Talk about the balance between user experience and risk control

I've said before that many entrepreneurs are prone to mistakes: being overly idealistic and treating users as good people. I have mentioned a key word. It cannot be said that there must be many bad users. It may be that there are really only 1% bad users, but it is very likely that the destruction of one bad user can offset the creation of a hundred good users. This is a very common entrepreneurial dilemma, because a small oversight can lead to huge losses.

Therefore, some inexperienced entrepreneurs must be aware of this aspect, at least have the concept of risk control in mind, know how to avoid and prevent bad things, and not be too idealistic.

However, everything is too much, and there is another extreme among entrepreneurs and some large companies, that is, they are very sensitive to bad things. I am very worried. The awareness of risk control is very strong, which leads to many concerns about product design and a plummeting user experience. To put it simply, treat all users as bad guys to prevent them.

So, balance is key.

I've talked about this before in "Employees Who Push Too Much."

In fact, many large companies have encountered this problem. No matter what you want to do, lawyers and legal affairs will tell you that this is risky, that cannot be done, the policy is unclear, etc. They are the safest if you don’t do anything, so this is why many startups still have a chance to stand out. Those who are barefoot are not afraid of wearing shoes.

The historical biography of WeChat circulating on the Internet also mentions that Tencent has multiple internal platforms to build mobile chat tools. Among them, the WeChat team has the least resources and the smallest scale. However, because of concerns about the cooperative relationship with the telecommunications department, several core departments dare not touch voice chat, and even advised Zhang Xiaolong not to act rashly. As a result, Zhang Xiaolong was barefoot and not afraid of wearing shoes. As soon as he made it, WeChat became Tencent's new development engine in one fell swoop.

Sometimes I feel that I am inconsistent in what I write. You see, one moment I say that some entrepreneurs are hot-headed and dare to do anything without fully considering risks; the other moment I say that entrepreneurs should not worry too much about many things and should do their best. In fact, everything is a matter of degree.

I always say that the path to entrepreneurship is not just black and white, not just right and wrong. Many times we have to find a suitable scale. I am not very courageous, so this is where I was very unsuccessful in starting a business. I keep many standards very tight and dare not touch many things; but I also know some very courageous entrepreneurs, some of whom have already been in prison. If you insist on me drawing a line, I can’t do it, but what I want to remind entrepreneurs is that you need to know both sides.

You can be more courageous, but you need to know what risk control is, which high-voltage lines you cannot touch, and which areas are areas where bad users may cause huge harm; you can also be more timid, but you must know that if you refuse risks blindly, many good opportunities may be completely missed. Being brave doesn't mean that you don't know the risks. It doesn't mean that you can run forward with your eyes closed. That's not being brave, that's seeking death. You may be timid, but you can't limit yourself and pursue absolute safety. Even if you find a good job, it doesn't mean it's 100% safe and risk-free, let alone starting a business.

If we talk about policy risks and legal risks, this topic is a bit big, and it is easy to block words. Let me just say that early Internet entrepreneurs (including giants) had some problems with copyright. This is a fact and must be acknowledged. When the market environment is full of piracy, you will have no chance if you act according to the rules; but the market environment has been standardized, and if you don't stop, you are seeking death. Let's stop this topic.

Let’s talk about the user experience level and how to improve the product experience in the face of the risk of bad users.

A login experience that has become standard in many companies now is like this. As a case study, when you enter your account and password, the first time you enter it, you only need to enter the correct account number and password. But if you enter incorrectly two or three times in a row, a verification code will appear, which is difficult to recognize. If you enter incorrectly a few more times, your account will be locked and you will be prohibited from logging in for a period of time.

In terms of user experience, verification codes are very disgusting to users, but this thing does make sense because it has to deal with the risk of bad users. But there are actually many similar situations.

User expectations for convenience and simplicity are usually at odds with system risk control itself. There is no perfect solution, but there is a principle of balance.

A policy process similar to the verification code above is a typical principle of progressive risk control. When a user first logs in, the system defaults to a good user, but after an exception occurs, prevention measures begin to be added. As abnormal situations occur, the prevention measures are deepened until the account is locked. Of course, the user experience decreases as the risk factor increases.

Nowadays, most excellent Internet products have such a gradual strategy. Under low-risk conditions, the user's operating experience is optimized. However, as the risk level determined by the system increases, prevention strategies begin to be activated, and the operating experience begins to gradually decline. The assessment of this risk level is a technical challenge. You can not only reduce the operating experience for good users at will, but also effectively prevent the behavior of bad users.

In addition to the principle of gradualness, there are several key points that can be mentioned:

1. Tolerance

What is the tolerance level for bad users, bad behavior? You say, zero tolerance is easy to say, but in fact, zero tolerance is technically unachievable. Quite a few bad behaviors are often obtained based on data analysis and statistical rules. It’s embarrassing to say that the richer the bad behavior data is, the stronger the identification ability will be. However, the gradual development of recognition ability is often accompanied by the continuous process of successful bad behavior.

The basic principle of tolerance is that bad behavior cannot be large-scale, explosive, or widespread.

We often say that many frequent flyer systems have wool in them. In fact, there is also a problem of tolerance here. As long as you don't scale up and make money in a non-proliferative manner, people really don't care.

2. Friendliness of prevention strategies

When the level of risk identification increases and prevention strategies emerge, there is actually a very clear topic of friendliness here.

