Co-design workshop
UX research
Client: SSS IT New Zealand
Year: 2020
Cybersecurity dashboards that interpret complex metrics for C-suite executives so that they can stay aware of the organisation’s security posture and make investment decisions.
Cybersecurity Dashboard
SSS IT is a cybersecurity service company based in New Zealand working with both central and local government clients, as well as private sector organisations in a wide range of industries.
They currently encounter a problem when introducing cybersecurity products to the C-suite, who are heavily responsible for preventing major cybersecurity incidents. However, the skills traditionally required for these kinds of leadership roles are often far removed from the technical skills required to properly understand cybersecurity metrics. Compounding the problem, C-suite executives have to make countless other decisions and often do not have sufficient time to read detailed cybersecurity reports. Therefore, solving the difficulty of communicating cybersecurity metrics from the C-suite’s point of view requires the involvement of UX design.
The technique for non-technical persons is a big challenge to success
The key to designing dashboards is to identify the metrics that suit the needs of each C-suite role and visualise them according to what these roles want to understand. The majority of C-suite executives are non-technical people with limited time. So how do we simplify and visualise the complexity of cybersecurity for them? That is the main challenge for the designer and the product owner. In addition, our limited technical knowledge of cybersecurity challenged us in a short project.
Due to confidentiality, we weren’t able to interview end-users, but the following research areas were allowed:
- The 3 main C-suite roles are CEO, CFO and CISO
- The 3 main industries to focus on are Healthcare, Government and Private
- The design needs to be based on an in-depth understanding of the behaviour and attitude of these roles in these industries towards cybersecurity, and from there identify the logical metrics accordingly
Understanding of project requirements

The first required deliverable was the personas. Because exploring the complexity of cybersecurity in a very short time was not realistic, the stakeholder wanted us to focus on the end-users first, which would not only frame our research areas but also create a common voice for their team to better understand their clients. Therefore, we began by researching the CEO, CFO and CISO roles: an overview of their demographics, needs, goals and motivations; their behaviour, attitude and pain points towards cybersecurity; and what they want to know about cybersecurity to protect their organisations from cyber attacks.
Additionally, having a deep understanding of the target users of SSS IT is fundamental in creating a tool to aid decision-makers in choosing cybersecurity products.
The personas were crafted based on our research and SSS IT’s understanding and experience; thus, one more round of evaluation was needed.
Initial research and Personas creation
We had a discussion with the stakeholder to evaluate the personas by leveraging his experience and understanding of his clients. According to him, one measure of the dashboard’s success is that it enhances the conversation among the roles. Therefore, we used an interesting, spontaneous UX method to evaluate the personas: a roleplay activity in which each of us played a particular role (CEO, CFO, CISO or vendor); I was the CFO. The stakeholder sat alongside the activity, observed us, and contributed more ideas or confirmed our understanding.
Spontaneous UX method
Cybersecurity was a tough and wide topic for us. After understanding the end-users, we needed to explore deeper aspects of cybersecurity within the given industries (Government, Healthcare and Private) that have a great impact on them, so that we would be able to define the solution for the final product. Hence, we had another interview with the SSS IT stakeholder after the roleplay session. This was an open interview: he explained his experience of working on and consulting about cybersecurity for his clients, and from that we were able to form our follow-up questions. Although the core knowledge of cybersecurity could not be imparted in a limited time due to its complexity, his knowledge helped us to frame 4 critical areas that needed a deeper dive in the following define and design stages.
One more round of interviewing a stakeholder

To gain better clarity on the information hierarchy and the users’ tasks, and to make sense of the user flow, the user story mapping technique was used:
- What could the users do, and which metrics could they see?
- How could the flows go?
- What are the potential features?
These mappings were conducted at a high level and required another round of evaluation and sorting to iron out the information and tasks at a much more detailed level, because the metrics and the logic of the flow behind cybersecurity remained our big challenge.
User story mapping
Considering the gap and the complexity of the concept, we suggested a co-design workshop. It allows users to become an active part of the design process and is a great tool for both the key stakeholders in the organisation and design team to collaboratively come up with innovative ideas. It also allowed us to bring the ideation and evaluation in the same place.
Our goals
- Get accurate user story mapping artefacts for the to-be dashboard
- Initial design direction and concept key pages for the to-be dashboard
Visualize the understanding of stakeholder throughout the co-design workshop


