Human-Centered Security

by Voice+Code

Cybersecurity is complex. Its user experience doesn’t have to be. Heidi Trost interviews information security experts about how we can make it easier for people—and their organizations—to stay secure.

Copyright: 2020 Voice+Code

Episodes

What Designers Need to Know About Digital Identity and Access with David Mahdi

45m · Published 24 Apr 09:00

What do the terms digital identity and access mean for the user experience? David Mahdi, CIO at Transmit Security and digital identity and cybersecurity expert, breaks it all down in this episode.

We talk about:

  • Access-related terms you need to understand: Digital identity, authentication, and authorization.
  • Why so many security problems are, in fact, access problems.
  • User experience implications.
  • The future of digital identity and what it might mean for your product and your users.

David Mahdi is the CIO at Transmit Security, former Gartner research VP, and was previously CSO at Sectigo. An IAM leader and visionary, David is an expert in digital identity, cryptography, and cybersecurity.

Bake Security Into the DNA of Your Product and Improve the Security User Experience with Darren Thomas and Margaret Cunningham

41m · Published 03 Apr 09:00

We start the episode discussing a very serious topic: emojis. Then we get back to your regularly scheduled programming.

How would you approach security if you were building something from scratch? How would you address security user experience challenges? Darren Thomas and Margaret Cunningham from Wethos AI talk about how they’ve built security into their product and how cross-disciplinary collaboration helps them improve the security user experience.

In this episode, we talk about:

  • How to build security into your product development lifecycle when you need to move quickly.
  • How to anticipate—and design for—security and privacy concerns.
  • Why getting users to the product’s value faster relates to the security user experience.

Darren Thomas is the co-founder and Chief Product Officer at Wethos AI, a platform that helps people and teams connect and understand one another to improve both individual and team performance. Darren is also the founding team member and head of product at NumberOne AI. A veteran in product management within the security industry, Darren has previously worked at Tenable and McAfee.

Margaret Cunningham is an experimental psychologist and is Chief Scientist at Wethos AI. Previously, Margaret was Senior Staff Behavioral Engineer, Security & Privacy at Robinhood and Principal Research Scientist for Human Behavior at Forcepoint’s X-Lab. Check out Margaret’s first interview on the Human-Centered Security podcast (Episode 9).

What UX Designers Need to Know About Privacy with Michelle Finneran Dennedy

50m · Published 13 Mar 13:00

When your website says, “we value your privacy,” how do users interpret that statement? How do they experience “privacy” in your product? What messages are you conveying--perhaps unintentionally? Privacy expert Michelle Finneran Dennedy helps designers think about privacy in the context of the user experience.

In this episode, we talk about:

  • What does privacy mean?
  • How, as designers, we give the user ideas of what to expect around privacy—an opportunity to erode or foster trust.
  • The approach her team took at McAfee when it came to redesigning their privacy policy.
  • Starting with ethics—and revving that “ethical engine.”
  • Who should designers reach out to about privacy at their organization? What should they ask?

Michelle Finneran Dennedy is a privacy expert, the co-founder of Privacy Code, and was formerly Chief Privacy Officer at McAfee. She is the co-author of The Privacy Engineer’s Manifesto.

Learning and Iterating Are Key to Improving the Security User Experience with Kevin Goldman

45m · Published 07 Feb 10:00

Designing for the security user experience is challenging because if security controls are too complex or burdensome, users may bypass them, which compromises security. Additionally, the constant evolution of threats means that effective security controls must be continuously updated to stay ahead of threat actors. In other words, what may have been relatively effective yesterday might not be effective tomorrow. Exactly why the security user experience is so exciting!

Thankfully, Kevin Goldman shares my enthusiasm. Kevin is a design executive whose most recent focus has been in identity and access management. Kevin is the Chair of the UX Working Group at the FIDO Alliance, a nonprofit global industry organization that has developed the standards for passkeys.

During this episode, Kevin and I talk about:

  • How to get buy-in for a human-centered approach to the security user experience.
  • A key moment when Kevin and his team faced a UX challenge with passkeys that forced them to take a step back and re-evaluate their approach.
  • The surprising findings and resolution after they dug deeper to understand the problem.
  • How Kevin worked with his cross-disciplinary team members to identify tradeoffs in usability and security and how they worked through them.

Build a UX of AI Framework for Your Cross-Disciplinary Team with John Robertson

44m · Published 10 Jan 10:00

UX folks are great at asking questions about AI and that’s exactly what we do in this episode. But “questions” sounds boring so we gave the set of questions a fancy name: a UX of AI framework. UX researcher John Robertson describes the UX of AI framework he and his team helped build.

In this episode, we talk about:

  • The importance of a human-centered design approach to AI.
  • The need to slow down and consider safety, privacy, and ethics as part of implementing AI.
  • Looking beyond the data: each data point represents a human.
  • The need to build and maintain trust in the AI user experience.
  • Understanding how humans and AI can work as teammates and how that dynamic might play out.

John Robertson is a skilled UX researcher with a background in neuroscience and experience working at organizations such as American Airlines, IBM, and Visa. Currently he is a Senior Principal UX Researcher for a cybersecurity software company, implementing quantitative and qualitative methods to create human-centered security analyst experiences.

In the episode, we reference:

Analyzing Qualitative User Data at Enterprise Scale with AI: The GE Case Study by Jakob Nielsen

Do Users Write More Insecure Code With AI Assistants?

