Edit

423.5 User-centred security

Design secure systems that respect user needs, anticipate mistakes, and build trust through clear and consistent behaviour.

Overview

Security is not just a technical issue—it’s also a human one. Even the most secure software can be compromised if users don’t understand how to use it safely. That’s why secure design must account for the capabilities, experience, and expectations of real users.

User-centred security focuses on building systems that are secure by default, but also usable, transparent, and forgiving. It aims to support—not punish—users who make mistakes or operate under pressure.

Targets

In this topic, students learn to:

  • Evaluate how user capability and experience influence secure design

  • Identify common usability barriers that lead to unsafe behaviour

  • Apply design strategies that reduce the likelihood of user error

  • Balance security with accessibility and workflow requirements

Syllabus references

Secure software architecture

Designing software

  • Describe how the capabilities and experience of end users influence the secure design features of software

Why user context matters

Users are often:

  • In a hurry or distracted

  • Untrained in technical systems

  • Frustrated by interruptions or restrictions

These factors lead to risky behaviour such as:

  • Reusing or writing down passwords

  • Ignoring warnings or clicking through prompts

  • Turning off security features to get work done

Systems that ignore user context tend to be less secure, because users bypass or resist them.

Strategies for user-centred security

1. Minimise friction

  • Use single sign-on (SSO) or password managers to reduce login fatigue

  • Avoid excessive or unnecessary prompts

  • Support biometrics or device-based trust when appropriate

2. Provide helpful feedback

  • Explain errors clearly (e.g. “Password too short” instead of “Invalid”)

  • Offer safe defaults instead of confusing choices

  • Avoid security jargon (e.g. use “secure this account” instead of “enable 2FA”)

3. Anticipate and contain mistakes

  • Auto-save unsent data in secure drafts

  • Provide confirmation screens before irreversible actions

  • Roll back dangerous changes where possible

4. Design for trust

  • Use consistent visual design and branding

  • Clearly indicate when data is encrypted or private

  • Avoid dark patterns or manipulative UX

5. Respect accessibility

  • Ensure prompts, authentication steps, and alerts work for users with:

    • Vision or motor impairments

    • Cognitive or language challenges

    • Low digital literacy

Examples of user-focused design

Bad Practice
Better Practice

Forcing complex passwords with no guidance

Provide a password strength meter and phrase suggestion

Auto-logout with no warning

Offer a countdown and a "stay signed in" button

Hiding security settings deep in menus

Place important security actions on the main dashboard

Summary

  • Users play a central role in the effectiveness of secure systems

  • Good security design supports user goals and minimises friction

  • Anticipating mistakes and reducing complexity leads to safer behaviour

  • Secure software must be designed with empathy, clarity, and trust

Previous423.4 Secure APIs and authenticationNext430 Reasons for securing software

Last updated

Was this helpful?