
Friction Affliction: How to Balance Security With User Experience

There's a fine line between protecting against suspicious, malicious, or unwanted activity and making users jump through hoops to prove themselves.

Joshua Goldfarb, Field CISO

January 6, 2021


As "defenders," security professionals are laser-focused on protecting our organizations from the ongoing risks and threats they constantly face.

But sometimes this comes at the expense of something incredibly important: user experience. Why is this so important? For one, when confronted with untenable restrictions and difficult processes, people tend to find ways to work around that friction – which worsens the organization’s security posture.

Increased friction also results in user frustration and the tendency to give up more quickly. For an online business, for example, this might result in fewer purchases, lowering its revenue and profit.

While we never want to compromise the security posture of the organizations we defend, we can often improve usability – i.e., reduce user friction – without increasing risk. Here are a few suggestions.

Recognize Known Good Users
It's no secret that passwords do not, in and of themselves, provide an adequate level of security. Enter multifactor authentication (MFA), which requires users to present two or more independent factors (something they know, have, or are) before they are let in. MFA is sometimes mandated by regulation or policy, but it is also used simply to raise the level of assurance at login and at other sensitive moments, such as a password reset or a change of payment details.

If, on the other hand, we already recognize a user with high confidence, why should we trouble them with the full set of challenges every time? Reliably recognizing known good users also makes it easier to pick out unknown or malicious users, because they are the ones who do not match any established pattern. This lets us focus on what authentication is actually for, rather than on rigid, draconian rules and policies that merely inconvenience legitimate, paying customers.

Recognize the Clues Legitimate Users Leave Behind
One way we can recognize known legitimate users is by paying attention to the clues they give us and leveraging technologies, such as fraud prevention and adaptive authentication tools, that allow us to act on those clues. We can bucket these clues into three main categories: the data associated with a device, the data associated with the user's environment, and the data associated with how that person behaves and interacts with our site.

As we begin to collect and analyze data from a large number of users coming from a variety of devices and environments with differing behavioral profiles, we begin to learn a lot about expected patterns of behavior and departures from those patterns. When a user is behaving as we would expect a legitimate user to, we can dial back on challenging them, thus providing them a smoother online experience.

Recognize the Clues Cyberattackers and Fraudsters Leave Behind
Just as legitimate users leave clues, so do cybercriminals. If we’ve done a good job learning how legitimate users usually behave, we can leverage that knowledge to understand how attackers and fraudsters typically behave. This helps us block and/or challenge their sessions and transactions, ultimately saving money by reducing the organization's loss to fraud. In other words, whereas we want to reduce friction for legitimate users, we want to drastically increase friction for attackers and fraudsters – we don’t want to let them operate within our applications.
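The three sections above describe risk-based (adaptive) authentication without showing the mechanics, so here is an added example of the decision logic; it is illustrative code written for this article, not a product's implementation or the author's own code. It assumes a per-user baseline learned from past successful sessions, three groups of signals (device fingerprint, environment such as country and ASN, and behaviour such as typing cadence or automation markers), hypothetical weights and thresholds, and a constructed profile for one user. Recognized users sail through, a single anomaly earns a step-up challenge, a pile-up of attacker-like signals is blocked, and two caveats a practitioner would insist on are built in: users with no baseline and high-risk actions are always challenged rather than waved through.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Decision outcomes: reduce friction for recognized users, add it for suspicious ones.
ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"

# Hypothetical weights; a real deployment tunes these against its own fraud and false-positive rates.
WEIGHTS = {
    "unknown_device": 30,      # device signal
    "unusual_country": 25,     # environment signals
    "unusual_asn": 15,
    "unusual_hour": 10,
    "impossible_travel": 40,
    "headless_client": 50,     # behavioural signals
    "cadence_mismatch": 20,
    "password_failures": 30,
}
CHALLENGE_AT, BLOCK_AT = 30, 70
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window counts as impossible travel


@dataclass
class UserProfile:
    """Baseline learned from a user's past successful sessions (constructed model for this example)."""
    known_devices: set = field(default_factory=set)    # device fingerprint hashes
    usual_countries: set = field(default_factory=set)
    usual_asns: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)      # UTC hours the user normally logs in at
    last_seen: tuple | None = None                     # (timestamp, country) of the last good session


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    asn: int
    ts: datetime
    headless_client: bool = False   # automation markers from the client (webdriver flag, no JS, ...)
    cadence_ok: bool = True         # typing/mouse cadence consistent with the user's prior sessions
    recent_failures: int = 0        # failed password attempts on this account in the last few minutes
    high_risk_action: bool = False  # e.g. changing a payout account; always gets a challenge


def score_attempt(profile, attempt):
    """Return (decision, score, reasons). No baseline means no recognition, so fail closed to CHALLENGE."""
    if profile is None:
        return CHALLENGE, 0, ["no_baseline"]
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if attempt.asn not in profile.usual_asns:
        reasons.append("unusual_asn")
    if attempt.ts.hour not in profile.usual_hours:
        reasons.append("unusual_hour")
    if profile.last_seen is not None:
        last_ts, last_country = profile.last_seen
        if last_country != attempt.country and attempt.ts - last_ts < TRAVEL_WINDOW:
            reasons.append("impossible_travel")
    if attempt.headless_client:
        reasons.append("headless_client")
    if not attempt.cadence_ok:
        reasons.append("cadence_mismatch")
    if attempt.recent_failures >= 3:
        reasons.append("password_failures")

    score = sum(WEIGHTS[r] for r in reasons)
    if score >= BLOCK_AT:
        decision = BLOCK
    elif score >= CHALLENGE_AT or attempt.high_risk_action:
        decision = CHALLENGE   # recognition lowers friction, but never waives step-up for sensitive actions
    else:
        decision = ALLOW
    return decision, score, reasons


def learn_from_success(profile, attempt):
    """Only fully authenticated sessions feed the baseline, so failed attackers cannot train it."""
    profile.known_devices.add(attempt.device_id)
    profile.usual_countries.add(attempt.country)
    profile.usual_asns.add(attempt.asn)
    profile.usual_hours.add(attempt.ts.hour)
    profile.last_seen = (attempt.ts, attempt.country)
    return profile


def t(day, hour, minute=0):
    return datetime(2021, 1, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample data for one user; not taken from any real system.
ALICE = UserProfile(
    known_devices={"fp-3a1c"}, usual_countries={"US"}, usual_asns={7922},
    usual_hours={13, 14, 15, 16, 17}, last_seen=(t(6, 14), "US"),
)
SAMPLE_ATTEMPTS = {
    "recognized": LoginAttempt("fp-3a1c", "US", 7922, t(6, 15)),
    "new_device_only": LoginAttempt("fp-9e77", "US", 7922, t(6, 15)),
    "impossible_travel": LoginAttempt("fp-3a1c", "DE", 3320, t(6, 14, 30)),
    "bot_takeover": LoginAttempt("fp-9e77", "RO", 9009, t(7, 3), headless_client=True, cadence_ok=False),
    "sensitive_action": LoginAttempt("fp-3a1c", "US", 7922, t(6, 15), high_risk_action=True),
}

if __name__ == "__main__":
    for name, attempt in SAMPLE_ATTEMPTS.items():
        print(f"{name:18} -> {score_attempt(ALICE, attempt)}")
```

The design point is that the same signals serve both goals in the text: the "recognized" attempt earns an uninterrupted session, while the attacker-shaped attempt accumulates enough weight to be blocked outright rather than merely challenged. Feeding the baseline only from sessions that completed authentication matters, because otherwise an attacker who keeps failing from a new device and country would slowly make that device and country look "usual".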

Security teams often get an unfair rap as the "department of no." But managing risk sometimes means turning down or modifying proposals that would introduce too much of it into the organization. Implementing a safe and effective means of reducing friction without weakening security or increasing risk is the key to raising customer satisfaction, the organization's bottom line, and confidence in the security team.

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
