This website was archived on July 21, 2019. It is frozen in time on that date.

Sonya Mann's active website is Sonya, Supposedly.

Behavior Design: Teaching Your Users Security

I presented this talk at CodeConf LA in June, 2016. The full slides are available on their own as a PDF, but the most relevant ones are included in the post below.


Hi, my name is Sonya Mann. I’m a tech enthusiast, freelance word person, and user of many websites, apps, and software products. This talk is aimed at people who make websites, apps, and software products. It’s about how you can nudge your users toward better security habits.

Forewarning: I’m going to use passwords as an example quite a bit, because they’re the most common security credential that regular users handle and control, but this way of thinking about things is not limited to passwords. Now let’s dive right in!

Behavior Design: Teaching Your Users Security

You may already know this, but typical users have bad security habits. It’s not because they’re stupid or lazy, but because they have different priorities. Most people aren’t judged at work or in their personal life by their password hygiene. And if they haven’t personally experienced an account takeover or identity theft, they’re not on high alert.

If you’re a quote-unquote “normal person” — sometimes we call them “non-technical people” or “people who aren’t paranoid hackers” — if you’re that kind of person, strong security habits don’t necessarily feel like they’re worth the hassle. Just in case you don’t believe me, I want to show you some stats.

password habits and password manager usage stats

SplashData is a password manager company that conducts an annual analysis of commonly used passwords. For the past five years straight the most popular passwords have been the number string “123456” and the word “password”. I find it disturbing that any application allows users to choose either of those values as their password!
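The remark above (that no application should accept "123456" or "password") is easy to act on at signup. The following is an added example, not code from the talk: a password check that refuses the values SplashData keeps reporting, catches the common trick of appending digits or symbols to one of them, and rejects passwords that contain the user's own identifier. The denylist is constructed for the demo from the two values named in the post plus a few obvious variants; a real deployment would load a much larger breached-password list.

```python
import unicodedata
from typing import Iterable, List

# Constructed denylist for this example. The two values named in the post
# are included; the rest are assumed common variants, not page data.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789",
    "letmein", "welcome", "admin",
}

MIN_LENGTH = 8
APPENDED_CHARS = "0123456789!@#$%^&*."


def normalize(value: str) -> str:
    """Fold case and Unicode width so 'PASSWORD' or full-width letters match."""
    return unicodedata.normalize("NFKC", value).strip().casefold()


def password_problems(pw: str, user_identifiers: Iterable[str] = ()) -> List[str]:
    """Return human-readable reasons to reject the password; empty means it passes.

    Returning every reason at once (rather than the first one) lets the signup
    form tell the user exactly what to change, which is the behaviour-design
    point of the talk: make the better choice the easy one.
    """
    problems: List[str] = []
    norm = normalize(pw)

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if norm in COMMON_PASSWORDS:
        problems.append("is one of the most common passwords")

    # 'password1!' is still 'password' once the trailing decoration is removed.
    stripped = norm.rstrip(APPENDED_CHARS)
    if stripped != norm and stripped in COMMON_PASSWORDS:
        problems.append("is a common password with digits or symbols appended")

    for ident in user_identifiers:
        if ident and normalize(ident) in norm:
            problems.append("contains your username or email")
            break

    return problems


def signup_message(pw: str, user_identifiers: Iterable[str] = ()) -> str:
    """Turn the problem list into the text a signup form would show."""
    problems = password_problems(pw, user_identifiers)
    if not problems:
        return "Password accepted."
    return "Please choose a different password: it " + "; it ".join(problems) + "."


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "correct horse battery staple"]:
        print(f"{candidate!r}: {signup_message(candidate)}")
```

The check is deliberately a denylist plus a length floor rather than a "must contain a symbol" rule: composition rules push users toward exactly the "password1!" pattern the stripping step catches.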

In the same vein, last year RoboForm, another password manager company, commissioned a survey of 1,000 people in the US and UK about their password practices. Only 8% of respondents said they used a password manager. Compare that to the 23% who said they always use the same password.

Furthermore, I contacted the makers of the two most popular password managers, 1Password and LastPass. The 1Password team said they have unspecified millions of users, and LastPass’ spokesperson told me that they have eight million users. So let’s guesstimate, generously, that twenty million people use password managers. That would only be 6% of America’s 2014 population — and the world is a lot bigger than America. So there is plenty of room for improvement here. Especially since passwords are only the most obvious credential!

One of the most visible types of problems that people’s poor security habits cause is the account takeover. If you’ve ever worked support, you’ve probably had to deal with these. Mistakes that lead to these issues are not limited to the “normal people” I mentioned in the beginning.


Boundaries for Bots: Safer Slack Integrations

I gave this short talk on May 17th at Slack HQ for the SF Slack Developers’ Meetup. The video is on Ustream — my segment starts around 3:30. But if you’re not a video person, here’s the script I wrote beforehand, and you can check out the slides here.


Hi, my name is Sonya. I run a community Slack group called Cyberpunk Futurism. It’s pretty lively — last time I checked there were more than ninety members, about half of whom are active. We discuss technology, economics, the current and future dystopia… You know, whatever. Small talk.

Roughly ten members hang out almost every day. Depending on the size of your company, that might seem small, but Stewart Butterfield mentioned in 2015 that the average Slack team has eight or nine members. I don’t know if that’s mean or median average, but there you go.

As the admin, I’m the main person who installs integrations and bots. I usually go through Slack’s directory, and I’m often looking for something specific. For example, recently I wanted an integration that would do what Giphy does, but pull from static images. It doesn’t exist, by the way — hot tip for one of you, in case you want a totally non-monetizable idea. We also have a Github integration, the Twitter auto-expander, and so on.

Slack’s integration search.

I want to give my community cool tools to play with, and utilities that allow us to collaborate creatively. There’s a lot of stuff in between me and that goal. I have to look for the tool, go from Slack’s directory to the landing page, click install, select a team — there are a lot of steps, each of which is a potential drop-off point. Hopefully Slack will have a full-fledged app store at some point and installation won’t be such a pain.

Anyway, the members of my Slack community are a bunch of paranoid technophiles who value their privacy. I take that as seriously as Slack’s free settings will let me. A business that has confidential discussions in Slack will take it even more seriously, and they’re going to hesitate to assume any risk.

Most Slack integrations don’t come from comforting IT name brands like Microsoft or Apple. It’s some upstart little company. Trust me, I love upstart little companies, but I don’t have time to run a background check on all of you. Because you’re an unknown quantity, that represents risk. I don’t know exactly how your integration works, how it stores the data it collects, and I definitely haven’t read your EULA, so I’m likely to err on the side of caution.

Uncertainty introduces fear — sometimes the fear is irrational, and sometimes it makes sense. There are all kind of things that users “should” or “could” do, most of which they will totally ignore. People are busy and they have different priorities. Think of users as timid baby bunnies who are simultaneously running a company.

Adding a Slack integration.

Anyway, the screen that I pause on the longest is this one — the one where Slack tells me what kind of access the integration is asking for. Usually it’s asking for more information than seems reasonable. Most crucially, I don’t know why.

Remember to look at this from the user’s perspective. I am indifferent to your goals unless they align with my goals. I have nothing invested in your integration in particular. My cost-benefit analysis involves the safety of my community, and that counts for way more than your KPIs. It probably also counts for more than my desire for another unproven productivity enhancer.

All of this is a very long windup to say: tell me on your landing page why you’re going to need the amount of access you need. If you’re going to ask for access to all my channels and user data, you should explain why that’s necessary, and call out your privacy policy. Most likely I won’t actually read your privacy policy, but when you mention it, that soothes my lizard brain.

So those are the problems I face whenever I’m considering a new integration, and they pose problems for you too. Because you want me — or rather a manager at some company with tons of money to burn — as a user.

Of course, you should A/B test all of this. Maybe I’m totally wrong, or you’re selling to a weird market, and doing permission priming will repel your potential users. But at least think about trying it out. Maybe have a couple of different landing pages where you can funnel different types of users.


After installing an integration, I’m usually still not sure how to interact with it. Give me a rundown of the basic actions and how to adjust settings. Don’t surprise me by popping up in places where I haven’t been told to expect you. If you can do the onboarding directly through Slack, that’s perfect. Otherwise shoot me a welcome email with some instructions for beginners.

I would also encourage you to use slash commands instead of bot users as much as possible. They’re way more intuitive, and much faster for simple tasks. I know some use-cases don’t work with slash commands, but for the ones that do, those are better.

Before I give up the mic, I want to mention one more time that your attitude toward users should be empathetic as much as possible. I’ve worked support so I know users are annoying, but try to reduce your own frustration with their lack of domain knowledge and expertise. Make an effort to understand their incentives.

That’s all! Have fun building!


Nick Babich wrote a great article about permission priming called “The Right Ways to Ask Users for Permissions” that you should read next!

Small Local Retailers Struggling To Compete With National Brands (As Usual)

Have you noticed #brands in your feed, invited or not? Of course you have. Social media and email marketing are powerful channels for anyone selling a product to reach potential customers. The goal is to usher people toward the gaping maw of a sales funnel. Granted, at the moment ecommerce accounts for less than ten percent of retail sales, but the numbers are higher when it comes to apparel. A tenth may not seem like much, but the market-share is steadily growing.

Amazon logistics center in Madrid, Spain. Photo by Álvaro Ibáñez.

National or international brands have the resources and know-how to use digital sales channels with utmost savvy (notwithstanding marketers’ cringeworthy affinity for youth culture). Can smaller businesses keep up? It’s more difficult to coax a customer into your brick-and-mortar shop than it is to get them to click a link. Even when small businesses are based online, lacking economies of scale means that they can’t offer the tempting perks and discounts that big brands do. Keeping everything on sale, all the time, eats into your margins.

The proprietor of a now-closed outdoorsy retailer in Wisconsin, who prefers not to be identified by name or city, doesn’t see big brands “supporting the little guy”. In an email she explained, “Certain brands keep separate inventories for their retailers versus their online business […]. It is hard to explain to a customer that you can’t get an item, when they can go to the brand’s website and buy it direct. The brands generally offer free shipping and many times 15%-off coupon deals just for sharing their email.”

She observed, “Customers are being trained to only buy with a deal or incentive.” On the phone, this former store-owner described a man who went into a local sporting goods shop to examine the products while at the same time searching for the best deals on his smartphone. “He had absolutely no qualms about that,” she told me. Instead of buying from the store whose inventory he was touching and evaluating, he bought from Amazon or a similar retail aggregator, in order to save a couple of dollars.

Instagram post by REI.

From the customer’s point of view, shopping online for the best possible deal makes complete sense. Most won’t even bother to try out a local store’s physical goods first. Why wouldn’t you purchase the same thing cheaper without even having to leave your home? Everyone knows Amazon is a cutthroat company willing to crush competitors of all sizes, but that doesn’t stop people from shopping there, and it never will. If you can pay less to buy a parka online, and have it delivered to your doorstep, the alternative must be very attractive to entice you to do otherwise.

In 2013, technology analyst Ben Thompson wrote, “With the loss of friction,” meaning hassles and barriers to action, “there is necessarily the loss of everything built on friction, including value, privacy, and livelihoods. […] The Internet is pulling out the foundations of nearly every institution and social more that our society is built upon.”

Thompson continued, “Count me with those who believe the Internet is on par with the industrial revolution, the full impact of which stretched over centuries. And it wasn’t all good. Like today, the industrial revolution included a period of time that saw many lose their jobs and a massive surge in inequality. It also lifted millions of others out of sustenance farming.” It’s not all good, but it’s not all bad either. However, when you’re a family business-owner who is being “disrupted”, it’s almost entirely bad.

Traffic on Pyrmont Bridge in Sydney, Australia. Photo via Powerhouse Museum.

The analogy doesn’t work in every respect, but mostly this is the current state of affairs: Traditional retailers are horse-drawn carriages compared to steam-powered trains, or traditional taxis compared to Uber. Because of the internet, anyone can easily set up the infrastructure to sell directly to end users. Adjust your value proposition and differentiate or die, because the market doesn’t care about your ability to put food on the table.

This is the hard truth retailers have to confront: If you can’t compete on price or convenience you have to compete on quality, but it’s impossible to compete on quality when you’re selling the exact same product that people can easily buy online for less money. All you’re left with is the experience, the feelings you can evoke and the values you extol, urging customers to “shop local” and, as the anonymous Wisconsin store-owner said, “support the little guy”. She suggested staging events and collaborating with other local businesses, all boosting the community together. Her store used to host yoga classes run by a local instructor. Then Lululemon moved in down the street and also hosted yoga classes — free ones.

Castle in the Air is a truly gorgeous shop in Berkeley, California. Photo via Yelp user Michele C.

This is all very grim. Does the internet revolution mean that retailers based in physical stores should give up hope entirely? Of course not. It means that you have to be intentional about your business strategy, and understand the ways in which you can and cannot compete. It means you have to double down when it comes to reaching the customers who you can actually serve, to whom you can offer a benefit that is meaningful to them.

Understand that shopping in person instead of defaulting to the cheapest, highest-rated item on Amazon is now a luxury. Craft a rewarding experience, whether rustic or glossy, for the customers who show up in person.

Written in early June, 2015. Languished in my Google Drive until now.

