Heidi Trost: Human Centered Security

Tue Mar 25 2025

In our conversation with security UX expert Heidi Trost, we learn about the metrics we can use to measure the quality of the security experience, why the login/password recovery is so broken—even for companies that are good at UX design—and some ways to approach user testing for security.

Summary

Podcast Summary: Design Better - Episode Featuring Heidi Trost on Human Centered Security

Podcast Information

Title: Design Better
Host: The Curiosity Department, LLC (co-hosted by Eli Woolery and Aaron Walter)
Description: Design Better explores the intersection of design, technology, and the creative process through conversations with inspiring guests across various creative fields. The podcast aims to help listeners hone their craft, unlock creativity, and master the art of collaboration.
Episode Title: Heidi Trost: Human Centered Security
Release Date: March 25, 2025

Introduction to the Episode

In this episode of Design Better, co-hosts Eli Woolery and Aaron Walter engage in a profound discussion with Heidi Trost, the author of "Human Centered Security: How to Design Systems that Are Both Safe and Usable." Heidi brings a unique perspective to the table by merging her expertise in user experience (UX) research with cybersecurity, challenging the conventional notion that humans are merely the weakest link in security infrastructures.

Guest Background and Motivation

Aaron Walter introduces Heidi Trost, highlighting her recent publication and her focus on designing secure and resilient systems without solely blaming users for security breaches. This conversation stems from shared frustrations with the cumbersome aspects of security implementations, such as password recovery systems, even within well-designed platforms like Apple.

Notable Quote:

Heidi Trost [00:02]: "You have kind of the user's focused attention during onboarding and setup, and their decisions at this point in time could mean whether or not their account gets compromised later."

The Complexity of Designing Security UX

Heidi delves into why crafting a user-friendly security experience is challenging. She outlines a dynamic ecosystem involving three primary players:

Alice (End User): Interacts with the system and makes security-related decisions.
Charlie (Security UX): Represents the security mechanisms that can sometimes hinder Alice’s experience.
Threat Actors: Seek to exploit vulnerabilities by manipulating Alice.

Heidi explains that the interplay among these players creates a constantly evolving landscape where improving security measures often leads to new challenges.

Notable Quote:

Heidi Trost [07:01]: "The design of the system influences what Alice does. What Alice does influences what the threat actor does. It's this constantly changing ecosystem that's very dynamic."

Scope of Security in UX Design

When discussing the broader scope of security beyond just login experiences, Heidi emphasizes that security impacts every stage of the user journey. From initial interactions like reading privacy policies to ongoing activities such as setting up two-factor authentication, each touchpoint presents opportunities to enhance or weaken security.

Key Points:

Onboarding and Signup: Initial setup is critical as users make decisions that affect their long-term security.
Password and Authentication: Challenges with password complexity and the integration of password managers can hinder user experience.
Ongoing Interactions: Regular tasks like account recovery and responding to security alerts are pivotal moments where user experience can significantly impact security outcomes.

Notable Quote:

Heidi Trost [10:14]: "UX security impacts end users at every part of the user journey, right? So if you think about when users are considering even using or buying your product, they're reading your privacy policy... these are places where you're making security and privacy choices."

Metrics and Frameworks for Measuring Security UX

Heidi introduces Adam Szostak's threat modeling framework as a foundational tool for assessing and improving security user experiences. The framework involves:

Define What Security and Privacy Mean: Establish clear definitions tailored to the product and its users.
Identify High-Impact Areas: Focus on touchpoints like signup, login, and personal information handling where security decisions are critical.
Assess Potential Risks: Analyze what can go wrong at each touchpoint from both user and threat actor perspectives.
Collaborative Problem-Solving: Use "How might we" statements to foster cross-disciplinary collaboration in finding solutions.

Notable Quote:

Heidi Trost [19:56]: "Remembering the security user experience is not something that we want to tackle all by ourselves. It's a cross disciplinary collaboration, cross disciplinary effort."

Enhancing Cross-Disciplinary Collaboration

Heidi stresses the importance of integrating insights from various teams—UX, security, engineering, and legal—to create a balanced and effective security strategy. She advocates for early and continuous collaboration to ensure that security measures are both robust and user-friendly.

Key Strategies:

Early Involvement: Engage all relevant teams from the outset to align objectives and understand constraints.
Ongoing Communication: Maintain open channels between teams to address emerging security challenges collaboratively.
Balancing Security and Usability: Strive to protect user information without imposing unnecessary friction in the user experience.

