
Designing Security-Friendly UX: Why Usability Wins in Reducing Workarounds

MINAKSHI DEBNATH | DATE: DECEMBER 11, 2025



People don’t want to be “bad actors.” People just want to finish their tasks quickly, without hassle. If safety rules slow them down, folks tend to skip around them, and faster but risky shortcuts pop up. Building UX that works with security, not against it, cuts out those detours, slashes danger, and helps teams move better and feel better too. Ahead: what’s really going wrong, real-world proof from studies and companies, stories from the field, plus hands-on fixes you can start using now. Security that’s hard to use gets bypassed; bypasses create real risk.


Why that matters


  • Industry incident analysis shows the human element (errors, misconfigurations, social engineering, etc.) played a role in a large majority of breaches in 2024: the DBIR finds the human element was a component of 68% of breaches.

  • Large breach-cost studies show that IT failures and human error account for a substantial share of incidents, roughly 22–25% of breaches in major industry analyses. Reducing those human-factor failures has measurable financial impact.


These numbers make the core point plain: users are a primary factor in real-world security outcomes. That means improving the user-facing side of security is not optional; it’s a high-leverage control.


How workarounds form


Workarounds are often empathetic acts, not malice. A nurse who logs in with a colleague’s credentials to administer time-sensitive meds, a salesperson who shares a password to avoid missing a client call, or an engineer who bypasses a slow VPN during a production incident: these are symptoms of design friction colliding with real human needs.


Research into workplace and healthcare settings shows this clearly: when workflows are interrupted by poorly designed systems, users create informal fixes that restore flow but undermine safety, and these workarounds can lead directly to errors and breaches. Systematic reviews of clinical workarounds find they most often occur because EHRs and related systems don’t fit clinicians’ workflows, and they pose significant safety risks.


Usability × Security: the scholarly consensus



A quarter-century of usable security research repeatedly finds the same human patterns: when security is painful, people choose convenience over strict compliance, often in ways that reduce actual security. Designing security with usability in mind (sometimes called “usable security”) improves adherence to controls, reduces shadow practices, and increases overall system resilience.


One practical example from authentication research: risk-based authentication (RBA), which adapts friction to the risk context, is often perceived in user studies as more usable than, and comparably secure to, many step-up 2FA approaches, illustrating that smarter UX choices can deliver both security and user acceptance.


Case studies


Case study 1 - Healthcare: EHR workarounds and patient safety

Several reports suggest nurses often find shortcuts when electronic records take too much time, say, while giving meds. Such fixes might lead to mistakes in treatment or missing notes. The research synthesis shows workarounds are commonly triggered by poor usability or mismatches between system workflows and clinical practice, and that redesigning interfaces and workflows reduces the frequency of dangerous shortcuts.


Case study 2 - Enterprise: authentication friction and shadow IT

Across industries, teams frustrated by slow or intrusive authentication sometimes adopt shadow IT (personal cloud services, shared accounts) so work can proceed. Industry breach and compliance reports link these human responses to measurable incidents and to longer detection/containment times, meaning the convenience gained by workarounds often costs more later in risk and remediation. (See the DBIR and breach-cost analyses referenced above.)


Practical design principles to prevent workarounds



Here are concrete, UX-centric strategies that teams can adopt right away.

  • Build for how folks really do their job: watch them closely while they work, like during shadow sessions or real-time interviews, so you can shape tools that match their flow instead of forcing new habits. (Healthcare research above shows the cost of mismatch.)

  • Risk-based checks: add hurdles only if danger shows up, like extra login steps when actions seem off.

  • Default to the secure path: make the secure option the easiest, fastest, and most convenient by default (single click, SSO, integrated device auth).

  • Ease mental effort: don’t overwhelm people with tricky rules. Swap jargon for plain words, reveal info step by step, and add hints right where they’re needed, so folks do the right thing without stress or guesswork.

  • Fix things fast instead of pointing fingers: create clear, do-it-yourself ways to regain access, like simple reset options, so people don’t pass around passwords when shut out.

  • Communicate the ‘why’: humanize policies. Explain the business reason for a control in plain terms so people understand the tradeoffs and feel part of the solution rather than policed.
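The "risk-based checks" principle above, sketched as an added example that is not part of the original article. The signal names, weights and thresholds are assumptions chosen for illustration; the function returns the reasons alongside the decision so the interface can explain the 'why' in plain words.

```python
from dataclasses import dataclass

# Hypothetical signal weights and thresholds, chosen for illustration only.
WEIGHTS = {"new_device": 30, "new_country": 30, "odd_hour": 10, "sensitive_action": 25}
STEP_UP_AT = 40   # at or above: ask for a second factor
BLOCK_AT = 80     # at or above: refuse and route to self-service recovery

@dataclass
class LoginContext:
    device_id: str
    country: str
    hour: int                 # local hour, 0-23
    sensitive_action: bool    # e.g. changing payout details

@dataclass
class UserHistory:
    known_devices: set
    known_countries: set
    usual_hours: range

def risk_signals(ctx, hist):
    """Return the names of the risk signals that fired for this request."""
    fired = []
    if ctx.device_id not in hist.known_devices:
        fired.append("new_device")
    if ctx.country not in hist.known_countries:
        fired.append("new_country")
    if ctx.hour not in hist.usual_hours:
        fired.append("odd_hour")
    if ctx.sensitive_action:
        fired.append("sensitive_action")
    return fired

def decide(ctx, hist):
    """Map the risk score to the least friction that still covers the risk."""
    fired = risk_signals(ctx, hist)
    score = sum(WEIGHTS[s] for s in fired)
    if score >= BLOCK_AT:
        action = "block"
    elif score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    # The fired signals double as user-facing reasons for any added friction.
    return action, score, fired
```

A routine login from a known device scores zero and sees no extra prompt; friction appears only as signals accumulate.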


A short checklist for teams


  • Swap a tedious task, like typing passwords or using a standalone VPN app, for something easier, like automatic login or built-in device approval.

  • Try risk-based auth with some users, then check if support calls go down.

  • Log and review shadow IT indicators weekly; treat the top 3 apps as signals for design change.

  • Share one short human story internally each month about how a UX fix prevented a workaround; make successes visible.
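One way to run the weekly shadow IT review from the checklist, as an added example that is not part of the original article. The log format, host names and sanctioned list are constructed for illustration; hosts are ranked by distinct users rather than request volume, since many people reaching for the same tool is the stronger design signal.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: timestamp, user, destination host.
SAMPLE_LOG = """\
2025-12-01T09:14:02 alice files.example.net
2025-12-01T09:20:41 bob files.example.net
2025-12-01T09:55:10 alice files.example.net
2025-12-02T11:02:10 carol notes.example.org
2025-12-02T11:05:33 alice sso.corp.example
2025-12-03T15:45:00 dave files.example.net
2025-12-03T16:01:12 bob chat.example.com
2025-12-04T08:30:09 carol chat.example.com
2025-12-04T10:12:54 erin convert.example.test
malformed line
2025-12-09T09:00:00 alice notes.example.org
"""

# Assumed allowlist of sanctioned services (hypothetical names).
SANCTIONED = {"sso.corp.example", "mail.corp.example"}

def weekly_top_unsanctioned(log_text, sanctioned, top_n=3):
    """Per ISO week, rank unsanctioned hosts by number of distinct users."""
    users = defaultdict(lambda: defaultdict(set))  # week -> host -> users
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the review
        ts, user, host = parts
        try:
            year, week, _ = datetime.fromisoformat(ts).isocalendar()
        except ValueError:
            continue  # unparseable timestamp
        host = host.lower()
        if host in sanctioned:
            continue
        users[f"{year}-W{week:02d}"][host].add(user)
    report = {}
    for wk, hosts in users.items():
        # Most distinct users first; ties broken by host name for stable output.
        ranked = sorted(hosts.items(), key=lambda kv: (-len(kv[1]), kv[0]))
        report[wk] = [(h, len(u)) for h, u in ranked[:top_n]]
    return report
```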


Conclusion: security is a human product


Security technology will always be necessary, but the point of technology is to help humans do things well. When we design security as an obstacle, we force users to choose between safety and getting the job done, and they will choose the latter. When we design security as a collaborator (adaptive, understandable, and convenient), we reduce the root causes of workarounds and shift the human element from a liability to an asset.


Citations/References

  1. Cost of a data breach report 2024. (2024). https://table.media/wp-content/uploads/2024/07/30132828/Cost-of-a-Data-Breach-Report-2024.pdf

  2. Verizon Business. (2024). 2024 Data Breach Investigations Report (DBIR). Verizon. https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf

  3. Hospital clinicians’ EHR “workarounds” pose risk to patient safety and quality, study finds. (2019, March 11). Fierce Healthcare. https://www.fiercehealthcare.com/tech/hospital-clinicians-ehr-workarounds-pose-risk-to-patient-safety-quality-study-finds

  4. Patil, A. (2025, June 19). Shadow IT in the Cloud: Risks and mitigation strategies. SecPod Blog. https://www.secpod.com/blog/shadow-it-cloud-risks-mitigation-guide/

  5. Garnham, C. (2023, March 21). What is a UX Strategy? Overview, Best Practices & Examples. https://dovetail.com/ux/ux-strategy/

  6. Wiefling, S., Dürmuth, M., & Lo Iacono, L. (2020). More than just good passwords? A study on usability and Security perceptions of risk-based authentication. Annual Computer Security Applications Conference, 203–218. https://doi.org/10.1145/3427228.3427243

  7. Reuter, C., Lo Iacono, L., & Benlian, A. (2022). A quarter century of usable security and privacy research: transparency, tailorability, and the road ahead. Behaviour and Information Technology, 41(10), 2035–2048. https://doi.org/10.1080/0144929x.2022.2080908

  8. Gulati, B., & Gulati, B. (2025, April 7). UX Design Principles: The 10 rules behind products Users love. Thoughts about Product Adoption, User Onboarding and Good UX | Userpilot Blog. https://userpilot.com/blog/ux-design-principles/


Image Citations:

  1. Dhruv, V. (2025, January 20). The Role of Cybersecurity in UX/UI Design - UI UX Design vs Cybersecurity. Better Experience Design. https://yellowslice.in/bed/the-role-of-cybersecurity-in-ux-ui-design/

  2. Ropstam Solutions Inc. (2025, July 3). Best Tips and Tricks To Enhance Security with UI/UX Design. https://www.ropstam.com/tips-and-tricks-to-enhance-security-with-ui-ux-design/


 
 
 
