Security systems are installed to ensure business continuity by mitigating security-related risks. The aim, in general, is to limit the chances of incidents happening and to limit the effect when they do occur.
In access control systems it means that only authorized people should get access to secured zones. Which implies that people need to be identified and that doors need to open. Access control, by definition, is limiting the freedom of people to move around. And whatever movement is left is monitored and stored in security event logs so that investigations can be carried out after a security incident has occurred. Video surveillance is of a similar nature. It is implemented to actively monitor situations and make sure that incidents are responded to swiftly. Footage is often stored to carry out research into security incidents.
People, in general, are okay with the somewhat restrictive and sometimes intrusive nature of security systems. Most of them understand the need for security measures. They will support the system by using their access control badges (or their fingerprint or another identifier) to get access. They understand that some doors need to stay closed. And most of them even understand that cameras and readers monitor their whereabouts for safety purposes.
However, people really do not like it when access control gets in their way while they are trying to do their jobs. If a door lock malfunctions too often or if a card reader is not working consistently, people will find their way around them. By physically keeping the door open for example. Which renders all your security policies and systems useless.
People also do not appreciate it when security systems are invading the last bit of privacy they have left when entering a well-secured corporate site. We often hear people saying: “If you’ve got nothing to hide, why would you mind your movements, behavior, and whereabouts being tracked and monitored?” But most of us will also acknowledge that security measures will need to be balanced against the level of trust that an organization has in its employees, contractors and visitors. And of course, there is an increase in legislation (GDPR) that protects the privacy of individuals.
People will support systems that do not get in their way. They will support security implementation they feel comfortable with. And they might even support systems better if these systems offer a great user experience. And they will love systems that actually help them better perform their job. But how often do you see us, security managers, really focus on user experience? We tend to focus on security policies and the technology to support them. We may think about people as a security risk. We seldom approach the human element in security as a positive force. Maybe it is time to widen our scope a little.
The Wheel of Convenience in Access Control
When thinking about a user’s security experience in general and in access control specifically, security managers seldom seriously ask themselves what users are confronted with when they use an access control system. Think about it, users must first be enrolled. They are offered a security credential when they do not have it yet. They are expected to carry that credential around all day. When entering a secured zone, they must present the credential to a reader of some sort. Then, if they are authorized, they may enter the door. If they lose their credential it needs to be replaced; for which their enrollment needs to be verified and a new credential issued. And the process starts again like a cycle in which most steps need to be carried out again and again.
Users are interfacing with the security system in each step. They are experiencing the usage of that system multiple times per day. Given the nature of this application, it is not likely that manufacturers and installers of access control systems are looking for a ‘WOW!-factor’. It is often not their aim to amaze the users of their systems. However, users are confronted with the access control system multiple times per day. Users should at least feel comfortable using the system. And they just might be even more supportive of the system if it exceeds their expectations with regard to the convenience aspect -- the user experience.
The Wheel in Motion
So how does the ‘Wheel of Convenience’ help the decision-making process when designing, planning and implementing an access control system, whether it is a building access control system or a vehicular access control system?
The idea is to look at a combination of identification technology, an access control system and the physical entry. For example, let’s use traditional access badges with any access system and doors with magnetic door locks in a fictional organization somewhere in the United States.
The enrollment is carried out at the reception. Which means that users must be physically present at the reception. To verify their identity, they are expected to show a valid picture ID. All relevant user data is then manually entered into the system, which often causes queues at the front desk.
The user obtains the access badge personally from the receptionist. It is handed over and sometimes users must sign a form which confirms the actual acceptance of the credential and the commitment to related corporate policies.
The user is then requested to carry it on a lanyard, so other employees can see the badge and verify the color-coded security level and sometimes a photo of the carrier.
When approaching a door, the user has to bend over to present the smart card to the RFID reader at a distance of a few inches at most.
To gain access the user often will have to manually open the door that is now unlocked.
If the user loses the card or if the card is not working, he/she must go back to the reception personally to get a replacement card.
What do you think? Is there room for improvement when it comes to the user experience that is offered to the employee? This scenario, however, is more or less the reality for millions of users of security systems worldwide.
Spinning the Wheel
Now if you look at each step in the process, there are tons of ways to add convenience to this access control experience.
Let’s, for example, compare the situation above with another combination: the card is replaced by a virtual access control card that is part of an app that uses BLE. The access control system is connected to BLE readers and has an interface “to the cloud”. The doors are replaced with automatic sliding doors.
Enrollment is done through an online boarding process.
The user obtains the access badge virtually in the app at a time and place that is convenient to him/her.
The user is instructed to carry the corporate (or BYOD) smartphone with the corporate app that includes the virtual access badge.
When approaching a door, the user or an event triggers the app to present the card to the RFID reader remotely using Bluetooth.
To gain access the user must just walk through the sliding doors that have automatically opened.
If something is not working correctly, the user has to use the app to get remote support and, for example, receive a replacement credential.
From a user perspective, this process appears much more convenient. There may be security considerations to rethink some of the steps in this process, but that will very much depend on the context in which this process is executed.
Many other combinations of security technology can be reviewed with the Wheel of Convenience in mind. Maybe camera systems are installed that support facial recognition. Maybe touchless four-finger fingerprint is used in the corporate smartphone, which is triggered by beacons that are installed near entrances. Or maybe a good old physical key is used with conventional door locks. Or pin-code terminals. Whatever combination of access control technology is implemented, it would always be beneficial to consider its value not only based on security characteristics but also from the user's perception.
It is my firm belief that adding convenience to security very often equals raising the security level of your organization. Remember, users make or break your security policies. Why not enhance their experience and increase their commitment to your security policies while doing that?
Maximum vs. Optimum Security Levels
The secured object may be data, a tangible asset, a process or a person. Maximum security would be to completely restrict any access from anyone to that data, process, asset or person. However, most data, processes, assets and people would lose their interaction value within their environment if access was impossible, yet having an environment with completely unrestricted access substantially raises the chances of harm being done to the secured object.
Security managers always strive for the optimum security level. And there is always a human element to consider. Why not consider these two design principles when implementing any security solution?
- People should, at the very least, feel comfortable being part of the security ecosystem. The system should not be intrusive to their daily operation.
- People should appreciate being part of the security ecosystem because it actually helps them to execute their daily operation better, quicker or in a more enjoyable fashion.
We live in exciting times where the level of technological innovation in our industry is enormous. Video analytics is constantly improving. Artificial intelligence and deep-learning algorithms seem to deliver a promise of automated performance improvements of monitoring and control systems. Smartphones and smart wearables offer new technological possibilities. The performance of RFID systems is still evolving. The convergence of physical and cybersecurity finally seems to be a reality. And cloud-based architectures enable global integration of security systems across boundaries never seen before. But all this security technology is worthless if it is not used (or used properly) by people.
Security technology and user experience must be a marriage of useful convenience. User-centric innovation will ensure a good marriage.
About the author: Maarten Mijwaart is the founder of the Security Industry Group on LinkedIn and on SecIndGroup.com, the new online security trade show. He started his company ‘Explicate’ at the beginning of 2019 to help bridge the gap of comprehension between sellers and buyers in technical industries. Before that, he was the MD of Nedap Identification Systems for nine years. He has worked professionally in the IT and security industry since 1996.