Usable Security Review

A specialized offer to improve ease of use for software with a security component, including both heuristic and empirical evaluation.

A Usable Security Review is a report to help a software team make its tool more usable and useful for its target users, while at a minimum helping preserve – and ideally enhancing – privacy and security.

We work closely with technical teams to craft an individual research plan that answers their questions and meets their needs. However, this is not a security audit of your code: we evaluate privacy and security through the lens of user experience and usability. We analyze what users see and do, so that we can make targeted recommendations for improvement. A Usable Security Review is a complement to, not a replacement for, a comprehensive security audit of your code.

What a Usable Security Review Includes

Phases and Outputs

Phase 1: Understanding the Background

The first phase is to understand your tool's background and goals. This includes identifying the tool's target users and its threat model. It also includes understanding the tool's position in its competitive landscape and the development team's priorities for UX improvement. Our steps are:

Phase 2: Heuristic Evaluation (expert review)

In addition to experience with UX best practices, our evaluators understand the relevant security and privacy design patterns and their common pitfalls. This expertise, together with the ability to review the app in the context of background information about the team's and the target users' threat models, is what distinguishes a usable security review from a traditional UX review.

Phase 3: Empirical Evaluation

A key step in evaluating and improving a user experience is to put it in front of real users. Based on the questions the software development team wants to answer, Simply Secure selects appropriate usability testing techniques. In a Usable Security Review, our goal is to determine whether users accurately understand the threat model, and whether they can perform key security-related tasks with comprehension of what those tasks mean. For example, it is not enough for a user to be able to generate a key successfully if she does not understand what that key is for or how she should manage it in the future.

Usability methods may include:

Learn more in a report about our Usable Security Audit Methodology.