Human-Centered Security
Cybersecurity is complex. Its user experience doesn’t have to be. Heidi Trost interviews information security experts about how we can make it easier for people—and their organizations—to stay secure.
Threat Modeling for UX Designers with Adam Shostack

In this episode, we talk about:
Questions you should be asking to uncover information security threats early on in the design process. How to account for human behavior in a structured way as part of threat modeling (spoiler: this is not so different from what you are doing now). How to collaborate with an interdisciplinary team as part of an iterative design process to improve the user experience of security.
Adam Shostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School...
Designing Multi-Factor Authentication with Blair Shen and Bethany Sonefeld

In this episode we talk about:
How designing for security is different from (and the same as) designing for other types of experiences. How to tackle aspects of the user experience that may be necessary but are perceived as annoying roadblocks. How to anticipate where things might go wrong for the user. How to effectively collaborate with technical teams.
Bethany Sonefeld is the founder of Create With Conscience, a space dedicated to educating and committing to building healthier technology. Create With Conscience was something Bethany developed out of interest in creating a healthier balance...
Unintended Consequences: What Questions Should Designers Be Asking? With Bethany Sonefeld

In this episode, we talk about:
How do you tackle situations where business goals might be at odds with what’s ethical or what’s best for the human using the product? How can designers make a difference even if they don’t have a leadership role at their organization? How do you anticipate potentially unhealthy behaviors or unintended consequences? What are some actionable steps you can take today?
Bethany Sonefeld is the founder of Create With Conscience, a space dedicated to educating and committing to building healthier technology. Create With Conscience was something Bethany...
What Role Does the UX Team Play in Security? With Michael Snell

How do the UX, product, and technology teams effectively collaborate when it comes to security? How do we, as part of the UX team, take part in the security conversations and what role do we play?
In this episode, we talk about:
How Michael’s user research for dating apps helped him understand the unintended consequences of digital products on our behaviors. Why we need new frameworks for security and privacy in the digital world. How users’ perceptions and expectations for security and privacy are highly contextual and changing. How to break down the u...
Testing for Usability and Security with Jeremiah Still

In this episode, we talk about:
Where the fields of cognitive psychology, security, and user experience meet. Why Jeremiah and his team chose to investigate graphical authentication. How they cleverly incorporated testing both usability and security in their two-part study. The importance of research around learnability: is it easy for users to learn how to use your new authentication schema?
Read Jeremiah’s research: Usability Comparison of Over-the-Shoulder Attack Resistant Authentication Schemes.
Jeremiah is the Director of Human Factors, Ph.D. Track and Associate Professor of Psychology and the Sch...
Technical Users Care About UX, Too

In this episode, we talk about:
Why technical users expect a great user experience just like everyone else. How to find and incentivize participants who are extremely busy. How to support users in making a decision without telling them what to do. Deciding what data to show and how to show it.
Tanja Venborg Hansen is a seasoned user researcher who has worked in both the enterprise cybersecurity (Forcepoint) and aviation industries (Finnair). She earned a master of science degree focused on design and innovation from the Technical University of Denmark.
Responsible Innovation in the Technology Industry with Chloe Poynton

In this episode, we talk about:
What is responsible innovation and where can companies get started? How can companies take guiding principles, establish a framework, and operationalize that framework in a way that “informs decision-making in a meaningful way”? How are regulations impacting responsible innovation programs? What happens when an organization’s business model conflicts with responsible innovation principles?
Chloe Poynton is the co-founder and principal at Article One Advisors, a management consultancy with expertise in human rights, responsible innovation, and social impact.
Why Designers Need to Learn About Security with Jared Spool

In this episode, we talk about:
Why security UX requires “selective usability” and how that poses unique challenges for designers. Thinking about security in terms of safety systems: putting the burden on the system rather than on the user. How to work effectively with the security team. And Jared shares lots of examples.
Jared Spool is the founder of UX consultancy UIE and the co-founder of UX design school Center Centre. Interested in hearing more about what Jared has to say about the security of UX? Watch the talk: Insecure and Unintuitive: Why We Need to F...
Improve, Adapt, and Customize Cybersecurity Awareness Strategies and Metrics with Kate Brett Goldman

In this episode, we talk about:
What’s next for the cybersecurity awareness industry. How to leverage qualitative and quantitative metrics (with similar challenges and opportunities to measuring the user experience). How to go about understanding and changing your organization’s cybersecurity culture.
Kate Brett Goldman is the Founder and CEO of Cybermaniacs, an innovative cybersecurity awareness company. Prior to founding Cybermaniacs, Kate spent over 20 years developing solutions that encourage human and organizational change in enterprise IT.
Everything You Wanted to Know About Security But Were Too Afraid to Ask with Ira Winkler

