Type Synth | Amy Keeney

Secure by Design: a UX Toolkit

In support of Microsoft's Secure Future Initiative, I was part of a community of cross-company experts tapped to build a UX toolkit that would help anyone in UX uphold our promise to make products "Secure by Design."

My contributions centered not only on developing the right language to contextualize security concepts for UX professionals often intimidated by the security space, but also contributing to the design of a program that fit existing UX workflows and processes.

The problem

Microsoft's Secure Future Initiative is a company-wide commitment to ship products that are secure by default. The piece UX owns: making sure the experiences themselves don't create risk. Security expertise often lives in security teams; UX practitioners need a way to apply that expertise to their own work without having to become security engineers themselves.

The work

I was part of a cross-company group tapped to build the toolkit. My contribution was in two places:

  • Language and concept translation. Security concepts are often intimidating to UX practitioners. A lot of the toolkit's work was finding ways to talk about security risk that don't require UX folks to become security experts.

  • Program design. A toolkit that doesn't fit existing UX workflows gets ignored. We designed the program around the way UX teams actually work, not around the way security teams wished they would.


We piloted the program through learning sessions, presentations, and workshops. I co-led some of those workshops, with audiences that grew to nearly 300 people at a time.

Workshops, by design

Workshops were designed to reveal tensions and inspire difficult conversations: between UX and security, between product and security, and inside individual designers' heads about whether they actually understood the risks in their own work.

Product teams who went through the process reported finding issues to fix. Which, frankly, was the goal.

Outcomes + what's next

The toolkit was featured publicly on the Microsoft.design website and referenced in the Microsoft public progress report for the Secure Future Initiative. I'm acknowledged as a key contributor in the published article.

As for what's next, we've begun applying what we learned to emerging threats like XPIA and data poisoning, which are reshaping what "secure" even means as AI is built into more products.

What I learned

The right language is often the unlock. A discipline that feels inaccessible to its neighbours doesn't get the collaboration it needs. Reading level is a problem in security writing the same way it is in privacy writing.

A toolkit that doesn't fit existing workflows is just a binder. The program design was the harder half of the work; the words were easier once we knew how UX teams would actually use it.