Build Security and UX Into Your Product Development Process with Ali Cuthbertson and Jason Telner

38m · Published 13 Dec 10:00

If there’s one thing both UX teams and security teams can empathize with each other on, it’s being involved too late in the development process. Ali Cuthbertson and Jason Telner realized that it wasn’t enough for teams to embrace the need for UX and security—they needed a method for integrating them into their agile development processes.

Throughout the interview, Ali and Jason will be referencing a project they worked on together to help develop and foster a consistent process for integrating UX and security into an agile development process for teams at IBM. As a result of their work, they developed a set of principles and best practices. They talk about:

  • How a set of principles can serve as a guide for teams.
  • Why integrating UX and security involved a cultural shift for teams in order to be successful.
  • Why support from leadership is instrumental for new processes to be effective.
  • Tips for leveraging mixed methods user research to look at problems from different angles.
  • How to measure the success of embedding UX and security into existing processes.

Ali and Jason presented some of their research and recommendations in a 2023 UXPA presentation called “How to balance strong user experiences with enhanced security within an agile framework? Lessons learned and best practices.”

Ali Cuthbertson is the Technical Vitality Development Manager and CIO Design Program Manager at IBM. Ali brings over 20 years of seasoned expertise navigating software and hardware engineering. She has become the Indiana Jones of life sciences, user experience, talent management, vitality optimization, security protocols, AI advancements, data analytics, scientific exploration, and cutting-edge cloud technologies.

Jason Telner, PhD, is a senior user researcher within IBM’s CIO design user research and data analytics team. Jason has over 15 years of experience working within the field of user research. In his current role at IBM, Jason’s focus has been on improving the user experience of employee support applications such as chatbots, web support, and voice interface support.

Designing for Cybersecurity Power Users with Tom Keenoy

33m · Published 29 Nov 10:00

Ever wonder what it’s like to design enterprise cybersecurity software? Tom Keenoy, a design leader for a cybersecurity company, explains why what you learned in design school may not apply when you’re building software for specialized power users (think: security analysts, IT administrators, devops).

  • How do you get up-to-speed when designing for complex domains like cybersecurity?
  • How do you adapt your design process for enterprise power users (spoiler: stripping away information isn’t always the right answer)?
  • How to prioritize when “everyone wants to build all the cool things.”
  • Why Tom thinks much of a designer’s job is “de-risking.”
  • The most important skills designers need to be successful in building enterprise security software.

Tom Keenoy is a design leader who loves building technical products for power users. At various points in his career he’s been a designer, an educator, an engineer, a product manager, and a startup founder. He’s currently leading a design team at a cybersecurity company and advising growth stage startups to help right-size their UX and product design programs.

Security Engineers Hate CAPTCHAs, Too with Jason Puglisi

40m · Published 17 Nov 10:00

Ever encountered a CAPTCHA and thought to yourself, “whoever decided to put this here must really hate people”? It turns out, the people who make the decisions to use CAPTCHAs hate them as much as you do. Jason Puglisi, an application security engineer, describes what teams like his think about when evaluating potential solutions to a security issue. (Spoiler: you’ll be pleased to know these considerations include how security solutions may affect the user experience).

  • The surprising similarities between UX and security teams.
  • What designers need to know about information security risks, as well as how designers can help security teams understand the UX tradeoffs they may be making.
  • What designers can do to more effectively collaborate with their cross-disciplinary teams, including the security engineering team.
  • What to consider when designing for users in higher-risk scenarios—users who have privileged access and are operating at scale (for example, if your end users are engineers, IT professionals, or security analysts).

Jason Puglisi is an application security engineer at a financial technology company. He performs ethical hacking to discover vulnerabilities, guide solutions, and inform organization-wide security measures. Human security is a particular passion of his, including security culture, awareness, and various aspects of social engineering.

Threat Modeling for UX Designers with Adam Shostack

40m · Published 09 Nov 11:00

In this episode, we talk about:

  • Questions you should be asking to uncover information security threats early on in the design process.
  • How to account for human behavior in a structured way as part of threat modeling (spoiler: this is not so different from what you are doing now).
  • How to collaborate with an interdisciplinary team as part of an iterative design process to improve the user experience of security.

Adam Shostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School of Information Security, Threat Modeling: Designing for Security and the forthcoming Threats: What Every Engineer Should Learn From Star Wars. Adam’s YouTube channel has entertaining videos that are also excellent resources for learning about threat modeling.

Designing Multi-Factor Authentication with Blair Shen and Bethany Sonefeld

38m · Published 19 Oct 13:02

In this episode we talk about:

  • How designing for security is different from (and the same as) designing for other types of experiences.
  • How to tackle aspects of the user experience that may be necessary but are perceived as annoying roadblocks.
  • How to anticipate where things might go wrong for the user.
  • How to effectively collaborate with technical teams.


Bethany Sonefeld is the founder of Create With Conscience, a space dedicated to educating and committing to building healthier technology. Create With Conscience was something Bethany developed out of interest in creating a healthier balance of technology in her own life. Bethany is a design manager at Duo Security and was previously at Cloudflare, RetailMeNot, and IBM.


Blair Shen is a product designer at Duo Security and was previously at Cloudflare and Harry&David. She is also a YouTube content creator, where she mentors and coaches aspiring UX designers.

Human-Centered Security has 36 episodes in total of non-explicit content. Total playtime is 22:58:57. The language of the podcast is English. This podcast was added on November 23rd 2022. It might contain more episodes than the ones shown here. It was last updated on May 7th, 2024 07:41.
