423.5 User-centred security

Design secure systems that respect user needs, anticipate mistakes, and build trust through clear and consistent behaviour.

Overview

Security is not just a technical issue—it’s also a human one. Even the most secure software can be compromised if users don’t understand how to use it safely. That’s why secure design must account for the capabilities, experience, and expectations of real users.

User-centred security focuses on building systems that are secure by default, but also usable, transparent, and forgiving. It aims to support—not punish—users who make mistakes or operate under pressure.

Targets

In this topic, students learn to:

Evaluate how user capability and experience influence secure design
Identify common usability barriers that lead to unsafe behaviour
Apply design strategies that reduce the likelihood of user error
Balance security with accessibility and workflow requirements

Syllabus references

Secure software architecture

Designing software

Describe how the capabilities and experience of end users influence the secure design features of software

Why user context matters

Users are often:

In a hurry or distracted
Untrained in technical systems
Frustrated by interruptions or restrictions

These factors lead to risky behaviour such as:

Reusing or writing down passwords
Ignoring warnings or clicking through prompts
Turning off security features to get work done

Systems that ignore user context tend to be less secure, because users bypass or resist them.

Strategies for user-centred security

1. Minimise friction

Use single sign-on (SSO) or password managers to reduce login fatigue
Avoid excessive or unnecessary prompts
Support biometrics or device-based trust when appropriate

2. Provide helpful feedback

Explain errors clearly (e.g. “Password too short” instead of “Invalid”)
Offer safe defaults instead of confusing choices
Avoid security jargon (e.g. use “secure this account” instead of “enable 2FA”)

3. Anticipate and contain mistakes

Auto-save unsent data in secure drafts
Provide confirmation screens before irreversible actions
Roll back dangerous changes where possible

4. Design for trust

Use consistent visual design and branding
Clearly indicate when data is encrypted or private
Avoid dark patterns or manipulative UX

5. Respect accessibility

Ensure prompts, authentication steps, and alerts work for users with:
- Vision or motor impairments
- Cognitive or language challenges
- Low digital literacy

Examples of user-focused design

Bad Practice

Better Practice

Forcing complex passwords with no guidance

Provide a password strength meter and phrase suggestion

Auto-logout with no warning

Offer a countdown and a "stay signed in" button

Hiding security settings deep in menus

Place important security actions on the main dashboard

Summary

Users play a central role in the effectiveness of secure systems
Good security design supports user goals and minimises friction
Anticipating mistakes and reducing complexity leads to safer behaviour
Secure software must be designed with empathy, clarity, and trust

Previous423.4 Secure APIs and authentication Next430 Reasons for securing software

Last updated 5 months ago

Was this helpful?

hashtagOverview

hashtagTargets

hashtagSyllabus references

hashtagWhy user context matters

hashtagStrategies for user-centred security

hashtag1. Minimise friction

hashtag2. Provide helpful feedback

hashtag3. Anticipate and contain mistakes

hashtag4. Design for trust

hashtag5. Respect accessibility

hashtagExamples of user-focused design

hashtagSummary