The co-design workshop allowed us to connect the dots of users’ needs and the logic behind the cybersecurity into the product structure as shown.
To be more precise about the product structure, we aimed to help users streamline the decision-making process for cybersecurity products through the following factors:
- The dashboards followed the same logic, from viewing the cybersecurity postures to measuring the consequences
- The designed product was able to analyse and simulate the improvement in cybersecurity after applying cybersecurity products
- The product is customised for each persona; however, shifting between role views was allowed to enhance the conversation and sync the topics during the conversation
Due to the time limitation, we scoped the design work to creating hi-fidelity wireframes with linear flows for each persona:
- CEO views risk heat map → severity assessment of risk 1 → simulation of products to change the posture of risk 1
- CFO views Revenue analysis → Financial consequence on revenue; Cash flow analysis → Financial impact on cash flow
- CISO views cybersecurity posture → Metric detail
Product structure
In this project, the personas were crafted based on our research and SSS IT’s experience; no interviews were allowed, even though the personas were the key to a successful product. The improvised roleplay activity helped us to overcome this difficulty. There is no fixed UX method; designers should leverage what they have on hand to reach their goals.
When we don’t have enough time to understand the complexity, we can take advantage of an expert and help him to simplify that complexity into understandable indicators.
This project consumed the most of my energy and time, but it was rewarding, with praise from the stakeholder: “You really exceeded all my expectations,” he mailed. We didn’t have a chance to move on to usability testing, but the fact is that our design facilitates and enhances his confidence in introducing the cybersecurity products to his clients.
Learning
The project goal is to leverage design thinking methodologies to ideate and design a tool for decision-makers tasked with choosing the cybersecurity products that would provide the best value-for-money augmentation of their organisation’s cybersecurity.
Project goals






Since the flows and the visualisation were defined after the workshop, we divided the team into 2 groups according to each team member’s strengths or interests to move on to the design stage. One other person and I were responsible for completing the metric details, connecting the dots between users’ needs and cybersecurity logic (we called this the furniture). The rest of the team built the UI and aesthetic factors (we called this the house).
Following the sketch solution from the workshop, we started building the low-fidelity wireframes. There were still some detailed metrics that needed to be clarified:
- To display the consequences with different ranking measurements
- To display the compliance according to the frameworks (CIS, ISO, PCI-DSS)
- To connect the control monitoring with product analysis
- To connect the Revenue analysis with product analysis
Two of us held 2 more rounds of meetings with the stakeholder to dig deeper into cybersecurity logic and complete the “furniture”, while the 2 others introduced him to the design concept and the style guide with the colour scheme, fonts and widgets.
Design and iteration
Due to the project constraints, we were not able to contact end-users for a usability testing session. However, the SSS IT Information Security Consultant, with his deep knowledge and experience, took the users’ point of view and helped us to assess the success of this product:
- The design conveys the complexity of cybersecurity in a way that is easier for non-IT audiences to understand
- It focuses on the point of view of each role and enhances the interactive conversation between different roles
- The flow is good: it starts from the industry and facilitates users in shifting across their roles
- The UI design is good and expresses the metrics clearly without being dry
Validation and what stakeholder said about our work
Duration 1.5 hours
The user story mapping was introduced to the stakeholder to discuss the tasks and flows. Based on the high-level user story mapping, the stakeholder was able to sort out more details and wire up the tasks to define the users’ flows according to the logic of cybersecurity.
- CEO views the risks by checking the risk heat map, which leads him to the impacts and vulnerabilities of each risk in detailed metrics such as financial loss, system outage and reputation loss
- CFO views the financial risks, which lead to the financial losses and to cybersecurity product suggestions with their measurement of financial improvement
- CISO views the technical details and can shift to the CEO and CFO dashboards
Workshop 2 - Design solutions
Duration 1.5 hours
The UI components and metric references from existing products were prepared for the design session, where we were able to drag and drop these components onto the dashboard while the stakeholder talked. In this way, we stimulated his imagination and our questions.
After the workshop, the dashboards were crafted with the metrics and users’ flows based on one logic, allowing users to view the cybersecurity postures and the resulting consequences. The dashboards are differentiated and customised according to each persona. The users’ flows are meant to facilitate the conversation among users about cybersecurity. Due to the time limitation, the sketch solution didn’t include all UI components or metrics, but the critical factors were noted carefully.