Trust and Recovery
Trust is built through predictability and tested through failure. Users trust systems that behave consistently and recover gracefully when things go wrong.
Evidence Tiers
[Research] — Peer-reviewed studies, controlled experiments [Expert] — Nielsen Norman Group, recognized UX authorities [Case Study] — Documented examples from major products [Convention] — Industry practice, limited formal validation Multiple tags = stronger evidence: [Research][Expert] Mixed findings noted as: [Research — Mixed]
Research Foundations
Peak-End Rule
[Research][Expert] Daniel Kahneman's research (Nobel Prize in Economics, 2002) established that people judge experiences based on:
- •The peak moment (most intense, positive or negative)
- •The end (how it concluded)
They do not average the entire experience.
UX implication: A single graceful recovery can redeem an otherwise frustrating experience. Don't let the last interaction be an error.
Source: Kahneman, D. (1999). Objective happiness. In Well-being: Foundations of hedonic psychology.
Loss Aversion
[Research][Expert] Kahneman & Tversky's Prospect Theory showed losses feel approximately 2x as painful as equivalent gains feel good.
UX implication: Users are highly motivated to avoid losing their work. Auto-save, undo, and data preservation are disproportionately important.
Source: Kahneman, D. & Tversky, A. (1979). Prospect Theory: An Analysis of Decision under Risk.
Undo vs. Confirmation Dialogs
[Expert] Nielsen Norman Group and multiple UX authorities recommend undo over confirmation dialogs in most cases.
Why Confirmation Often Fails
[Expert] From NNg and practitioner observation:
- •Users habitually click "OK" without reading
- •Frequent confirmations train users to ignore them
- •Confirmations interrupt flow
When to Use Each
| Approach | Use When | Evidence |
|---|---|---|
| Undo | Action is reversible | [Expert] NNg |
| Confirmation | Action is truly irreversible AND destructive | [Expert] NNg |
| Neither | Routine, low-risk actions | [Convention] |
[Case Study] Google Drive: No confirmation for moving files to trash (reversible). Confirmation required for emptying trash (irreversible).
Pattern: Undo Toast
[Convention]
[User clicks delete] [Item disappears immediately] [Toast: "Item deleted" [Undo] — auto-dismisses in 10s]
Caution: No controlled studies directly comparing undo vs. confirmation outcomes found. This is strong expert consensus, not validated research.
Source: Nielsen Norman - Confirmation Dialogs
Error Message Design
[Expert] Nielsen's Heuristic #9: "Help users recognize, diagnose, and recover from errors."
The Three Questions
Every error message should answer:
- •What happened? (Clear description)
- •Why? (Cause, if helpful)
- •What now? (Recovery path)
Useless:
Error 500: Internal Server Error
Actionable:
Couldn't save your changes — the server is temporarily unavailable. Your draft has been saved locally. [Try again] [Continue editing]
[Research] Cognitive Load Theory (Sweller) supports this: vague errors increase extraneous cognitive load.
Source: Nielsen Norman - Error Message Guidelines
Core Patterns
trust-1: Confirm Destructive, Not Routine
[Expert] Only interrupt for truly irreversible actions.
Over-confirming (trains users to ignore):
"Are you sure you want to save?" "Are you sure you want to go back?"
Appropriate confirmation:
"Delete 47 files permanently? This cannot be undone." [Cancel] [Delete]
trust-2: Preserve Data Aggressively
[Research] Loss aversion (Kahneman & Tversky) explains why losing work is disproportionately frustrating.
Trust-breaking:
[User writes long comment] [Accidentally navigates away] [Returns — comment gone]
Trust-building:
[User writes long comment] [Accidentally navigates away] [Returns — draft restored]
Auto-save drafts. Preserve form state. Cache locally.
trust-3: Degrade Gracefully
[Convention] Isolate failures. Don't let one problem cascade.
Brittle:
[One image fails to load] [Entire page shows error]
Graceful:
[One image fails to load] [Placeholder shown with retry option] [Rest of page works fine]
trust-4: Show System Status
[Expert] Nielsen's Heuristic #1: "Visibility of system status."
Opaque:
[User clicks Submit] [Nothing happens for 3 seconds] [Suddenly: "Submitted!"]
Transparent:
[User clicks Submit] [Button shows spinner: "Submitting..."] [Button changes: "✓ Submitted"]
Recovery Patterns
Pattern: Optimistic UI with Rollback
[Convention]
1. User takes action 2. UI updates immediately (optimistic) 3. Server request in background 4. If success: done 5. If failure: rollback UI + show error + offer retry
Pattern: Forgiving Input
[Expert] Postel's Law: "Be liberal in what you accept."
// Rigid Phone: [Must be exactly ###-###-####] // Forgiving Phone: [Accepts any format, normalizes internally] "5551234567" → displays as "(555) 123-4567"
Pattern: Graceful Timeout
[Convention]
[Operation takes too long] "This is taking longer than expected. You can keep waiting or try again." [Keep waiting] [Cancel and retry]
Don't make users guess if something is frozen.
Anti-Patterns
| Pattern | Why It Breaks Trust | Evidence |
|---|---|---|
| Silent failures | User doesn't know something went wrong | [Expert] NNg |
| Generic errors | No path to recovery | [Expert] NNg |
| Lost form data | Punishes user for system failure | [Research] Loss aversion |
| Inconsistent behavior | Can't build mental model | [Expert] Jakob's Law |
| Hidden data usage | Feels deceptive | [Convention] |
Key Sources
- •Kahneman, D. & Tversky, A. (1979). Prospect Theory.
- •Kahneman, D. (1999). Objective happiness (Peak-End Rule).
- •Sweller, J. (1988). Cognitive load during problem solving.
- •Nielsen Norman - Confirmation Dialogs
- •Nielsen Norman - Error Message Guidelines
- •A List Apart - Never Use a Warning When You Mean Undo