Information Security Metrics: Stop Measuring Engagement and Start Measuring Invisibility

February 16, 2021

By: Alon Blum, Head of Product at Votiro

One of the most effective and standard metrics companies measure their products by is user engagement. Tracking how users interact with your product is very important to understand whether the product creates real value over time. The exact definition of user engagement should be unique for each product or service; typically it revolves around a set of actions taken with the product, such as clicks, downloads, views, etc.

However, security products that adopt this metric often end up optimizing their products in the wrong direction. Let’s explore why.

Building Engagement

Maximizing user engagement is one of the biggest challenges when building products. In his influential book, Hooked, Nir Eyal describes a model he built to encourage users to repeatedly engage with a product. The model describes four main steps:

  • Trigger – create external and internal triggers to use the product
  • Action – generate action and promise a reward
  • Variable reward – make the reward unexpected
  • Investment – cause users to accumulate value in the product

The model is built to form habits around the product’s usage in order to make users come back to the product more often and for a longer duration of time.

Making Money

User engagement is typically correlated to profit generation. The more time and attention users dedicate to a product, the easier it is to convert that engagement into income. A non-security example is that advertisers recognize the value of having access to highly engaged users and are willing to pay more for advertising on platforms with high engagement.

Engagement as a Growth Engine

User engagement in many industries is considered the basis for growth. Highly engaged users tend to be more loyal over time, sharing and recommending the product to others.

Getting Funding

When companies seek funding, they can either show revenue or traction, indicating there is revenue in the future. Without revenue, daily and monthly active users can count as traction. However, these are vanity metrics that can be manually increased and do not necessarily predict future success.

On the other hand, user engagement indicates that the users find actual value in the product, even after removing the artificial incentives they received during the marketing, sales, and onboarding processes.

No Wonder Security Products Are Getting It Wrong

Because user engagement is one of the most critical metrics in B2C and B2B products, and is considered one of the most reliable ways to measure whether a product is creating value, it is not surprising that Information Security product designers are aiming to build user engagement into products.

However, in many cases, this is fundamentally wrong. As strange as it may sound, security products are not there to engage users. Security products that aim to engage users are misunderstanding their role.

If My Product Is Not Noticed, Customers Will Not Renew the Subscription

No one wants to build a product that is so utterly invisible that your users are not even aware they are using it. Still, the question security companies should be asking themselves is: who’s problem are you really trying to solve, yours or your users?

And that involves segmenting your users into at least 2 categories: end users and security users.

End Users Don’t Care—And Don’t Want to Hear—About Your Product

End users want to do their job without security tools, rules, and protocols getting in their way. Your company will not get a pat on the back if you stop a threat from entering the organization, but you will receive a ton of rage and frustration when you disrupt work and workflows. If you are honest with yourself, the best you can do with end-users is to protect them while being completely invisible.

Security Teams Need to Know Your Value—But They Don’t Need to Touch Your Product All Day!

There is a common trope in cybersecurity about the “single pane of glass” dashboard. The dashboard is the control panel/analytics and proves the security tools’ value…but every security solution wants you to look at THEIR dashboard…instead of fitting into the existing security ops. This is an attention grab, instead of flowing metrics & threat intel into a security user’s existing and preferred method!

Votiro’s Strategy For End-User Satisfaction

At Votiro, we recognize that the secret to creating a great security product user experience for all users is to ensure that it:

  • Provides the highest level of security
  • Seamless integration into the existing security stack
  • While keeping end-users happy

Therefore, at Votiro, we invented an Invisibility information security metric. Under the assumption that unbothered end-users lead to happy administrators and executives, everything we do is aimed at leaving the end-users out of our processes. When we ask end-users what they think about “Votiro,” and they answer: “Who?”— we know we have succeeded.

An Invisibility Cloak For Your Users

Measuring invisibility is the exact opposite of how you would typically measure engagement. We created a sequence of events that represent negative signs of unwanted interaction with users, and we continually optimize this software security metric to get it to zero.

Once you overcome the psychological barrier of being invisible to the users you serve and shrug off the instinct of pushing your brand and benefits everywhere, you will find that optimizing your product for what really makes an impact becomes much easier.