Over the last six months, we’ve been updating our Usable Security Audit Methodology to better reflect our current practices, the advances in our fields of interest, and accessibility as a core principle. Through an inventory of our tools and practices, surveying the field to find similar work we admire, and workshops with close collaborators and community members, we revamped our approach, which we’re now calling our User Experience Toolbox for Risk Mitigation and Accessibility.
By sharing our auditing approach and inviting collaboration, feedback, and community input, we also aim to provide software teams in the digital rights, human rights, and internet freedom spaces – including researchers, coaches, creators, designers, product managers, and engineers – with a set of resources that can be useful and adaptable to their unique context.
Evolving our approach
Beginning in 2014, Superbloom (then Simply Secure) worked with the Open Technology Fund Secure Usability and Accessibility (SUA) Lab to address what we perceived as the shortcomings of so-called “traditional’’ security audits and usability assessments, especially as they relate to open-source software projects. Traditional technical security audits serve a valuable purpose, namely identifying potential vulnerabilities in software code design and implementation. However, these audits do not traditionally focus on the socio-technical aspects of a tool that make systems insecure, e.g. the usability of a tool. We worked to close this gap by creating an audit methodology that evaluated security and privacy through the lens of user experience and usability. Since its creation, we have used this methodology as a framework for working with tools to improve security through usability and design.
But, a lot has changed – both for us at Superbloom and within our practitioner ecosystems – since 2014. With support from OTF SUA Lab and advice from Accessibility Lab, we set out to update the framework to better reflect the needs and values of our team and community.
Putting trust first
In today’s landscape of increasingly riskier digital experiences, successful software development requires more than just functionality and aesthetics. The multifaceted challenges faced by software teams require prioritizing user experiences while carefully addressing potential harms and respecting human rights. We designed this Toolbox to move beyond a set of heuristics that attempt to bridge usability, security, and accessibility towards a more holistic and modular approach to understanding and mitigating risk within human-centered tool design and development.
Our goal with this Toolbox is to foster trust among all stakeholders involved in the user experience being designed within a given tool or project. By empowering the users of these resources to evaluate the accessibility, risk, and security of the software tools and projects they work on through the lens of user experience and usability, we hope that practitioners learn to better prioritize the needs of the software’s intended users while addressing the vulnerabilities associated with its development.
Accessibility as a core principle
Special thanks to Accessibility Lab for advising on and providing resources for this Toolbox!
Accessibility practices and audits often happen in addition to, not in concert with, usable security reviews, and sometimes they don’t happen at all or are treated as afterthoughts or “nice to haves,” excluding huge swathes of people from their right to digital tools and information, not to mention basic dignity and equity. As UX practitioners, we’ve learned that there is interplay, overlap, and synergistic benefits between each of these aspects, and therefore, we sought to center accessibility as a core principle in this framework:
- The security and accessibility of your product are critical aspects of usability: If your software is not accessible, it is not truly usable; if your software is not secure, it is not truly usable; if your software is not usable, it is not truly effective.
- Usability 🤝 Security 🤝 Accessibility: We hope to warn against and work to break down the sometimes false dichotomies that arise when attempting to make software that is usable, secure, and accessible. For example, teams are often warned or worried that accessibility comes at the cost of security or usability. These concepts are mutually beneficial and dependent on one another, and importantly, non-competing.
- The benefits greatly outweigh the perceived and real costs: Making software that is usable, accessible and secure increases users, trust, and the legitimacy of the product. Considering these aspects as early as possible in a development cycle saves teams countless hours of work refactoring when problems arise later. Accessibility compliance can save a company or organization from discriminating against users and potential noncompliance litigation. All of these three aspects are green flags to funders looking to support sustainable software.
Our toolbox will evolve with our community
Our approach will shift over time in response to emergent technological considerations and best practices in human-centered design, as well as in response to feedback and contributions from the wider community. We intend for this resource to be updated annually at a minimum, and will continue to add resources via the Superbloom learning hub and our blog.
We enthusiastically encourage our community to contribute ideas, resources, and feedback to this framework. To do so, you may join us on Slack, contribute to the project on GitHub, or send us an email at [email protected].
Be sure to check out the full methodology here:
- User Experience Toolbox for Risk Mitigation and Accessibility
- Accessibility and Usability Heuristic Review
Credits
Project Contributors: Ngoc Trieu, Philliph Drummond, Veszna Wessenauer, Katie Wilson, Molly Wilson, Nancy Reyes, Saptak Sengupta, Georgia Bullen.
With support from the Open Technology Fund Secure Usability and Accessibility Lab.