Gaming the system for a better experience
I play a lot of video games and one of the things I’ve noticed is that when you first start playing, the game often keeps you from venturing into places where you’re likely to fail. Sometimes, this comes in the form of an obstacle you can’t pass unless your character has achieved a higher level of ability, sometimes it’s a guardian that won’t let you into an area with tougher challenges, and so forth. This model tends to keep you from giving up on a game because you die too often.
That got me thinking: is there an equivalent model we can use for granting access in our corporate or application environments? Using a combination of authentication and access privileges, it seems we ought to be able to create an environment in which we start users off with less complicated capabilities in our systems and software, then gradually “unlock achievements” for them as they demonstrate competency within our world.
I love the notion of “gamification” of the user experience along these lines: it not only helps users stay engaged appropriately, it can keep them engaged longer, because they will feel a sense of accomplishment over time.
One of the biggest challenges I see here is that many security teams focus a lot on policies, controls, and limiting what users can do – I refer to this as the “clinical” view of security. In doing so, they often miss the mark on what the user community needs to be and feel successful in their jobs – what I think of as the “practical” view of security.
In the future, I think user experience design (UX) will become an increasingly important part of the security team. If you’re not familiar with UX, it is a discipline that focuses on the goals, workflows, and interactions of users – all with the goal of reducing friction and increasing the chances of success as people interact with your systems and processes.
Not only will a UX-centric approach make using our systems more enjoyable, I believe it will increase security. The more fun it is to interact with our systems, and the less friction we introduce on the path to users’ goals, the more likely our security controls will be used rather than circumvented.
This also reinforces the need to think of security as a system rather than as an isolated point within security. That is why authentication and a persistent identity strategy are key – we want to provide users with a consistent experience throughout their entire journey within the environments we control, and we want any restrictions or challenges to feel appropriate to the user.
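One way to model the “unlock as you demonstrate competency” idea from the earlier paragraph and the consistent-identity point above, as an added illustration rather than code from the original post: every user starts with a least-privilege baseline, capabilities are granted as verified milestones accumulate, and a denied request tells the user what would unlock it (the “guardian” message). The milestone and capability names are hypothetical.

```python
from dataclasses import dataclass, field

# Baseline capabilities every new user starts with (the "starting area").
BASELINE = {"read:docs", "submit:ticket"}

# Tiers unlocked by demonstrated competency. Milestone and capability
# names are hypothetical; in practice each milestone would be recorded
# by an identity system once it has been verified for that identity.
TIERS = [
    {"requires": {"mfa_enrolled"}, "grants": {"read:internal"}},
    {"requires": {"mfa_enrolled", "phishing_training"}, "grants": {"write:internal"}},
    {"requires": {"mfa_enrolled", "phishing_training", "secure_coding"},
     "grants": {"deploy:staging"}},
]


@dataclass
class User:
    name: str
    milestones: set = field(default_factory=set)


def effective_permissions(user):
    """Baseline plus every tier whose milestones the user has all completed."""
    perms = set(BASELINE)
    for tier in TIERS:
        if tier["requires"] <= user.milestones:
            perms |= tier["grants"]
    return perms


def missing_milestones(user, capability):
    """Smallest set of milestones still needed to unlock capability, or None if no tier grants it."""
    candidates = [t["requires"] - user.milestones for t in TIERS if capability in t["grants"]]
    return min(candidates, key=len) if candidates else None


def check_access(user, capability):
    """Return (allowed, message); the message doubles as the 'what unlocks this' hint."""
    if capability in effective_permissions(user):
        return True, "allowed"
    missing = missing_milestones(user, capability)
    if missing is None:
        return False, f"{capability} is never granted by this policy"
    return False, f"unlock {capability} by completing: {', '.join(sorted(missing))}"
```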
Of course, another area games use to keep you engaged is rewards. In games, those come in the form of gold, weapons, armor, achievements, and notoriety on the leaderboard. In a corporate environment, I’d probably lean more toward achievements and notoriety where possible, and reward people who make the right choice to support the risk posture and security objectives of the business.
In closing, I encourage you to think about the future of how users interact with your systems, how you can use authentication and access as a way to help them feel like they are being rewarded as they improve in their ability to be secure, and embrace the user experience in your security strategy.