Cybersecurity by usability: How user-friendly design strengthens security
Cybersecurity by Usability combines security and user-friendliness. Find out how user-centered design reduces risks and creates security acceptance.
Security and usability: an apparent contradiction
Cybersecurity and usability are often perceived as opposing forces. To increase security, complex passwords, multi-level authentication processes, strict access controls and detailed requirements for user behavior are implemented. However, if you look at the behavior of the average user, two characteristics can be quickly identified.
Their average affinity for technology is significantly lower than that of the developers who design the systems. In addition, strict requirements on user behavior cause frustration and confusion. As a reaction of defiance, users may be careless with their security practices or show indifference to the security measures. A study published in the Zeitschrift für Arbeitswissenschaft describes this correlation: safety measures that slow down work processes or restrict employees’ freedom of action are often met with rejection and can lead to avoidance behavior.
The consequences: Avoidance behavior and safety fatigue

The result is catastrophic from a cybersecurity perspective. Security functions such as lock screens or login functions are deliberately deactivated. Users use easy-to-remember passwords across multiple accounts or write them down on a sticky note right next to the system. In practice, cybersecurity ensures less rather than more security. Bypass behavior is therefore a practical problem that many security architectures underestimate. An international survey by Proofpoint of 7,500 employees and 1,050 security experts shows that around two thirds of all employees deliberately disregard common and known security practices, thereby exposing their company to increased risks of cyber attacks. Research on security fatigue proves that this is rarely due to malicious intent: as the number of security-related decisions increases, the conscious implementation of rules decreases significantly and circumvention behavior increases. In this context, researchers speak of an avoidance of security-relevant requirements.
The approach: cybersecurity by usability
This is precisely where our approach comes in: Cybersecurity by Usability begins with the integration of security measures into the everyday lives of users. Where security concepts treat people primarily as a risk factor that must be controlled by specifications, we supplement this perspective with a second one. Security must be geared towards people, not the other way around. This results in an understanding of information security that is anchored in the internationally discussed fields of usable security, security UX and human-centered cybersecurity and which we consistently translate into our solutions for access and identity management.

This is particularly practical where authorizations, identities and access are controlled. Self-service functions for password resets, automated authorization assignment and traceable recertification processes make security tangible for users without burdening IT operations. The focus is on ensuring that security is not perceived as a disruptive element, but as a natural part of digital interaction. User-friendly authentication and clear access management thus reduce the typical frictional losses when logging in and assigning rights without lowering the level of protection.
The ideal state is achieved when users consciously use security aspects because using them involves less effort and more convenience than deliberately doing without them. This is precisely where security acceptance arises and thus an important basis for ensuring that security concepts are actually put into practice in everyday life. How well this approach works can be seen in practice. Our BAYOOSOFT Access Manager is widely accepted in daily use because users can manage authorizations, identities and password resets independently and without long waiting times. This makes cybersecurity by usability a tangible experience in everyday working life.
User-friendly design for more cybersecurity
User-friendly design plays a key role in the implementation of cybersecurity by usability. Users should be involved in the design process from the outset so that security aspects are not seen as an afterthought. Methods such as user research, prototyping and usability testing help to test operating concepts against real usage requirements at an early stage. In the BAYOONET Group, we work closely with our sister company UID, which has specialized in UX design and human-centered product development for over 25 years. Just a few principles can significantly increase the quality of a product’s safety aspects.

Separation of identification and authentication
A password is required for authentication, but not for identification. The motto for identification should be: easy to remember, hard to crack. A five-digit PIN with a limited number of attempts and a gradually expanding input window until the next attempt is much more secure in many contexts than a large number of complex passwords. Context-sensitive authentication takes up precisely this idea by adapting authentication mechanisms to the context and risk profile.
Reduction of required safety-relevant user knowledge
A secret that users do not know cannot be leaked or lost. In the context of the respective application, it must therefore be analyzed whether and how the users must be involved in security-relevant processes. Wherever technically possible, critical information should remain in the system instead of being the responsibility of individuals. This not only reduces the risk of human error, but also the cognitive burden for users.
User feedback during data processing
A major security risk is irrational user behavior. Anyone who feels insecure under time pressure or due to a lack of feedback from the system tends to be aggressive, click multiple times or make hectic corrections. It is precisely these reactions that lead to incorrect use of the product, for example by accidentally or repeatedly executing functions, or even to data manipulation or data loss. Visible feedback loops during ongoing processes provide security and prevent operating errors.
Clear error messages
Software is not error-free. However, users should not be left alone in the event of an error. Clear information on cause and effect prevents the irrational user behavior described above and provides guidance in precisely those moments when users would otherwise resort to unsafe workarounds. Comprehensible error communication is therefore not a design detail, but a concrete contribution to information security.
Visual identification of user and admin as well as test and live environment
Parallel open applications quickly cause confusion, especially when users are under time pressure to make settings. It becomes critical, for example, if they unknowingly adjust configurations and operations on a live environment instead of a test environment. A clear visual separation of security-critical roles and environments prevents such operating errors and is one of the most effective measures against unintentional data manipulation in complex system landscapes.
