Affordances refer to what forms of behaviour are made possible by the environment in which people act. Affordances can be elements within the environment, or options which are presented within it. Environments can be adjusted and altered to change the set of affordances that are available to people. This can include restrictive changes, such as introducing swipe access to certain areas of public buildings. There are also possibilities of enhancing people’s affordances, for instance in designing streets in such a way that cars, cyclists, and pedestrians can all safely take part in traffic, rather than only cars being accommodated. In human-computer interaction, this term has become more narrowly focused on the behaviours that the end-user perceives to be possible, not the wider set of behaviours that are possible even if the end-user is unaware of them.

Application within the field of cybersecurity

In cybersecurity, systems can be designed in such a way that potential harmful or unwanted actions are simply made impossible. Big tech companies use this to advance their commercial interests, such as YouTube deciding that users cannot see the number of downvotes on videos anymore, in a similar way to Facebook who have never created a dislike button for their platform. In support of cybersecurity, affordances are used to enforce stronger passwords. They do this by setting requirements of password length and complexity. Furthermore, cybersecurity can be improved using affordances by forcing employees in organisations to adopt two-factor authentication. As computer systems and the networks that they are connected with are designed by people, there is the option to adjust these systems and networks to enhance or limit the affordances of end-users. This can be done to improve productivity, but also to reduce unwanted behaviours, or limit the impact of certain cyberattacks.

Annotated bibliography

Norman (2013). Norman wrote a book on how design affects the way we interact with objects. He covers affordances, but also notes that many designers do not use affordances correctly, as they focus on what they would want the end-user to do, rather than all the options that end-users have at their disposal. This narrowed focus on what end-users should do is something different and Norman coins the term “signifiers” to denote this category of actions.

Lessig (2006). In his book Code 2.0, Lessig outlines how the Internet could be regulated, and one of the aspects is through the architecture of the internet, his approach to affordances. As the Internet is a designed system, we have the potential to control which affordances are available to end-users and Lessig argues that we can and should use this potential to improve the Internet.

van Steen (2022). In this paper, the architecture concepts of Lessig are applied to cybersecurity and contrasted with nudge theory solutions for cybersecurity. The paper covers some downsides of reducing affordances, such as an increased risk of shadow security, where people find ways outside of the system to get their work done, sometimes at the cost of security and monitoring by the organisation.


Lessig, L. (2006). Code v2.0. Basic Books, New York, NY.

Norman, D. (2013). The design of everyday things: Revised and expanded edition. Basic books     New York, NY.

van Steen, T. (2022). When Choice is (not) an Option: Nudging and Techno-Regulation     Approaches to Behavioural Cybersecurity. In: Schmorrow, D.D., Fidopiastis, C.M. (eds)     Augmented Cognition. HCII 2022. Lecture Notes in Computer Science, vol 13310.          Springer, Cham

Download this one-pager as a pdf-file:

Download slides about this topic that you can embed into your presentation / lecture: