Effective cybersecurity relies on people at every level: from members of the public and employees using software, all the way to the professionals who use and interpret data to monitor and secure their infrastructure, and everyone in between.
It’s a complex field with a lot of data and technicalities. The simpler and easier it is to use, understand and implement, the more secure we all become.
Therefore, user-centric design (and UX research) is a key factor in ensuring that, once cyber threats, vulnerabilities and other risks are identified, they can be reported and managed as efficiently and effectively as possible.
The current state of play in cybersecurity products
Experience working on a cyber project for the UK government and in-house for a cyber company has given me a unique insider view of the challenges faced by those working on cyber products in product manager/director, CTO and CISO roles.
The easiest way for me to describe the current state of play in the cybersecurity industry is that it is akin to financial services before they realised that UX was really useful when it came to designing user-centric software interfaces.
Many cybersecurity tools currently in existence are very technical; they are built by technical people for technical people. They are complex, and that complexity is often not simplified effectively for stressful events, for ease of understanding a problem, or for audiences who are just starting out; nor do they make life easy for expert users.
They are built very much like administrative tools, by technical people who know the tool, its tricks and its design quirks inside out.
But to be ahead of the game, you need as many people as possible to understand - and act - to reduce the effectiveness of threats and exploits, to triage, manage and remediate them easily, and to be able to do this across anything from a single personal device to numerous networks.
The problem of data overwhelm
The biggest challenge IT/cybersecurity teams face is the sheer amount of information they have to interpret and analyse about a never-ending stream of threats and vulnerabilities, which often arrives in different formats and is viewed from different angles.
When running security checks, a user needs to be able to see and understand the information they get back and exactly what the software is checking for, virus- and vulnerability-wise (for example, how much traffic is actually going through their network).
Once an issue has been identified, the question then becomes how the relevant information is pulled out of the report and managed afterwards, which itself should ideally be digital and kept secure.
The importance of visual aids
When designing cybersecurity systems, you need to make it easy for users to make quick judgement calls and cut through the noise. Building in intelligent notifications and alerts that make it easy for users to understand the severity of an issue (day-to-day vs. critical) and what they should be focusing on is a top priority, particularly in large organisations.
Likewise, building in controls that advise what not to do, based on known information about how certain (malicious) threats behave, is also highly important.
A good example here is the “WannaCry” ransomware attack in 2017, which, because of the way it had been designed to work, meant the most appropriate response (blocking the domains it was talking to) was the opposite of what you’d normally do in this type of situation.
There is also the issue of known versus 'unknown' threats. Many threats are new or not yet understood; they might still be under research to learn what they do and how they exploit systems or people. You may only know the domain they are coming from, or other fragments of information, but you may still need to act on it, which adds to the stress of the situation. Often it's like a big game of chess in the dark: you could be up against a criminal gang or a state actor, and much is obscured.
Dashboards, information categorisation, preventative actions/reactions and, of course, remediation are all helpful visual aids and tools that can vastly improve user experience and product effectiveness.
Fundamentally, it is really important to help people prevent as much malicious activity as they can. So, how do we help them see through the noise, especially when some issues may not be easy to fix?
The value of UX in cybersecurity
Working with systems, you’ll already be familiar with the need to pen test your system and maybe even the exciting endeavours of black ops teams, who use hacking, physical entry to premises and social manipulation to test dimensional security. You'll be familiar with threats; you need to research and understand them, remediate them, and retest them to check that you fixed them, or, as a CISO, manage teams and review high-level dashboards and reports to help make difficult judgement calls that can cost a business dearly. All in an ever-changing landscape.
Employing user-centred design and UX to ensure a valuable and effective experience for users involves exactly the same actions: we research with users to understand their needs, which informs the solutions we design for their problems; we then design concepts and prototypes, test and fine-tune those, and finally commit to a design and implement it in code.
The only difference is that instead of security risks, UX and design look at value to users, and reduce the risk of building expensive, less effective and difficult-to-understand software that will cost you your competitive edge. Instead, we look to learn quickly, evaluate, iterate cost-effectively, and build value into your product early, understanding and honing in on what intrinsically adds value.
A car security analogy
In the automotive world, the threshold of effort required to steal a car is very high, something that has changed over time thanks to the effective use of technology, ease of use and education.
Whilst cybersecurity is perhaps a more complex beast, there is no reason why similar efforts couldn’t make it easier to secure yourself, quicker to resolve issues, and harder for cybercriminals to succeed or profit.
Cybersecurity and user-centred design, your new favourite tools in the fight, could achieve the same by making it easier for all kinds of users to do their jobs effectively.
Using UX to design better cybersecurity products
As with all digital product design, there are a number of UX considerations that should be accounted for. When it comes to cybersecurity, the areas that are especially critical are:
User research
Contextual understanding
Testing and iteration
Empathy
Context of use
Tools and activities
Strategy
1. User research across a broad, diverse set of users
With work like this, there tends to be more emphasis on conducting user research with cyber experts and on engaging with users where there’s likely to be a wide variety of skills and understanding (e.g. cyber experts versus generalists and everyone else).
Without UX research, there’s a big risk of the "curse of knowledge": being unable to remember what it was once like not to know. We can't assume that we understand all users' needs, challenges and mental models either. Making assumptions at this stage can leave unstable foundations for decisions going forward, for business, product and design alike.
You want your experience to be easy for users of all skill sets and levels to understand, and valuable at each step of the learning curve. Ideally, it will help move people up that curve, or even flatten it.
2. Contextual understanding
Due to the nature and environment of cybersecurity, it is important to understand the context in which users operate.
We need to consider factors such as organisational resources, varying tools, and differences in access to those depending on the size of the organisation. We need that understanding to design a user experience that accommodates those different situations, including the users’ roles, the information-sharing commitments within those roles, and their time constraints.
3. Testing and iteration
In complex and variable situations, it's really important to test design ideas and assumptions with users accurately and in a realistic way, using prototypes.
We’d also want to see whether the designed experience gave users the right signals for prioritising tasks and notifications to optimise focus and returns, so that it not only shows information but surfaces it intelligently at the right time.
4. Empathy and emotional considerations
Through talking with users, we can understand the stress associated with the technical field and the importance of empathising with users to help reduce the emotional impact of the problems they face, particularly in high-stress situations where time matters and decisions need to be made quickly.
Designers need to understand and consider the emotional aspects of users dealing with highly stressful situations. That might mean the ability to triage and drill down to track the stages of a threat or vulnerability through its lifetime, and determining the best way to surface that clearly to a user. It might also mean understanding the best ways to manage issues within a team and facilitating that in the design.
5. Context of use
In cybersecurity, the significance of understanding the context of use, including the scenario, locations and timeframes, is also more pronounced than usual.
We’d need to consider factors like remote work with a combination of on-site and off-site staff, perhaps a user at home trying to protect their personal equipment, or global organisations working across time zones, and the need for clarity in information such as what time something happened relative to a specific (other) time zone.
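The two design points above, surfacing severity so users know what to focus on (section "The importance of visual aids") and showing when something happened relative to the viewer's own time zone (this section), are the kind of thing a product team ends up encoding in a triage view. The following is an added example, not code from the post or from Fruto: it takes alerts from two hypothetical sources that use different field names, severity scales and timestamp formats (the sample records, the source names "edr" and "vuln-scanner", and the numeric-to-label severity mapping are all constructed for the example), normalises them into one schema with UTC timestamps, orders them so critical items come first, and renders each with both the viewer's local time and UTC so the reader never has to convert in their head.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input: two sources, two different formats.
# "edr" reports a numeric severity and an ISO-8601 timestamp with offset;
# "vuln-scanner" reports a word severity and a "YYYY-MM-DD HH:MM:SS +HHMM" string.
RAW_ALERTS = [
    '{"source": "edr", "sev": 3, "ts": "2024-03-04T09:12:00+00:00", '
    '"msg": "Unsigned binary executed on HR-LAPTOP-07"}',
    '{"source": "vuln-scanner", "severity": "Critical", '
    '"detected_at": "2024-03-04 02:40:00 -0500", '
    '"title": "Outdated SMB service on FILESRV-01"}',
    '{"source": "edr", "sev": 1, "ts": "2024-03-03T23:55:00+00:00", '
    '"msg": "Routine policy update applied"}',
]

# Common severity scale used for ordering; higher rank surfaces first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed mapping for the hypothetical EDR's 1..4 numeric scale.
EDR_SEV_TO_LABEL = {1: "low", 2: "medium", 3: "high", 4: "critical"}


@dataclass
class Alert:
    source: str
    severity: str          # one of SEVERITY_RANK's keys
    occurred_utc: datetime # always tz-aware, always UTC
    summary: str

    def tier(self) -> str:
        """Collapse the scale into the two buckets a busy user cares about."""
        return "act now" if SEVERITY_RANK[self.severity] >= 3 else "day-to-day"


def normalise(raw_line: str) -> Alert:
    """Parse one raw record from either source into the common Alert shape."""
    rec = json.loads(raw_line)
    if rec["source"] == "edr":
        when = datetime.fromisoformat(rec["ts"])
        sev = EDR_SEV_TO_LABEL[rec["sev"]]
        summary = rec["msg"]
    elif rec["source"] == "vuln-scanner":
        when = datetime.strptime(rec["detected_at"], "%Y-%m-%d %H:%M:%S %z")
        sev = rec["severity"].lower()
        summary = rec["title"]
    else:
        raise ValueError(f"unknown source {rec['source']!r}")
    if when.tzinfo is None:
        # A naive timestamp is ambiguous across time zones; refuse rather than guess.
        raise ValueError("timestamp has no time zone information")
    return Alert(rec["source"], sev, when.astimezone(timezone.utc), summary)


def triage(raw_lines) -> list:
    """Normalise everything, then order by severity (desc) and time (asc)."""
    alerts = [normalise(line) for line in raw_lines]
    alerts.sort(key=lambda a: (-SEVERITY_RANK[a.severity], a.occurred_utc))
    return alerts


def focus_list(alerts) -> list:
    """Only the items a user should be looking at right now."""
    return [a for a in alerts if a.tier() == "act now"]


def render(alert: Alert, viewer_offset_hours: int) -> str:
    """One line per alert: tier, severity, viewer-local time plus UTC, source, summary.
    A fixed UTC offset is used here so the example has no tz-database dependency;
    a real product would take a named zone such as Europe/London instead."""
    viewer_tz = timezone(timedelta(hours=viewer_offset_hours))
    local = alert.occurred_utc.astimezone(viewer_tz)
    return (f"[{alert.tier():10}] {alert.severity.upper():8} "
            f"{local:%Y-%m-%d %H:%M %Z} ({alert.occurred_utc:%H:%M} UTC) "
            f"{alert.source}: {alert.summary}")


if __name__ == "__main__":
    ordered = triage(RAW_ALERTS)
    for a in ordered:
        print(render(a, viewer_offset_hours=1))   # viewer one hour ahead of UTC
    print(f"{len(focus_list(ordered))} of {len(ordered)} alerts need attention now")
```

The two details worth noting are the refusal to accept a timestamp without a zone (a naive "02:40" from a scanner in New York silently read as UTC would put the event five hours off on a timeline) and the fact that the ordering key is computed from the normalised severity, not from each source's own scale, so a "3" from one tool and a "High" from another land in the same place in the list.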
6. Tools and activities
We’d use many of our usual UX tools because they scale well, but we also use specific tools for specific jobs, so there might be contextual enquiry techniques, diary studies, and ethnographic research observing users in their own environment.
We might turn research insights into tangible, shareable deliverables: persona mapping of the different roles involved, for example, and user journey maps to understand the touchpoints of those interactions over a journey.
In each case, the specific choice of activities and tools would be based on the project itself and any particular variables or constraints such as time, budget or technology.
7. Strategy
Strategy is paramount to solving problems and capitalising on opportunities in a long-term, repeatable way that gives you a lasting competitive advantage. It takes all of the learning coming out of projects and research and brings it together to keep your products moving in new and desired directions. UX strategy can fit into your organisation in two main ways to bring you lasting success.
The first is at a product level. Using the process to gather insight, opportunities and a first-hand understanding of users, as well as of the design's success so far, provides the understanding and confidence to make key product and design decisions based on evidence, in order to meet your goals.
The second is organisationally. There are still many organisations whose direction on what will make for lasting success is set by uninformed business goals or by technology, rather than by the people they build the products for, who ultimately decide whether what they have holds value. Once you have found that putting users at the centre of your thinking and learning pays off against your goals, you'll soon want to orient your business around the user. Understanding the user and asking the right questions is the gateway to finding out what is a valuable need or problem to solve.
UX and Fruto can help you achieve those goals through our years of expertise, our knowledge of in-house products, and our experience working with cybersecurity companies and the government.
Working with Fruto as your Cybersecurity UX partner
Here at Fruto, we specialise in making complex software and systems more human-centred, and thus more effective and valuable. We already work in complex industries such as the medical and healthcare sectors. This, along with our prior experience working on cybersecurity projects, including for the government, makes us a perfect partner.
Our processes are fundamentally focused on problem-solving and can be applied to any industry. However, we are aware of and understand many of the challenges the cyber industry faces. Our technical experience also helps us produce designs that take account of the complexities involved in development.
If you’re currently developing or updating a cybersecurity product, we’d love to help. Get in touch to speak to one of our expert team and find out more about working with us.