Notable Quote:

Heidi Trost [15:11]: "You have to find that balance of we're protecting information, right? And by protecting information, we're protecting humans."

User Testing in Security UX

Addressing the difficulties in user testing for security features, Heidi offers practical advice:

Leverage Secondary Research: Utilize existing studies in usable security and privacy to inform your testing approach.
Incorporate Security Observations in Non-Security Studies: Integrate security-related questions and observations into general UX research to avoid influencing user behavior.
Utilize Internal Insights: Gather feedback from customer-facing teams like customer success and product management to understand security pain points.
Ethical Considerations: Ensure that security testing does not negatively impact users or make them feel compromised.

Notable Quote:

Heidi Trost [24:41]: "Security and privacy issues have like visceral impacts on people. ... You want to leave your participants better than when they started."

Understanding Passkeys vs. Traditional Passwords

Heidi explains the concept of passkeys as an alternative to traditional passwords, emphasizing their potential to enhance both security and usability. Passkeys utilize biometric authentication methods or device-based authentication to streamline the login process, reducing the reliance on complex and often forgotten passwords.

Key Points:

Passkeys: Authenticate using the same method as device login (e.g., facial recognition, fingerprint).
Advantages: Simplifies the user experience by eliminating the need to remember multiple passwords.
Challenges: User confusion and lack of awareness hinder the adoption of passkeys, despite their benefits.

Notable Quote:

Heidi Trost [29:08]: "A passkey might actually be the best option for her [Alice], might actually be a more usable option for her. But she's looking at this prompt and being like, I don't even know what this is."

Personal Insights and Inspirations

Towards the end of the episode, Heidi shares her personal reading and viewing preferences, highlighting a shift from security-focused literature to more diverse genres like science fiction. She mentions enjoying "Hail Mary" by Andy Weir and watching the series "Severance," which enrich her creativity and provide a balanced perspective outside her professional focus.

Conclusion and Further Resources

Heidi Trost concludes by directing listeners to her LinkedIn profile, where she publishes a weekly newsletter, and her podcast, "Human Centered Security," available on major platforms like Apple Podcasts and Spotify. She emphasizes the importance of continuous learning and cross-disciplinary collaboration in advancing both security and user experience.

Notable Quote:

Heidi Trost [32:09]: "LinkedIn is probably the best place to find me. So I publish a newsletter on LinkedIn just about every week."

Final Thoughts

This episode of Design Better offers a comprehensive exploration of the intricate relationship between user experience and cybersecurity. Heidi Trost provides valuable insights into designing security systems that are not only robust but also user-friendly, advocating for a holistic and collaborative approach. By addressing common pain points and proposing actionable strategies, Heidi equips designers and organizations with the knowledge to create more secure and resilient products.

For those interested in enhancing their understanding of human-centered security design, Heidi Trost's "Human Centered Security" is a recommended read, available through Rosenfeld Media.

Connect with Heidi Trost:

LinkedIn: Heidi Trost
Podcast: Human Centered Security

Support the Podcast:

Become a Premium subscriber at designbetterpodcast.com

End of Summary

Summary

Podcast Summary: Design Better - Episode Featuring Heidi Trost on Human Centered Security

Podcast Information

Title: Design Better
Host: The Curiosity Department, LLC (co-hosted by Eli Woolery and Aaron Walter)
Description: Design Better explores the intersection of design, technology, and the creative process through conversations with inspiring guests across various creative fields. The podcast aims to help listeners hone their craft, unlock creativity, and master the art of collaboration.
Episode Title: Heidi Trost: Human Centered Security
Release Date: March 25, 2025

Introduction to the Episode

Guest Background and Motivation

Notable Quote:

Heidi Trost [00:02]: "You have kind of the user's focused attention during onboarding and setup, and their decisions at this point in time could mean whether or not their account gets compromised later."

The Complexity of Designing Security UX

Heidi delves into why crafting a user-friendly security experience is challenging. She outlines a dynamic ecosystem involving three primary players:

Alice (End User): Interacts with the system and makes security-related decisions.
Charlie (Security UX): Represents the security mechanisms that can sometimes hinder Alice’s experience.
Threat Actors: Seek to exploit vulnerabilities by manipulating Alice.

Heidi explains that the interplay among these players creates a constantly evolving landscape where improving security measures often leads to new challenges.

Notable Quote:

Heidi Trost [07:01]: "The design of the system influences what Alice does. What Alice does influences what the threat actor does. It's this constantly changing ecosystem that's very dynamic."

