I said before that many entrepreneurs are prone to make mistakes. They are overly idealistic and regard users as good people. I mentioned a keyword. I can't say that there must be a lot of bad users. Maybe there are only 1% of bad users, but it is very likely that the destruction of one bad user can offset the creation of 100 good users. This is a very common entrepreneurial dilemma, because very small negligence leads to great losses.

Therefore, some inexperienced entrepreneurs should have this awareness, at least have the concept of risk control in mind, know how to avoid and prevent bad things, and not be too idealistic.

However, there is another extreme for entrepreneurs and some large companies, that is, they are very sensitive to bad things. Very worried, the risk control awareness is very strong, which leads to a lot of worries in product design and a straight decline in user experience. To put it simply, we should guard against all users as bad people.

Therefore, balance is the key.

I also talked about it in The Employees Who Exert Too Much.

In fact, many large companies have encountered such problems. No matter what you want to do, lawyers and lawyers will tell you that this risk is very high, that cannot be done, and that policy is not clear. You don't do anything. They are the safest. That's why many startups have the opportunity to stand out. Barefoot people are not afraid to wear shoes.

The historical biography of WeChat spread on the Internet also mentioned that Tencent's internal platforms are used as mobile chat tools, among which the WeChat team is the smallest with the least resources. However, due to the scruples about the cooperation with the telecommunications department, several core departments dare not touch voice chat, and also advised Zhang Xiaolong not to act rashly. As a result, Zhang Xiaolong is not afraid of wearing shoes without shoes. After doing so, WeChat has become a new development engine of Tencent.

Sometimes I also think that when I write, it is inconsistent. You see, some entrepreneurs will say that they are hot headed and dare to do anything. It is wrong to consider risks inadequately; Later, he said that entrepreneurs should not worry too much about many things and should try to do as much as possible. In fact, everything is degree.

I always say that the path of entrepreneurship is not only black and white, not only right and wrong. Most of the time, we have to find a suitable scale. My courage is relatively small, so it is also the place where my business is very unsuccessful. I have tightened up many standards myself, and I dare not touch many things; But I also know some brave entrepreneurs, some of whom have gone through prison. I can't draw a line if you insist, but I want to remind entrepreneurs that you should know both sides.

You can be brave, but you should know what risk control is, which high-voltage lines you can't touch, and which areas bad users may cause great harm; You can also be timid, but you should know that if you reject risks blindly, many good opportunities may be completely missed. Be brave, but don't say you don't know any risks. It doesn't mean you can run with your eyes closed. It's not daring, it's death. You are timid, but you cannot be tied down. You must pursue absolute security. Even if you find a good job, it does not mean that 100% security is not risky, let alone entrepreneurship.

If we talk about policy risk and legal risk, this topic is a little big, and it is easy to shield words. Just to say one thing, early Internet entrepreneurs (including giants from all walks of life) have some problems in copyright, which is a fact and must be acknowledged. When the market environment is pirated, you have no chance to behave yourself; However, the market environment has been standardized. If you still don't stop, that's to say, death.

Next, we will talk about user experience, how to achieve a good product experience in the face of the risk of bad users.

Now many companies have become the standard configuration of a login experience. As a case sharing, when you enter an account and password, you only need to enter the correct account and password for the first time. However, if you enter an error two or three times in a row, a verification code will appear, which is hard to recognize. If you enter an error several more times, the account will be locked, and you will be prohibited from logging in for a period of time.

From the perspective of user experience, the verification code is very objectionable to users, but it is really meaningful because it is necessary to deal with the risk of bad users. But there are many similar situations.

Users expect convenience. Simplicity and system risk control are usually contradictory. There is no perfect solution, but there is a principle of balance.

The policy process similar to the above verification code is a typical principle. Progressive risk control. When users log in at the beginning, the system defaults to good users. However, after an exception occurs, preventive measures are added. With the exception, the prevention measures are deepened until the account is locked. Of course, the user experience decreases with the increase of the risk coefficient.

At present, most excellent Internet products have such a gradual strategy. Under low risk conditions, the user's operating experience is optimized. However, with the improvement of the risk level identified by the system, the prevention strategy starts to start, and the operating experience starts to decline. The assessment of this risk level is a technical challenge. You can not reduce the operating experience for good users at will, but also effectively prevent bad users' behavior.

In addition to the gradual principle, there are several key points that can be said:

1. Tolerance

What is the tolerance for bad users? It's easy to say that zero tolerance is technically impossible. Quite a lot of bad behaviors are obtained based on data analysis and statistical laws. To be ashamed, the richer the bad behavior data, the stronger the recognition ability. However, the gradual development of recognition ability is often accompanied by the process of continuous success of bad behavior.

The basic principle of tolerance is that bad behavior cannot be large-scale, explosive, or diffuse.

We often say that there is wool in many frequent flier systems. In fact, there is also a problem of tolerance. People really don't care if you try to make a profit without scale and proliferation.

2. Friendliness of preventive strategies

When the level of risk identification is improved and prevention strategies appear, there is also a very clear topic of friendliness.