In this episode we talk about:
Building a system in a way that, as Ira says, “a user cannot initiate a loss.” What designers need to know about prevention, detection, and reaction when it comes to security. What we can learn from safety science. How designers can get a seat at the table when it comes to human security engineering.
Ira Winkler is the founder of Secure Mentem and Chief Information Security Officer at Skyline Technology Solutions. He is the author of seven books on security, the latest of which is You Can Stop Stupid (discussed in this e...
IoT Devices: Establishing Trust through Transparency with Matt Wyckhouse

In this episode we talk about:
The security risks associated with IoT devices. Why IoT devices can be less secure than, for example, a mobile device. Supply chain security. How UX designers can more effectively communicate risk to their users.
Prior to founding Finite State, Matt spent 15 years leading the research and development of advanced solutions to some of the hardest problems in cyber security, with experience across the spectrum of offensive and defensive cyber operations. Notably, he was the technical founder and CTO of Battelle's Cyber Innovations business unit. Throughout his career, Matt...
How an Anthropologist Approaches a Security Breach with Patricia Ensworth

In this episode, we talk about:
How anthropology can help security teams uncover the “why” behind security breaches. Why it’s important for designers to familiarize themselves with information security risk management. What designers should know about quality assurance applied to security. How to fight for the time needed to build security into products.
Patricia Ensworth is a business anthropologist whose work focuses on the human factors affecting the development and maintenance of innovative products, services, and systems. As a technology project manager at leading global financial services firms (Merrill Lynch, Moody’s, UBS, Citigroup, Morgan Stanley...
Where do "people" fit in with process and technology? with Dr. Nikki Robinson

In this episode, we talk about:
Dr. Nikki Robinson is a Security Architect and holds a Doctorate of Science in CyberSecurity, as well as s...
Adapting the Human Factors Analysis and Classification System to Cybersecurity with Robin Bylenga

During this episode, we talk about:
How an insider threat at her own company led Robin into cybersecurity. Why looking at the human side of errors and using a framework like HFACS can help identify the root cause of the problem. How Robin’s research challenges the idea that “humans are the weakest link.” How HFACS can be applied to cybersecurity’s existing frameworks.
Robin Bylenga is a seasoned client-facing expert, having drawn her initial skills early in her career as a flight attendant. Prior to entering cybersecurity, she was the CEO and Founder of Pedal...
Avoid the Temptation to Start Cybersecurity Conversations with “You’re Doing It Wrong” with Ryan Cloutier

In this episode, we talk about:
How security experts can more effectively communicate with end users. The issue of delayed consequences in the digital realm and how that impacts how people behave. The role accountability plays in improving information security.
Ryan Cloutier is the principal security consultant for SecurityStudio. He is an experienced IT/cybersecurity professional with over 15 years of experience developing cybersecurity programs for Fortune 500 organizations. Ryan is a virtual Chief Information Security Officer for K12 districts across the country, is a Certified Information Systems Security Professional (CISSP), and is proficient in cloud security, dev-ops, and...
Cybersecurity Risk Management for UX Practitioners with Natalie Hill

In this episode we talk about:
Thinking about cybersecurity risk from a UX practitioner’s perspective. Balancing ease of use while not introducing unnecessary risk. Building personas and scenarios for bad actors so you can make conscious decisions about how controls might be circumvented. The importance of content strategy and collaborating with UX writers. Tips for conducting user research when it’s difficult to get access to end users.
Natalie Hill is a senior product designer with over 20 years of professional experience and a Master of Science in Information Studies. Her niche is enterprise UX. She loves find...
Expectation vs. Outcome: Accounting for Human Behavior with Dr. Alexander Stein

During this episode, we talk about:
Why looking for a silver bullet for cybersecurity is hopeless. Like any human issue, it is multi-dimensional and complex. Expectations versus outcomes: how we must take into account how “things will play out when you involve people.” “Changing how people think and behave is complicated, non-linear, painstaking, and does not conform to your expectations.” Despite this, understanding and accounting for people when it comes to cybersecurity is critically important. What organizations are missing and what organizations are doing well when it comes to accounting for people in cybersecurity.
Alexander Stein...
How Do You Get People to Care About Cybersecurity? with Laura Nespoli

Laura Nespoli is founder of Meshin Movement, a brand strategy consultancy. Laura has spent her career serving as a strategic problem-solver and brand storyteller across the sales and marketing spectrum in many facets--from agency to client-side, media to creative, market research to integrated marketing planning. Her professional focus is in helping brands and teams reveal business opportunity and advantage while her passion is rooted in inspiring ideas that serve the world for greater good.
During this episode we talk about:
Incorporating cybersecurity into the "fabric of your organization’s brand." How to create meaning and und...
We All Have Been the “Stupid User” at Some Point with Dr. Margaret Cunningham

