Security design: Stop trying to fix the user

On the tendency of security approaches to rely on somehow educating users on this complex problem.

I’ve read dozens of studies about how to get people to pay attention to security warnings. We can tweak their wording, highlight them in red, and jiggle them on the screen, but nothing works because users know the warnings are invariably meaningless. They don’t see “the certificate has expired; are you sure you want to go to this webpage?” They see, “I’m an annoying message preventing you from reading a webpage. Click here to get rid of me.”…

We must stop trying to fix the user to achieve security. We’ll never get there, and research toward those goals just obscures the real problems. Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do.

The same could be said for usability of any kind — but it seems especially vital in this case.

Via Khürt Williams.



  1. The reason security approaches keep doing this is because, time and again, security teams have been finding that not educating the user simply makes for worse security. It might not be great user-friendliness, but the average company needs a fair bit of user-friendliness to compensate for poor security actions. As for why they don’t, for example, block pages instead of merely warning people… …the companies I’ve seen do block entire categories of site that is clearly egregious to expected corporate use, but have to permit a considerably larger number of edge cases to avoid being inundated by requests to unblock the wide number of sites that people in working environments typically use these days. That’s before considering consumer use, where any sort of blocking is taken with resentment at best.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.