Human-Centered Security
Cybersecurity is complex. Its user experience doesn’t have to be. Heidi Trost interviews information security experts about how we can make it easier for people—and their organizations—to stay secure.
Here Comes the Sludge with Kelly Shortridge and Josiah Dykstra
Users, threat actors, and the system design all influence—and are influenced by—one another. To design safer systems, we first need to understand the players who operate within those systems. Kelly Shortridge and Josiah Dykstra exemplify this human-centered approach in their work. In this episode we talk about:
The vital role of human factors in cyber-resilience—how Josiah and Kelly apply a behavioral-economics mindset every day to design safer, more adaptable systems.Key cognitive biases that undermine incident response (like action bias and opportunity costs) and simple heuristics to counter them.The “sludge” strategy: deliberately introducing friction to attacke...Human-Centered Security In the Wild: Jordan Girman and Mike Kosak On Security and Product Team Collaboration at Lastpass
Imagine a world where product teams collaborate with security teams. Where product designers can shadow their security peers. A place where security team members believe communication is one of the most important skillsets they have. These are key attributes of human-centered security—the type of dynamics Jordan Girman and Mike Kosak are fostering at Lastpass.
In this episode, we talk about:
What cross-disciplinary collaboration looks like at Lastpass (for example, a product designer is shadowing the security team).A set of principles for designing for usable security and privacy.Why intentional friction might be...Dear Security Vendors, Here’s What Security Teams Want You to Know with Paul Robinson
Where are security tools failing security teams? What are security teams looking for when they visit a security vendor marketing website? Paul Robinson, security expert and founder of Tempus Network, says, “Over-promising and under-delivering is a major factor in these tools. The tool can look great in a demo—proof of concepts are great, but often the security vendor is just putting their best foot forward. It's not really the reality of the situation.”
Paul’s advice for how can security vendors do better?
Start by admitting security isn’t just a switch you flip—it...From Tools to Teammates: (Dis)Trust in AI for Cybersecurity with Neele Roch
When we collaborate with people, we build trust over time. In many ways, this relationship building is similar to how we work with tools that leverage AI.
As usable security and privacy researcher Neele Roch found, “on the one hand, when you ask the [security] experts directly, they are very rational and they explain that AI is a tool. AI is based on algorithms and it's mathematical. And while that is true, when you ask them about how they're building trust or how they're granting autonomy and how that changes over time, they have thi...
Introducing Human-Centered Security: The Book
In this episode, Heidi gets a taste of her own medicine and is interviewed by co-host John Robertson about her newly-released book Human-Centered Security: How to Design Systems That Are Both Safe and Usable. We talk about:
Why Heidi’s experience as a UX researcher prompted her to write Human-Centered Security.Places in the user journey where security impacts users the most.Why cross-disciplinary collaboration is important—find your security UX allies (people in security, legal, privacy, engineering, product managers, to name a few).Practical security UX tips like secure by default, guiding the user along the safe path...Threat Actors Leverage Behavioral Science; Security Teams Should, Too with Matt Wallaert
The cybersecurity industry often fixates on “behavior change,” expecting users to take on unrealistic tasks instead of designing safer, smarter systems.
Matt Wallaert (founder of BeSci.io and author of Start at the End: How to Build Products that Create Change) explains behavioral science isn't about forcing behavior change. Instead, it's about understanding people so a thoughtfully-designed system can influence more secure outcomes.
Whether you’re a UX designer, a security engineer, or a CISO, you influence security behaviors. Here’s how you can move towards more secure outcomes:
Stay Ah...Tech & Law: The Power of Understanding Both With Justine Phillips
“Technical people need to better understand the laws and regulations and lawyers need to better understand the technology and processes in place. When that happens, when those worlds come together, that’s where you can meaningfully make things happen.” -Justine Phillips, Partner at Baker McKenzie
In this episode, we talk about:
Essential questions product teams should ask legal experts when integrating AI into new products and features.In particular, why it’s important for designers and engineers to question the source of the data they are using for AI-powered products and features.The need to...Complexity Undermines Security With Bill Bonney, Gary Hayslip, and Matt Stamper
What do CISOs have to say about the security tools their teams use?:
“When we introduce a level of complexity in the system, it undermines security. Every moment wasted trying to use a tool effectively benefits the adversary.” - Matt Stamper
In this episode, we talk to cybsecurity leaders Bill Bonney, Gary Hayslip, and Matt Stamper about:
Security Tools Don’t Get a Free Pass When It Comes to Human-Centered Design with Jaron Mink
In this episode, we talk about:
Security tools don’t get a free pass when it comes to involving end users as part of the design process. People studying and building ML-based security tools make a lot of assumptions. Instead of wasting time on assumptions, why not learn from security practitioners directly?Businesses (and academia) are investing a great deal in building ML-based security tools. But are those tools actually useful? Are they introducing problems you didn’t anticipate? And even if they are useful, how do you know security practitioners will adopt them?Why are adversarial machine learni...Leverage UX Research to Improve the Security User Experience with Serge Egelman
In this episode, we talk about:
The role misaligned incentives play in security behaviors.How Serge and his team approach security-focused UX research. Looking upstream at the security decisions made by software engineers and, in turn, the situations they are often placed in due to resource constraints and competing priorities at their organizations.Learning from other industries with highly-skilled professionals (shout-out to the humble check list!)Regulations and policy changes will likely place greater liability on the organizations shipping software.Serge Egelman is the Founder and Chief Scientist at AppCensus and Research Director at I...