Dr. Margaret Cunningham is an experimental psychologist and the Principal Research Scientist for Human Behavior at Forcepoint’s X-Lab. In this role, she serves as the behavioral science subject matter expert in an interdisciplinary security team driving the development of human-centric security solutions. Previously, she supported the Human Systems Integration branch of The Department of Homeland Security.
In this episode, we talk about:
Why saying “people are the weakest link” is not a productive mindset when it comes to cybersecurity. How we can thoughtfully create systems/designs that mitigate the risk of human limitati...
Using Analogies to Help People Understand Information Security with Brian Murphy

Brian Murphy, a security specialist at GreyCastle Security, is a technology, information security, and risk management professional. He assists with the development and implementation of cybersecurity solutions for a variety of industries. Brian has knowledge of PCI, SOX, GLBA compliance requirements, as well as ISO and NIST standards and regulations.
On this episode we talk about:
How we are constantly doing risk assessments in our everyday life. At least, we should be. How using analogies and stories help people connect with something new, like cybersecurity. Shifting the mindset to ensure the cybersecurity team's...
What can we learn from human factors programs in other industries? with Dr. Calvin Nobles

Dr. Nobles is a cybersecurity scientist and human factors practitioner with more than 25 years of experience. He retired from the U.S. Navy and currently works in the financial services industry. Dr. Nobles recently completed a Cybersecurity Policy Fellowship with the New America Think Tank in Washington, D.C.
In this episode we talk about:
What human factors is and what a human factors engineer does. Chronic fatigue and stress in the cybersecurity industry. What approaches the aviation industry has taken to address the likelihood of human error. What leaders at organizations can do to embrace...
Managing Risk Through Two-Way Communication with Alexandra Panaretos

Alex is the EY Americas Cybersecurity Lead for Secure Culture Activation. With a background in sports broadcasting and operational security, she is experienced in security communications and education, awareness program development, the psychology of social engineering, and behavior analytics. In her free time, she is a mother of three and she volunteers with law enforcement agencies and neighborhood organizations to educate community members, elder care organizations, children and parents on information security and social media safety.
During this episode, we’re focusing on what successful organizations are doing to manage risk. We talk about:
Why it’s di...
Improving the User Experience with Passwordless Security with Yan Grinshtein

Yan Grinshtein is an HCI and accessibility certified human-centered design leader, speaker, and mentor. Currently the head of design at HYPR, Yan has over 20 years of experience as a creative and design leader. He has worked on three different continents across four countries with companies ranging from Fortune 500 to startups, some of which have become multi-billion dollar companies today. You can follow Yan on Medium or LinkedIn.
In this episode, we talk about:
How to design better, more thoughtful solutions when users try to get around security. How conducting your own user research helps you question...
How to Design Great User Experiences in a Complicated Cybersecurity Ecosystem with Christian Rohrer

Christian Rohrer is Senior Director, User Experience at McAfee, returning to the company after a 5-year hiatus during which he was Founder and Principal at XD Strategy, a UX strategy consultancy, and former Vice President of Design, Research and Enterprise Services at Capital One. He has also led UX teams at Realtor.com, eBay, and Yahoo!. Christian holds a Bachelor's in Computer Science from UC Santa Cruz and a Ph.D. in Cognitive Science and Education from Stanford University.
Christian not only has a deep understanding of the complex cybersecurity ecosystem, he also appreciates the challenges in...
Using Self-Sovereign Identity as the Foundation for Secure, Trusted Digital Relationships with Kaliya Young

In this episode we talk about:
What Kaliya describes as a new “layer” to the Internet to support decentralized identity, much like how HTML or email supported what came next. The importance of open standards. How to build a “digital wallet” paradigm that makes sense to people. What SSI means for businesses/business models.
Kaliya is the co-author of “Comprehensive Guide to Self-Sovereign Identity,” and author of “Domains of Identity.” She is also one of the co-founders of the Internet Identity Workshop, which brings together people to help develop open standards for ways people can own and cont...
Reframing the Information Security Conversation for Business Owners with Jim Nelson

Jim Nelson, Senior Security Consultant for Innovative Solutions, has been working with organizations to help raise their security posture based on their risk for the last 17 years.
In this episode, we talk about:
How to reframe the security conversation so business owners understand that an investment in security is taking a proactive stance. Ultimately, you have to empathize with business owners. Why fear-based tactics may not be the best solution in getting people to care about security. Why it's so important to understand the business and its employees before establishing security controls. Expectations around security--customers just...
The Role of Storytelling in Cybersecurity Awareness Training with Gabriel Friedlander

Gabriel has been studying human behavior for a long time. His first company, ObserveIT, an insider threat management platform recently acquired by Proofpoint, dealt with monitoring and reporting on out-of-policy employee behavior. Today, as the founder of Wizer, a security awareness training platform, Gabriel is focused on ensuring, as he put it, “security awareness is a basic human skill.” In fact, not only is Wizer’s training user-friendly and in digestible chunks, most of it is free.
In this episode, we talk about:
Cybersecurity awareness training should start with stories, to connect with people and encourage them t...