Syllabus Point
- Describe how the capabilities and experience of end users influence the secure design features of software
Software security must be designed around the people who use it. Features need to be strong enough to protect data, but also simple and clear enough for users to understand, adopt, and use correctly.
User-Centred Design and Security
User-centred design is an approach that places the needs, limitations, and behaviours of end users at the centre of the design process. When applied to security, it means building features that users will actually engage with rather than avoid or bypass. A security feature that is too complex or confusing will often be ignored, which can introduce vulnerabilities.
Simplicity means reducing friction - authentication steps, warnings, and access controls should be as straightforward as possible without compromising protection. Clarity ensures that users understand what a security feature is doing and why, such as explaining why a password must meet certain criteria. Transparency means being honest with users about how their data is used and what security measures are in place, which builds trust and encourages compliance.
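The clarity point above, as an added example that is not part of the original notes: a password check that reports every failed rule at once and tells the user why each rule exists. The 12-character minimum, the tiny blocklist and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

MIN_LENGTH = 12  # assumed policy value, not taken from the notes
# Constructed sample blocklist; a real system would load a much larger one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password123"}


@dataclass
class Finding:
    rule: str     # short machine-readable name
    message: str  # what the user should change
    reason: str   # why the rule exists, in plain language


def check_password(password: str, username: str) -> list[Finding]:
    """Run every rule so the user sees all problems in one pass."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(Finding(
            "too_short",
            f"Use at least {MIN_LENGTH} characters (you have {len(password)}).",
            "Longer passwords take far longer for an attacker to guess."))
    if password.lower() in COMMON_PASSWORDS:
        findings.append(Finding(
            "common",
            "Choose a password that is not on lists of commonly used passwords.",
            "Attackers try the most popular passwords first."))
    if username and username.lower() in password.lower():
        findings.append(Finding(
            "contains_username",
            "Do not include your username in the password.",
            "Your username is easy to find, so it makes the password easier to guess."))
    return findings


def render_feedback(findings: list[Finding]) -> str:
    """Turn findings into the text shown next to the password field."""
    if not findings:
        return "Password accepted."
    lines = [f"- {f.message} Why: {f.reason}" for f in findings]
    return "Please fix the following:\n" + "\n".join(lines)


if __name__ == "__main__":
    print(render_feedback(check_password("password", "alice")))
```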
End User Behaviour (Unintentional)
It is important to anticipate unintentional user behaviour so that safeguards can prevent security lapses caused by human error. Users do not always make secure choices, and software should be designed to guide and protect them even when they do not realise the risk they are taking.
| Behaviour | Why it is bad | Solution |
|---|---|---|
| Weak password practices | Makes it easier for attackers to gain unauthorised access | Implement strong password policies |
| Phishing | Users may be tricked into revealing sensitive information | Educate users to identify phishing attempts |
| Skipping updates | Leaves users vulnerable to known security flaws | Provide clear messages and automatic updates |
| Bypassing security | Weakens the overall security of the system | Make access control methods easy to use |
How End Users Influence Secure Design Features
The technical skill level and experience of end users directly shapes which security features are appropriate and how they should be implemented. A system used primarily by technical professionals can employ more sophisticated authentication mechanisms, while a consumer-facing application must prioritise ease of use to ensure that security features are adopted rather than avoided.
User-friendly authentication should offer options such as two-factor authentication or biometric login rather than forcing all users through the same rigid process. Role-based access control should reflect the actual roles users hold within the system, granting only the permissions needed for their tasks. Less experienced users may require training, onboarding guidance, or in-app prompts to help them understand and comply with security requirements. Regular user feedback and usability testing reveal whether security features are being understood and used correctly, or whether they are creating confusion that leads to insecure workarounds.
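One way to express the role-based access control described above, as an added example that is not part of the original notes: access is denied unless a role explicitly grants it, the denial is explained in plain language, and a review helper lists permissions a role holds but has not used. The role names, permission names and sample usage data are constructed for illustration.

```python
# Constructed role table: each role lists only what its tasks require.
ROLE_PERMISSIONS = {
    "student": {"view_own_grades"},
    "teacher": {"view_class_grades", "edit_class_grades"},
    "admin": {"view_class_grades", "edit_class_grades", "manage_accounts"},
}


def authorise(role: str, permission: str) -> tuple[bool, str]:
    """Deny by default: unknown roles and unlisted permissions get nothing."""
    granted = ROLE_PERMISSIONS.get(role, set())
    if permission in granted:
        return True, "Allowed."
    return False, (
        f"Your role ({role}) does not include '{permission}'. "
        "If you need it for your work, ask an administrator."
    )


def unused_permissions(role: str, observed_actions: list[str]) -> list[str]:
    """Permissions the role grants that never appear in observed usage.

    These are candidates for removal when reviewing whether the role
    still matches what its users actually do.
    """
    return sorted(ROLE_PERMISSIONS.get(role, set()) - set(observed_actions))


if __name__ == "__main__":
    print(authorise("teacher", "edit_class_grades"))
    print(authorise("student", "edit_class_grades"))
    # Constructed usage sample for the admin role.
    print(unused_permissions("admin", ["manage_accounts", "view_class_grades"]))
```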
Examples of Security Features
Password managers reduce the cognitive burden of maintaining strong, unique passwords by storing and auto-filling credentials securely. Multi-factor authentication (MFA) adds an additional layer of verification beyond the password, such as a one-time code sent to a mobile device, significantly reducing the impact of stolen credentials. Single sign-on (SSO) allows users to authenticate once and access multiple systems without logging in repeatedly, balancing convenience with security by centralising authentication management.
User-Centred Security Testing
Security features should be tested not only for technical correctness but also for usability. Key questions to evaluate include whether the feature is easy to understand without technical background knowledge, whether it provides clear and timely feedback when the user does something that affects security, whether it is convenient enough that users will not look for ways to bypass it, and whether it minimises cognitive load - meaning users can complete secure actions without feeling overwhelmed or confused.
Accessibility and Ease of Use
Security features must be accessible to all users, including those with disabilities. This means supporting screen readers and full keyboard navigation so that authentication and access controls can be used without a mouse. Visual design should be clear and unambiguous, using sufficient contrast and readable font sizes. Instructions should be written in plain language that does not assume technical knowledge, ensuring that all users can engage with security features confidently.
User Feedback
User feedback is a valuable source of insight throughout the development lifecycle. It can reveal usability issues that cause users to disengage from security features, highlight gaps where the software fails to communicate risks clearly, and surface opportunities to improve the wording of instructions or the design of security prompts. Gathering feedback through surveys, usability testing, and support channels helps developers continuously refine security features to be both effective and user-friendly.