience where security impacts users the most. These are places where users are signing up, configuring a product for the first time, handling customer or patient data, or when confronted with a security or privacy-related message or warning, to name a few.
- Understand the dynamics of the security ecosystem. Looking at the security ecosystem from a single vantage point won’t work. Instead, you need to understand how the system design impacts users, how user actions prompt changes to the system design, how threat actors take advantage, how threat actors’ actions prompt changes to the system design, how users react, and on and on.
- Find your security UX allies. Think of a Venn diagram, with circles representing the security team, the UX team, the product team, the engineering team, the legal and privacy teams, and so on. To improve the security user experience, these circles must overlap. In other words, each group’s expertise and perspective are required to understand and design for the dynamic cybersecurity ecosystem.
- Ask better questions when talking to your cross-disciplinary team. These questions will help your team anticipate how users might react and how threat actors might take advantage.
- Know what to consider when designing for secure outcomes. The book examines some of the most common security user experience issues.
- Embrace iteration. Users will do things you didn’t expect or account for. Even more importantly, threat actors will act in ways you couldn’t have predicted. What was effective yesterday might not be as effective today.
Testimonials
“Trost’s Human-Centered Security is an opportunity to reexamine not just what security behaviors are, but how we design for them, translating applied behavioral science into a practical method for security designers.”
—Matt Wallaert
Founder at BeSci.io and author of Start at the End: How to Build Products That Create Change
“Human-Centered Security is an excellent blend of human factors, design, and cybersecurity. As a human factors security researcher, I have been looking for more content in this space from different perspectives. Seeing a book written from a designer/UX/UI perspective is refreshing and is helpful to understand how products can be developed with cybersecurity in mind.”
—Nikki Robinson, DSc, PhD
Author of Mind the Tech Gap and Effective Vulnerability Management, lead security architect at IBM and adjunct professor
“In this much-needed work, Heidi offers a comprehensive exploration of balancing human-centric design and security practices, particularly from the lens of user experience. She delves into the intricate relationship between security, design, and human behavior within a threat-laden digital ecosystem through captivating storytelling. Heidi masterfully unpacks the complexities that arise when trying to create secure systems that are also intuitive and user-friendly. Additionally, she provides practical, actionable strategies to reduce confusion and enhance the balance between usability and security.”
—Calvin Nobles, PhD
Portfolio vice president and dean/Human Factors expert
“This is an excellent introduction to human-centered security thinking, and a step-by-step guide to developing security that people can and want to use.”
—M. Angela Sasse, PhD
Professor of Human-Centered Security, Ruhr University Bochum
“Human-Centered Security provides an accessible overview of the user’s security ecosystem that demystifies the often overly complex and intimidating world of security and privacy. This book provides clear guideposts and resources for anyone designing for security or with security in mind, which should be everyone.”
—Lindsey Wallace, PhD
Director of Design Research and Strategy, Cisco Security
Table of Contents
Chapter 1: Security Impacts the User Experience
Chapter 2: The Players in the Security Ecosystem
Chapter 3: Beware of Unintended Consequences
Chapter 4: Find the Right People, Ask the Right Questions
Chapter 5: Design for Secure Outcomes
Chapter 6: Design Access
Chapter 7: Learn and Iterate
Chapter 8: Your Users are Relying on You
Frequently Asked Questions
These common questions about security and their short answers are taken from Heidi Trost’s book Human-Centered Security. You can find longer answers to each in your copy of the book, in either the printed or digital version.
Where does security impact the user experience?
Security impacts the user experience in nearly every part of the user journey. (Check out Chapter 1, “Security Impacts the User Experience,” for more details.)