Scope of Security in UX Design

Key Points:

Onboarding and Signup: Initial setup is critical as users make decisions that affect their long-term security.
Password and Authentication: Challenges with password complexity and the integration of password managers can hinder user experience.
Ongoing Interactions: Regular tasks like account recovery and responding to security alerts are pivotal moments where user experience can significantly impact security outcomes.

Notable Quote:

Heidi Trost [10:14]: "UX security impacts end users at every part of the user journey, right? So if you think about when users are considering even using or buying your product, they're reading your privacy policy... these are places where you're making security and privacy choices."

Metrics and Frameworks for Measuring Security UX

Heidi introduces Adam Szostak's threat modeling framework as a foundational tool for assessing and improving security user experiences. The framework involves:

Define What Security and Privacy Mean: Establish clear definitions tailored to the product and its users.
Identify High-Impact Areas: Focus on touchpoints like signup, login, and personal information handling where security decisions are critical.
Assess Potential Risks: Analyze what can go wrong at each touchpoint from both user and threat actor perspectives.
Collaborative Problem-Solving: Use "How might we" statements to foster cross-disciplinary collaboration in finding solutions.

Notable Quote:

Heidi Trost [19:56]: "Remembering the security user experience is not something that we want to tackle all by ourselves. It's a cross disciplinary collaboration, cross disciplinary effort."

Enhancing Cross-Disciplinary Collaboration

Key Strategies:

Early Involvement: Engage all relevant teams from the outset to align objectives and understand constraints.
Ongoing Communication: Maintain open channels between teams to address emerging security challenges collaboratively.
Balancing Security and Usability: Strive to protect user information without imposing unnecessary friction in the user experience.

Notable Quote:

Heidi Trost [15:11]: "You have to find that balance of we're protecting information, right? And by protecting information, we're protecting humans."

User Testing in Security UX

Addressing the difficulties in user testing for security features, Heidi offers practical advice:

Leverage Secondary Research: Utilize existing studies in usable security and privacy to inform your testing approach.
Incorporate Security Observations in Non-Security Studies: Integrate security-related questions and observations into general UX research to avoid influencing user behavior.
Utilize Internal Insights: Gather feedback from customer-facing teams like customer success and product management to understand security pain points.
Ethical Considerations: Ensure that security testing does not negatively impact users or make them feel compromised.

Notable Quote:

Heidi Trost [24:41]: "Security and privacy issues have like visceral impacts on people. ... You want to leave your participants better than when they started."

Understanding Passkeys vs. Traditional Passwords

Key Points:

Passkeys: Authenticate using the same method as device login (e.g., facial recognition, fingerprint).
Advantages: Simplifies the user experience by eliminating the need to remember multiple passwords.
Challenges: User confusion and lack of awareness hinder the adoption of passkeys, despite their benefits.

Notable Quote:

Heidi Trost [29:08]: "A passkey might actually be the best option for her [Alice], might actually be a more usable option for her. But she's looking at this prompt and being like, I don't even know what this is."

Personal Insights and Inspirations

Conclusion and Further Resources

Notable Quote:

Heidi Trost [32:09]: "LinkedIn is probably the best place to find me. So I publish a newsletter on LinkedIn just about every week."

Final Thoughts

For those interested in enhancing their understanding of human-centered security design, Heidi Trost's "Human Centered Security" is a recommended read, available through Rosenfeld Media.

Connect with Heidi Trost:

LinkedIn: Heidi Trost
Podcast: Human Centered Security

Support the Podcast:

Become a Premium subscriber at designbetterpodcast.com

End of Summary

wavePod

Heidi Trost: Human Centered Security

Powered by Wave AI

Summary

Introduction to the Episode

Guest Background and Motivation

The Complexity of Designing Security UX

Scope of Security in UX Design

Metrics and Frameworks for Measuring Security UX

Enhancing Cross-Disciplinary Collaboration

User Testing in Security UX

Understanding Passkeys vs. Traditional Passwords

Personal Insights and Inspirations

Conclusion and Further Resources

Final Thoughts

Summary

Introduction to the Episode

Guest Background and Motivation

The Complexity of Designing Security UX

Scope of Security in UX Design

Metrics and Frameworks for Measuring Security UX

Enhancing Cross-Disciplinary Collaboration

User Testing in Security UX

Understanding Passkeys vs. Traditional Passwords

Personal Insights and Inspirations

Conclusion and Further Resources

Final Thoughts