How do you understand this? When risk prevention strategies appear, they may face a bad behavior, but they may also be a good user. As long as the system does not shield this behavior, but provides a prevention strategy, this strategy is likely to face a good user. At this time, you should try to give this user the impression that you respect him and he is not a bad user.

What do you mean?

For example, if my password has been entered incorrectly several times, you can issue a verification code, but your copy should be gentle. Do not directly give this user rude or impolite text. Because I often change cities, many apps have done risk control for city login. As a technical background, I can understand the strategy behind this. But could you please be kind, for example, "I'm sorry to cause you trouble. Since the current address does not belong to your common login address, the system hopes you can cooperate in entering the following verification code to protect your data from illegal theft".

With a little more gentle and cute expression, users may have a better understanding. Now I find that many well-known Internet products tend to be simple and crude in such places, and the prompts appear more like naked warnings, which seem to make users very unhappy. I guess the test may not take this seriously.

In fact, when the risk control strategy appears in the interaction, the copywriting and interaction view are meaningless for bad users, but for good users, your copywriting is also a compensation for the decline of experience.

3. Risk control cannot be conducted at the expense of large-scale damage to normal business or reduction of activity

This is a very critical principle. It is inevitable that risk control will have an impact on business and user activity. However, if large-scale damage to normal business or reduce user activity, it is not worth the loss.

I can't say that I am reasonable in my risk control, and my safety is my priority. Your business is dead. Who are you safe to show?

The risk control department and the security department of an enterprise are, in the final analysis, responsible for ensuring the business. For the healthy development of the business, they will cause some business losses in the short term. If it is really necessary, it can also be understood, but it would be very bad if risk control was used to kill the business and cause the loss of users.

Baidu Space used to be very speechless about the strategy of blocking words. I have always been a loyal user of Baidu Space. I said that I had been in the product team of Baidu Space for more than half a year, but I found it increasingly difficult to post long articles in Baidu Space, because I did not know where the blocking words violated the rules. The key is that the articles I want to publish are all formal words without any political metaphor or related content. They are particularly troubled every time I encounter them, and they have no hint of correction. I can only use dichotomy (cut half of the text to see if it can be published successfully, and then half of the latter half, and so on) to find the key words. It is really hard to find the sour and cool of the shielding words. Later, I really didn't want to send things in Baidu Space, and then Baidu Space was gone.

I think this is a typical case of loss of users caused by risk control. I think this is the solution that the risk control department is the most lazy and unwilling to take responsibility.

Another typical case has also mentioned before that Microsoft's Vista system is the most unsuccessful version of Microsoft's Windows operating system. In fact, it is because the security claim is superior to the convenience, which makes it unacceptable to users.

What is the value of your risk control after all the good users have been run away?

As I said before, what are users' demands for personal information security products to make themselves more secure? Wrong, it's for better surfing. Users need security products because they are not safe enough to surf the Internet. If the security products dominate and make users feel uncomfortable online, they will be uninstalled.

So, these principles are easy to say, but why are there obstacles in their implementation?

First, we need to blame for everything. Leaders require zero tolerance for risks or 100% accountability for bad cases. In this case, the relevant executives naturally put risk control ahead of business. Anyway, it is not their business to do well, and they have to bear the blame if the risk control goes wrong.

Second, department generation gap. Each department only cares about its own authority and responsibility. My department KPI only considers system security. Why should I care about business growth? That's your problem.

Third, considering one thing and losing another, I found a problem here today, so I tried to analyze the cause of the problem, find a solution, and issue a patch; If I find a problem there tomorrow, I will try to analyze the cause of the problem, find a solution and issue a patch; It seems that they are all the correct analysis methods, and each scheme is correct. But in the end, the problem is that there are no users.

Why? When solving problems, do we take into account the negative effects of this solution? The same is true of risk control. We have solved a system risk. Does it lead to a decline in user experience? How big is the impact? One has little impact, and the other two have little impact. However, the experience of competitors is similar to yours, but you work hard to solve the problem. The more you solve the problem, the worse the user experience will be. In the end, the harder you work, your users will lose faster than your competitors.

To sum up

We should have a concept of bad users, bad behavior, and risks, including system security risks, including risks of wool pulling, including policy and regulatory risks. You can be bold, but you can't ignore these problems. It is necessary to know where the risks are and where the boundaries are.

On the premise of understanding these risks, it should be clear that risk control within the company is used to ensure business development, not to curb business development. Risk control will lead to a decline in user experience, which is inevitable, but some principles to ensure user experience should be followed, such as the principle of gradual progress, such as the principle of friendly prevention strategies. We should have an understanding of risk tolerance and seek the balance between user experience and risk control.

Each risk solution should assess the damage to the user experience and seek the best balance. If the damage to the user experience is greater than the threat of the risk to the system, this solution is not desirable.

Do not demand full blame, do not divide departments, and do not ignore other influences in order to solve problems.

These are the topics that today's entrepreneurs and the innovation departments of large companies need to seriously face.