A Usable Security Review is a report to help a software team make its tool more usable and useful for its target users, while at a minimum helping preserve – and ideally enhancing – privacy and security.
We work closely with technical teams to craft an individual research plan that answers their questions and meets their needs. However, this isn't a security audit of your code – we evaluate privacy and security through the lens of user experience and usability. We analyze what users see and do, so that we can make targeted recommendations for improvements. A Usable Security Review is a complement to, not a replacement for, a comprehensive security audit of your code.
What a Usable Security Review Includes
- Understanding who the tool’s desired, likely, and/or actual users (or “target” users) are
- Understanding relevant threats (threats users are likely to face, threats that the tool seeks to mitigate, and threats that the tool cannot mitigate but that users might expect it to)
- Analyzing the tool’s user experience heuristically (through an expert review)
- Analyzing the tool’s user experience empirically (through user studies)
- Making actionable recommendations to the software team to help them improve the tool’s design in response to review and study results
Phases and Outputs
Phase 1: Understanding the Background
The first phase is to understand your tool's background goals. This includes identifying the tool’s target users and its threat model. It also includes understanding the tool’s position in its competitive landscape and the development team’s priorities for UX improvement. Our steps are:
- Identifying target users
- Scoping threats
- Benchmarking and competitive analysis
- Evaluation priorities
Phase 2: Heuristic Evaluation (expert review)
As well as experience in UX best practices, our evaluators understand the relevant security/privacy design patterns and their common pitfalls. This expertise, and the ability to review the app in the context of background information about the team's and target users’ threat models, is what distinguishes a usable security review from a traditional UX review.
Phase 3: Empirical Evaluation
A key step in evaluating and improving a user experience is to put it in front of real users. Based on the questions the software development team wants to answer, Simply Secure selects appropriate usability testing techniques. In a Usable Security Review, our goal is to determine whether users accurately understand the threat model, and whether they can perform key security-related tasks with comprehension. For example, it’s not enough for a user to be able to successfully generate a key if she does not understand what that key is for or how she should manage it in the future. Usability methods may include:
- Cognitive walkthroughs
- Semi-structured or group interviews
- Task analysis
- Diary / prompted in situ studies
- Surveys or questionnaires
Learn more in a report about our Usable Security Audit Methodology.