We spend enormous amounts of time and money auditing code for security holes. Whole industries are built around it. But for all that effort, we rarely look at the part of the system that is actually clicking the buttons and interpreting the warnings. The person with Dorito dust on their fingers and a coffee ring permanently branded on their desk, someone just trying to get things done in a tool that may or may not be helping them make safe decisions. A surprising number of real-world security failures happen not because the code is flawed, but because the interface leaves too much room for dangerous misunderstandings.

Drawing on our work at Ura with security-critical and open source projects, this talk explores how the user experience itself can introduce or amplify security risks and why these issues often slip through traditional code-focused reviews. We will look at memorable examples of user-driven failures, outline common UX surfaces where security risks emerge, and show why auditing the human side of the system is just as critical as auditing the code.