Help Security Analysts Tell the Story Behind the Threats with Shante Perrin
Shante Perrin, a cybersecurity leader, and her team use cybersecurity software to not only to detect and respond to cybersecurity threats but also, as Shante describes, to help paint a picture for their customers:
“We like to build a timeline of events to build that picture, create that story so we can deliver it to the customer and explain why we felt it is suspicious. In other words, why are we bothering you about this?”
In this episode, we talk about:
Putting Human-Centered Security Into Practice with Julie Haney
In this episode, we talk about:
The need for human-centered security—in order for security measures to be effective, they must center around people, making usability as crucial as technology. We explore the gap between research and practice, highlighting the need to bring cybersecurity research into real-world application. Human-centered security research can’t possible be effective if no one knows about it or finds it challenging to implement.The importance of collaboration, advocating for more shared spaces where researchers and practitioners can come together to address pressing cybersecurity challenges.Julie Haney is a Computer Scientist and Human-Centered Securi...
So Much Data, So Little Time—Designing for Security Workflows with Tom Harrison
Security analysts respond to security detections and alerts. As part of this, they have to sift through a mountain of data and they have to do it fast. Not in hours, not in days. In minutes.
Tom Harrison, security operations manager at Secureworks, explains it perfectly, “We have a time crunch and it’s exacerbated by the other big issue security analysts have: we have an absolute ton of data that we have to sift through.”
In this episode:
Tom explains that security analysts are fo...
Threat Modeling Parts of the User Journey That Cost Your Business Money With Adam Shostack
“Even though usability and security tradeoffs will always be with us, we can get much smarter. Some of the techniques are really simple. For one, write everything down a user needs to do in order to use your app securely. Yeah, keep writing.”
In this episode, we talk about:
What is threat modeling and why should product teams and UX designers care about it? (Also check out Adam’s first episode on Human-Centered Security).Focus on parts of the user journey where you might gain or lose customers: what tradeoffs between usability and securi...No Room for Hype When Integrating AI Into Cybersecurity Products with John Robertson and Siddharth Hirwani
“UX design can enhance the overall performance, adoption, and impact in cybersecurity tools that leverage AI, making the tools more accessible to a broader range of users, including those who don’t have deep technical or security knowledge.”
In this episode, Siddharth Hirwani and John Robertson talk about:
Pressures and challenges security analysts face and how AI can help.Moving beyond AI hype and focusing on integrating AI in a way that genuinely addresses security analyst’s needs.How UX design can foster trust and adoption of AI tools, while still encouraging analysts to verif...What Do You Know About Alert Fatigue? An Interview with John Robertson
“People try to talk about the technical user experience at too high of a level. You talk about alert fatigue and you kind of understand what alert fatigue is just by the name. Yeah, there’s a lot of alerts. But watching it in action is different.”
In this episode, Heidi interviews John about what he’s learned about designing for security analysts. We talk about:
The importance of understanding user workflows. “Alert fatigue” is just a saying until you actually observe it in action.While trust is hard to measure, it’s critical for i...How to Build Trust Through the User Experience with Carlie Hundt and Devon Hirth
Carlie Hundt and Devon Hirth believe a UX designer’s role is to “lift up the voices of the people trying to access and use government services.” Trust is really important. How do we build trust through the user experience, particularly when you are asking for personal information?
In this episode, we talk about:
Leveraging storytelling to “share with our government partners the real experience of real people who are trying ot access government services.”Why you need to anticipate where users might question, “Why are you asking for this? What are you going to do...Understand the Holistic Experience to Improve Cybersecurity Products with Lindsey Wallace
When thinking about building products for security teams, we often emphasize the technical side: reduced false positives, new detection techniques, and automation. But what about asking things like: how do security teams work together? What excites a security analyst about their job? How can we help them do more of that? What does the experience look like across a suite of cybersecurity products? To improve the user experience for security teams—and improve security outcomes—you have to think holistically.
In this episode, we talk about:
How a centralized UX research team fosters meta...Include Users with Disabilities in Your Security UX Research with Joyce Oshita
Are you inadvertently designing a security user experience that makes it less likely your users will choose the most secure option for them? Are security-related roadblocks preventing people from using your service? In order to design inclusive experiences—including accessible experiences—you must include users with disabilities in your research.
In this episode, we talk about:
Including users with disabilities as a co-creation exercise—not something you “check off” as part of your UX research.Why flexibility is so important when it comes to the security user experience.The importance of storytelling to help teams...Leveraging Data Science to Help Security Teams with Serge-Olivier Paquette
How do you help security teams understand what happened and what to do next? Data science can help with that. Serge-Olivier Paquette, CPO at threat intelligence and analytics platform Flare, combines product, cybersecurity, and data science expertise to develop cutting-edge products and experiences that help security teams make informed decisions.
