How encouraging empathy can help you to develop safer apps

Empathy probably isn’t the first word that comes to mind when you think about cybersecurity.

But maybe it should be.

After all, having empathy with your customers doesn’t only help you to create a more user-friendly app. It also helps you to make your app more secure.

Imagine yourself as the end user of your app, and you’ll think of lots of different scenarios for where and how it might be used. Attack vectors will come into focus that might have been hidden before.

And speaking of attack vectors, empathy doesn’t end with your customers.

Seeing the world from the hacker’s point of view might sound a bit strange at first, but it’s actually a vital exercise. Put yourself in their shoes and you’ll have a clearer picture of the data and logic most attractive to them. This can lead to game-changing insights you can use to come up with a risk analysis and threat model.

Then there’s the kind of empathy most likely of all to be overlooked - the understanding between different people involved in the app development process itself.

Misunderstandings and miscommunication between developers, designers, product managers, and security engineers are a common way for vulnerabilities to creep in over time. That’s why encouraging inter-team empathy and a wider perspective on app development is so important.

Do so, and you’ll fill gaps before they’re wide enough for hackers to squeeze through.

The importance of getting a different perspective

The Cambridge Dictionary defines empathy as the ability to share someone else's feelings or experiences by imagining what it would be like to be in that person's situation.

These days, empathy is pretty important in the world of marketing. Most forward-thinking businesses don’t even attempt to attract their prospects until they’ve tried to see things from their perspective.

That isn’t to say there aren’t still some old-school brands around. You might have come across them yourself. They act a bit like a travelling salesman from the 1950s - urging prospects to “step right up” and “buy now”, without knowing anything about them or their daily challenges. But fortunately they’re a dying breed.

If you’ve been involved in an app development process, chances are that you’ll have tried to see things from your end user’s point of view. You’ll probably have had workshops where you imagine them using the app and interacting with its many features.

Normally, though, this is only done with the objective of improving the UX of the app. Testing and improving usability is crucial, of course. But only empathizing with your customers so you can improve the user experience is a bit of a missed opportunity.

It should also shape your security planning.

Not too long ago we wrote about the concept of the zero trust world. We described it as a place full of malware, jailbroken devices, and outdated operating systems that don’t get the latest security updates. In other words, a very different world to the one you tend to picture when you first design your app.

Imagining yourself as the end user in this wild world is a must. Because by doing so, you expect the worst. You prepare yourself for what you can’t control as well as what you can.

Simply assuming that the security measures you have in place will be enough is asking for trouble in the modern world.

So, the process of putting yourself in your end user’s shoes is all about imagining future threats to your app’s security. But that’s just one half of using empathy for threat modelling.

The other half is imagining yourself as the hacker.

Our view of bad actors is often far too simplistic. We tend to think of the classic image of the mysterious hooded character sitting behind a computer screen, an image that was already popular before Mr Robot hit our screens several years ago.

It’s important to demystify the hacker if we want to defend against their attacks. And the best way to do that is to see things from their perspective. That means imagining the data and logic they’d be most interested in stealing or tampering with. It also means thinking about parts of the app’s architecture that could allow them a way in.

Do this consistently, and monitor how the risks in your app’s landscape are evolving, and you’ll be well-placed to counter threats.

Encouraging understanding in the development process

You can limit the number of routes open to hackers during the app development stage itself. But that relies upon clear communication and empathy across key roles in the business.

This isn’t always a given. Especially when so many of the tasks in app development are siloed.

Let’s take developers as an example. Typically they are assigned specific tasks that will contribute to the overall success of the project. This makes for a speedy, efficient way of working. But it does come with certain risks to security.

A lot of vulnerabilities creep into an app’s code during development because of a lack of clarity about responsibilities. A developer might be sure of his own tasks, but sometimes there are grey areas between those and the ones assigned to a colleague.

It’s these grey areas that hackers will attempt to profit from later.

A developer might also fear that he wouldn’t be rewarded for raising a concern that could delay the completion of his own work as well as the wider project.

The best way to eliminate these concerns and misunderstandings about responsibility is to encourage empathy, understanding, and open communication. In practice, this might mean product managers and leadership teams fostering a culture where people communicate clearly with one another. A culture where people feel confident about asking questions.

Developers and security engineers might sometimes get frustrated with one another. But this is often because of a lack of understanding about the daily challenges that each of them faces. If you think this might be true of your business, then it could be worth ringfencing some time for these two roles to shadow one another.

You’d be surprised how effective this is at increasing empathy and understanding.

We also recommend that product managers find time to discuss security and the wider project objectives in sprint planning and sprint retrospective sessions. This can help make sure that the goal of protecting the end user’s sensitive data is always top of mind - alongside other, individual objectives.

Future-proofing your app development

A lot of existing processes that lead to siloed working are there to speed things up. And realistically, more and more businesses will drive towards speedy digitization in the post-coronavirus world in order to stay competitive.

But as we’ve said on this site several times before, speed shouldn’t come at the expense of security.

Security isn’t like wrapping paper. It can’t be neatly sellotaped onto your app at the end of the development process, protecting it from outside threats. It’s a continuous journey that involves close communication and lots of imagined future scenarios.

Only seeing things from your own world view can be dangerous to your long-term success. It ignores other perspectives that might shine a light on potential threats that can be avoided early on.

We’re entering an age where consumers are set to be pretty unforgiving of any kind of data breach. The modern consumer wants to associate with businesses they can trust. Businesses that show that they care.

What better way to position yourself as such a company than by encouraging empathy?