We don't have to sacrifice usability for security.
While I was working at a Health IT company, we often ran into situations where it looked like we needed to make trade-offs between security and usability. But as someone passionate about UX, I couldn't help but feel that there was a way to accomplish both goals simultaneously, or at least lessen the blow.
During my HCI Master's program, I took a class entitled 'Usable Privacy and Security,' the curriculum for which was developed by Lorrie Cranor, currently the Chief Technologist at the US Federal Trade Commission. Though we're still far from solving this dilemma, I've developed skills in understanding the intersection between these two important fields.
My take on the usable security dilemma:
Initially a class project for our 'Usable Privacy and Security' course, our project on the intersection between risk homeostasis and computer security won a Distinguished Poster Award at the 2016 Symposium on Usable Privacy and Security.
A Usable Security Case Study
As a Product Manager/UX Designer at DrFirst, I was tasked with coming up with new features for Akario Backline, a secure, HIPAA-compliant instant messaging platform for healthcare providers, based upon user/customer feedback.
We encountered a lot of pushback from our mobile PIN feature, which asked users to set up a 4-digit PIN for the app.
Through research, we found that our user base was very security-conscious, and aware of the need to protect patient information on their phones: most of them already had a protective PIN on their phone.
We decided to add an additional feature to the administrative portion of the platform. It allowed administrators to make the Akario Backline mobile PIN optional for their users. To add to the release, we also added another security feature: making the web inactivity logoff optional.
The Result:
Several of our customers made the PIN optional, and our user base was happier. Our Legal team was happy as well, since the liability was now on the hospital administrator.