You’ve got your design together. You’ve thought about the happy path your users will take, and the successes to come. After you take a moment to bask in the glow of your solution, it’s time for a change of perspective. Start thinking like an hacker by putting on your infosec hat — time to anticipate how it could break so you can build in some safeguards.
Failure is always an option
The first step towards an infosec mindset is to willfully make your design fail. Here’s a quick primer of the many ways you can try to break it that are a good proxy for what may happen in actual use.
Been using beautiful images in your designs..? If your product depends on user-generated content, let ’em go. Whittle your design down to just one, or to no content at all, to simulate a low-engagement experience. Or, starve your design of variety: fill up your product with the same kind of content from different sources, or content all from the same source. Make your content poor quality, awkwardly large or small, or spammy in nature. If that’s the content you see, what happens to how you feel about using the product?
Does your product need a reliable internet connection for some or all of its functionality? Shut off your connectivity and try to start using it. Better yet, leave it in a state with something important or useful is half-finished and imagine what happens if you have no connection, or when a connection returns.
Is it usable in other situations? The way people interact with the world varies, and you don’t need to be an expert on accessibility or internationalization to anticipate some of those differences. Try using a smaller screen or window that you typically do, to see what you can see. Restrict yourself to a single type of input (just your keyboard, just your cursor, or just voice or gesture if either is available) and see how far you can get. Imagine you have difficulty reading and use only the layout and the most prominent words to figure out what to do. Imagine any text doubled in length.
Are you paying too much attention? Be as distracted as your users likely are. Try rushing through your product and take the obvious options without reading them. Try walking away from it partway through the flow and come back to it a few minutes/hours later. See if you can make sense of where you end up.
Disruption for fun and profit
Once you’ve exhausted those, get to the heart of the infosec mindset and imagine the sneakier ways your product may be disrupted.
There may be both technological and social ways to exploit your product. When thinking of technology, take a hacker’s approach. How could you game the system? Or automate it? What valuable data could you try to access? Alternatively, take the social engineering approach: how could misrepresent yourself to gain special access? How could you take advantage of other people’s confidence?
Either approach could reveal weaknesses in the system. Take those weaknesses and think of the things an unsavory type might do for fun or profit. What might you do if you chose to be willfully destructive? What might you do if you were looking to make money from it?
The infosec approach is valid when designing any systems of trust: especially products involving commerce, protected data, and multi-user interactions. Security, exploits, and failsafes are all considerations in programming. Why not think about them in the realm of design too?
You’re probably already in the habit of walking a mile in a user’s shoes. Be sure to break out your infosec hat once in a while to spot the things that can make them stumble.