Listen: how to secure software by caring about humans, not security

Scout Brody is executive director of Simply Secure, a nonprofit that works to make security and privacy technologies usable by technologically unsophisticated people by focusing on usability and human factors.

In a short, smart interview with the O'Reilly Security Podcast (MP3), Brody talks about how a humanistic, human-centered mindset is essential to producing usable (and hence, effective) security. Critically, she also offers excellent advice on how to bring these human-centered practices into your product and service design.

I volunteer on Simply Secure's advisory board, and really believe in this work.

A powerful tool you can adopt when talking to users is cognitive walkthrough. In essence, you ask them to tell you what they're thinking as they're thinking it. So, if you're going to do a cognitive walkthrough for an encryption program, you might say, 'I'd like you to encrypt this email message. Please tell me what you're doing as you're doing it and all of the thoughts that occur to you.' You might hear someone say, 'Oh, wow, okay, so I'm going to encrypt. I don't really know what I'm doing. I'm going to start by pushing this button because that looks good. That's green. I'm going to push that.' You can really hear the thought process that people are going through.

If you're in a more formal user study context, it can be useful to get the user's consent to videotape—not necessarily the person, but the screen—and see what they're doing because then you can play it for your colleagues. This is one of the most convincing ways you can make a case that your tool has problems or your tool needs improvement. Thus, just by videotaping people trying to use a tool and showing the challenges they face, you can identify ways to improve the user experience.

Scout Brody on crafting usable and secure technologies