How to understand this is that when risk prevention strategies appear, these strategies may face a bad behavior, but they may also be a good user. As long as the system does not block this behavior, but provides a prevention strategy, then the person facing this strategy is likely to be a good user. At this time, you should try your best to give this user the feeling that you respect him and he is not a bad user.

What does it mean?

For example, if I entered my password incorrectly several times in a row, you can issue a verification code, but your copywriting should be gentle and do not directly address the user with rude or impolite text. Because I often change cities, many apps have risk control measures when logging in when I change cities. As a person with a technical background, I can understand the strategy behind it. But can the copywriter be kinder, for example, "I'm sorry to cause you trouble. Since the current address does not belong to your common login address, in order to protect your information from illegal theft, the system hopes that you will cooperate and enter the following verification code."

With a gentler and more cute expression, users may be able to understand it better. Now I find that many well-known Internet products are often simple and crude in this kind of place, and the prompts that appear are more like naked warnings, which seem to make users very unhappy. I guess the test may not take this seriously.

In fact, when risk control strategies appear in interactions, copywriting and interactive views are meaningless for bad behavior and bad users, but for good users, better copywriting is also a way to compensate for the decline in experience.

3. Risk control cannot be at the expense of harming normal business or reducing activity on a large scale

This is a very critical principle. It is inevitable that risk control will have an impact on business and user activity. However, if it harms normal business on a large scale or reduces user activity, it will not be worth the gain.

It cannot be said that I am responsible for risk control and I prioritize safety. If your business is ruined, who will you show your safety to?

An enterprise's risk control department and security department are ultimately responsible for protecting the business and for the healthy development of the business, which may cause some business losses in the short term. If it is really necessary, it is understandable, but if it is used to kill business and cause users to lose in the name of risk control, this is very bad.

In the past, Baidu Space was speechless about its strategy of blocking words. I have always been a loyal user of Baidu Space. I have been working in the product team of Baidu Space for more than half a year, but I found that it is getting more and more difficult to post long articles on Baidu Space because I don’t know where the blocked words violate the rules. The key point is that the articles I want to publish have no political metaphors or related content, and are all regular words. Every time I encounter them, I am particularly troubled, and there is no prompt for correction. I can only keep using the dichotomy method (cut off half of the text to see if it can be published successfully, and then half and half, and so on) to find keywords. The joy of finding blocked words is really hard to describe. Later, I really didn’t want to post anything on Baidu Space, and then Baidu Space disappeared.

I think this is a typical case where risk control leads to user loss. I think this is the laziest and least responsible solution for the risk control department.

Another typical case has been mentioned before. Microsoft's Vista system is the most failed version of Microsoft's Windows operating system. In fact, it is because security demands trump convenience, and it is not enough, which makes it unacceptable to users.

If all the good users are squeezed away, what is the value of your risk control?

As I said before, what are users’ demands for personal information security products? Is it to make themselves safer? No, it’s to make surfing the Internet more enjoyable. Because insecurity makes surfing the Internet uncomfortable, users need security products. If security products take over and make users unhappy while surfing the Internet, they will definitely be uninstalled.

So, these principles are easy to say, so why are there obstacles in their implementation?

First, seek blame for perfection. Leaders require zero tolerance for risks or 100% accountability for bad cases. Under such circumstances, the relevant executors naturally put risk control ahead of the business. Anyway, if the business does not do well, it has nothing to do with them. If there is a problem with the risk control, they will take the blame.

Second, there is a generation gap between departments. Each department only cares about its own authority and responsibilities. My department's KPI only considers system security. Why should I care about business growth? That is your problem.

Third, focus on one thing and ignore the other. If you find a problem here today, you will work hard to analyze the cause of the problem, find a solution, and come up with a patch; if you find a problem there tomorrow, you will work hard to analyze the cause of the problem, find a solution, and come up with a patch. It seems that they are all correct analysis methods, and every solution is correct. But in the end, after doing it, the problem was gone, and so were the users.

Why is this? When we solve the problem, do we consider the negative effects of this solution? The same is true for risk control. If we solve a system risk, will it lead to a decline in user experience? How big is the impact? One is not big, and the two are not big, but one is ebbing and the other is ebbing. Maybe the competitor's experience is similar to yours, but you work very hard to solve the problem. The more you solve the problem, the worse the user experience becomes. In the end, the harder you work, your users are lost faster than your competitors.

To summarize

We must have a concept of bad users and bad behaviors, and we must have a concept of risks, including system security risks, including the risks of profiteering, including policy and regulatory risks. You can be bold, but you cannot ignore these issues. It is necessary to know where the risks are and where the boundaries are.

On the premise of understanding these risks, it is necessary to clearly understand that company-wide risk control is used to ensure business development, not to curb business development. Risk control will lead to a decline in user experience, which is inevitable, but some principles to ensure user experience should be followed, such as the principle of gradualness and the principle of friendliness of prevention strategies. It is necessary to have an understanding of risk tolerance and seek a balance between user experience and risk control.

Every risk-solving solution must evaluate the harm to the user experience and seek the best balance. If the harm to the user experience is greater than the risk to the system, then this solution is not advisable.

Don’t ask for full blame, don’t let departments work in isolation, and don’t ignore other influences in order to solve the problem.

The above are topics that today’s entrepreneurs, as well as the innovation departments of large companies, need to seriously face.