Using empathy to improve technology

Aug 25, 2017 | 5 mins
Application Security, Developer, Technology Industry

Technical ability is only a starting point in developing useful, secure and powerful technology. If we take steps to better understand and represent a wider user base, we can get significantly improved financial results.


I’m sure we’ve all had the experience of trying to navigate some piece of software that is quite technically powerful, but so inscrutable as to be almost useless. Sometimes that software could be a widget that was built in-house and never meant to see wider distribution, and sometimes it’s a widely used application that’s sold for big bucks. One thing they all have in common is a lack of understanding or empathy for how people actually use this technology.

The stereotype of an engineer, especially a software engineer or a security practitioner, is someone who is technically-minded. But that really isn’t the only trait, or even necessarily the most important one, needed to do the job well.

Technical skill is only a starting point; the best technology in the world will still end up on the ash heap of history if no one uses it, or if it creates more problems than it solves. For software applications or security procedures to be successful, they need not only to address a demand, but also to do it in a way that is comfortable for people to use. Arguably, it is even more important to secure the human than just the data or devices.

Most (if not all) of us have been guilty of feeling that people “should” behave certain ways, in order to use software properly or to keep oneself safe online. But our theoretical mandates are irrelevant if real-life particulars dictate that people operate differently.

We probably all have our own personal pet peeves regarding vendors who misread how people actually use (or misuse!) technology. An inability to put oneself in another person’s metaphorical shoes leads to glitches in security, privacy, accessibility, localization, usability, and even the legality of technology. It’s not difficult to see how disasters in any one of these areas could cost everyone from users to manufacturers a lot in terms of lost productivity, sales, brand reputation or regulatory fines.

To some extent, failing to predict other people’s experiences completely is inevitable. If you’ve ever worked for a technical support organization or in a quality assurance department, you know that the variations in users’ software and hardware configurations can be truly mind-boggling. Likewise, our own personal life experiences will necessarily have a seemingly infinite number of variations. Even two people who share the same DNA can have significant differences.

Rather than treating this as an unsolvable problem, we should view this as an infinite opportunity. Even viewing this from a strictly financial perspective, the more varied the life experiences of a company’s employees are, the more the organization stands to gain.

Companies in the top quartile for racial and ethnic diversity are 35% more likely to have financial returns above national industry medians. Companies in the top quartile for gender diversity are 15% more likely to have financial returns above their national industry peers. Teams with members whose sexual orientation matches the target consumers’ are much more likely to understand that market.

It should be intuitively obvious to those of us preaching the difference between “checkbox compliance” and true security improvements that these financial benefits are only available when companies are truly trying to include a wide variety of people rather than just collecting employees who match a checklist of traits. Such lists are never comprehensive; if companies perform a thorough examination of what their current assets are and what types of skills or experiences they could benefit from incorporating, they are more likely to identify opportunities and vulnerabilities. Having a neutral third party assist in these examinations can also help detect blind spots.

The following list is not intended to be complete, but it may give you a starting point for factors to consider:

  • Age
  • Race
  • Ethnicity or ancestry
  • National origin
  • Gender identity
  • Sexual orientation
  • Socio-economic background
  • Educational background
  • Religious affiliation
  • Marital or domestic partner status
  • Family status
  • Veteran status
  • Disability status
  • Neurodiversity
  • Personality types
  • Thinking styles
  • Communication styles

To include a wider variety of people in your organization, you may need to address things that are limiting your ability to hire inclusively, or which may be causing high levels of attrition. Changes may be simple, or they may require cultural shifts such as moving from a more competitive environment to a more “just culture”. Project Include is a phenomenal resource for those looking to learn more about diversity and inclusion.

The technology industry has gotten to where it is by disrupting “business as usual”. For growth to continue, we need to disrupt our own “business as usual” habits. Failing to do so will ensure that we continue to have friction around hiring and employee retention, plus the security, usability and adoption of products. But if we succeed, we can create a rising tide to lift all boats.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all this change can be difficult for even the most tech-savvy users, she enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis and advice of security trends and events.

The opinions expressed in this blog are those of Lysa Myers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.