After raining on your parade and then telling you to be a better marketer and that everyone already hates you, we're gonna dial up the crazy this week and propose something that I've never heard anyone in security seriously propose: put some real energy into good user experience.

If your strategy is to push people to standard solutions and invest your effort toward protecting those solutions, you need to make the standards easier than the one-off choices. How do you make a solution easy to use? Once again, we steal ideas from an existing discipline dedicated to solving this problem: User Experience (UX) and User Interface (UI) design.

I love Crazy!

Let's get to it.

UX Basics: Consider the Rock

Let's indulge in some philosophy. Products deliver value by making it easier to do something. If you need to fasten two pieces of wood with a nail, a decently-shaped rock is much easier than using your fingers, a hammer is better than the rock, and a nailgun is better than either.

But a nailgun is less useful than a hammer or a rock if you need to pound a stake deep into the ground. The degree to which a product makes it easier to perform a task (and thus its value) is tied directly to the intended task.

Further, different people approaching the same task will find different designs most helpful.

Your Mission

In User Experience Design, you tailor the product's features and design so that the intended use is as easy as possible. The UI/UX profession has standardized on User Stories as the best place to organize and methodically explore how different kinds of people might use the product so they can make sure the design decisions match.


A User Story starts with an archetype of a person. It details that person's background, skill level, and goal. Sophisticated shops will often have hundreds of User Stories for a full-featured software product.

The most important part of each story is the "why." What is their goal? What are their motivations?

The UI designer then considers how easy it would be to achieve each User Story in the current product. The product should:

  • Work in the way the user expects it to. They shouldn't need a manual, and surprises earn negative points.
  • Organize information and options in the way they expect.
  • Only give them information relevant to their purpose.
  • Still be easy to use if the user is distracted.
  • Not depend on users reading any explanations or tips.
  • Require the least effort/clicks/time to get what they want done.
  • Minimize choices. If a decision is required, the most common choice should be defaulted.
  • Draw attention to the most important parts of an interface by visually de-emphasizing everything else.

The Value

User Stories are one of the cheapest and best ways of identifying opportunities to improve your product's usefulness to your intended customer. If you want to make your users' product experience better, they are one of the best places to start.

User Stories are fundamentally thought experiments and are most useful when they accurately capture the headspace, skills, and perspectives of your intended users. You can increase the accuracy by including support staff when generating User Stories – they have practical experience with the sorts of people who use the product. Beware selection bias, though: support often over-estimates the proportion of users who have trouble with the system, because those users call the most. Including interested leaders or their delegates can also improve the accuracy and breadth of the User Stories; they should know the composition and expertise of their teams.

Accuracy can be further improved by periodically asking for feedback within the interface. You will get the same selection bias because users provide most feedback when things go wrong.

Advanced Techniques

If you're ready for better accuracy at higher cost, consider interface testing, where you ask people outside of the product team to try the product and watch how well it works. You can even set modern webapps to record user behavior on your site to determine where they get stuck.

As with any continuous improvement, don't spend resources collecting information if you're not ready to use it. Unactionable data is just a liability and has hidden costs. Start with the easy wins and ratchet your way up.

Next Steps

How have you modelled the experience of your users? What has been successful? What didn't work? I'd love to hear about it; leave a comment below or drop me a line. Join me next time as we demo User Stories with a model product, then pull useful lessons for improvement from them.

Further resources

  • Joel on Software's guide to UI. A good primer based heavily on key concepts from Don't Make Me Think and Design of Everyday Things.
  • Design of Everyday Things – hugely influential, it popularized several concepts that have become foundational to good UX.
  • Don't Make Me Think – extended concepts from Design of Everyday Things to computer interface design. Enormously popular in the UX profession. Accessible and short.
  • Seminal Toyota Production System books: Good user experience is mostly just the modern application of the efficiency-driving principles of Lean developed at Toyota in the 50s - 70s. Some modern sources explicitly draw this parallel.