In this episode:
The best explanation of data science you’ve ever heard.Why you need to skeptical of data science models.How to leverage data science to be more helpful to security teams.How to build trust—particularly when tools can increasing perform actions on beha...What Designers Need to Know About Digital Identity and Access with David Mahdi
What do the terms digital identity and access mean for the user experience? David Mahdi, CIO at Transmit Security and digital identity and cybersecurity expert, breaks it all down in this episode.
We talk about:
Access-related terms you need to understand: Digital identity, authentication, and authorization.Why so many security problems are, in fact, access problems.User experience implications.The future of digital identity and what it might mean for your product and your users.David Mahdi is the CIO at Transmit Security, former Gartner research VP, and was previously CSO at Sectigo. An IAM...
Bake Security Into the DNA of Your Product and Improve the Security User Experience with Darren Thomas and Margaret Cunningham
We start the episode discussing a very serious topic: emojis. Then we get back to your regularly scheduled programming.
How would you approach security if you were building something from scratch? How would you address security user experience challenges? Darren Thomas and Margaret Cunningham from Wethos AI talk about how they’ve built security into their product and how cross-disciplinary collaboration helps them improve the security user experience.
In this episode, we talk about:
How to build security into your product development lifecycle when you need move quickly.Ho...What UX Designers Need to Know About Privacy with Michelle Finneran Dennedy
When your website says, “we value your privacy,” how do users interpret that statement? How do they experience “privacy” in your product? What messages are you conveying--perhaps unintentionally? Privacy expert Michelle Finneran Dennedy helps designers think about privacy in the context of the user experience.
In this episode, we talk about:
What does privacy mean?How, as designers, we give the user ideas of what to expect around privacy—an opportunity to erode or foster trust.The approach her team took at McAfee when it came to redesigning their privacy policy.Starting with ethics—and...Learning and Iterating Are Key to Improving the Security User Experience with Kevin Goldman
Designing for the security user experience is challenging because if security controls are too complex or burdensome, users may bypass them, which compromises security. Additionally, the constant evolution of threats means that effective security controls must be continuously updated to stay ahead of threat actors. In other words, what may have been relatively effective yesterday might not be effective tomorrow. Exactly why the security user experience is so exciting!
Thankfully, Kevin Goldman shares my enthusiasm. Kevin is a design executive whose most recent focus has been in identity and access management. Kevin is the...
Build a UX of AI Framework for Your Cross-Disciplinary Team with John Robertson
UX folks are great at asking questions about AI and that’s exactly what we do in this episode. But “questions” sounds boring so we gave the set of questions a fancy name: a UX of AI framework. UX researcher John Robertson describes the UX of AI framework he and his team helped build.
In this episode, we talk about:
The importance of a human-centered design approach to AI.The need to slow down and consider safety, privacy, and ethics as part of implementing AI.Looking beyond the data: each data point represents a huma...Build Security and UX Into Your Product Development Process with Ali Cuthbertson and Jason Telner
If there’s one thing both UX teams and security teams can empathize with each other on is being involved too late in the development process. Ali Cuthbertson and Jason Telner realized that it wasn’t enough for teams to embrace the need for UX and security—they needed a method for integrating them into their agile development processes.
Throughout the interview, Ali and Jason will be referencing a project they worked on together to help develop and foster a consistent process for integrating UX and security into an agile development process for teams at IBM...
Designing for Cybersecurity Power Users with Tom Keenoy
Ever wonder what it’s like to design enterprise cybersecurity software? Tom Keenoy, a design leader for a cybersecurity company, explains why what you learned in design school may not apply when you’re building software for specialized power users (think: security analysts, IT administrators, devops).
How do you get up-to-speed when designing for complex domains like cybersecurity?How do you adapt your design process for enterprise power users (spoiler: stripping away information isn’t always the right answer)?How to prioritize when “everyone wants to build all the cool things.”Why Tom thinks much of a designer’s job is “de...Security Engineers Hate CAPTCHAs, Too with Jason Puglisi
Ever encountered a CAPTCHA and thought to yourself, “whoever decided to put this here must really hate people”? It turns out, the people who make the decisions to use CAPTCHAs hate them as much as you do. Jason Puglisi, an application security engineer, describes what teams like his think about when evaluating potential solutions to a security issue. (Spoiler: you’ll be pleased to know these considerations include how security solutions may affect the user experience).
The surprising similarities between UX and security teams.What designers need to know about information security risks, as well as how designers can he...Threat Modeling for UX Designers with Adam Shostack
In this episode, we talk about:
Questions you should be asking to uncover information security threats early on in the design process.How to account for human behavior in a structured way as part of threat modeling (spoiler: this is not so different from what you are doing now).How to collaborate with an interdisciplinary team as part of an iterative design process to improve the user experience of security.Adam Shostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School...
Designing Multi-Factor Authentication with Blair Shen and Bethany Sonefeld
In this episode we talk about:
How designing for security is different from (and the same as) designing for other types of experiences.How to tackle aspects of the user experience that may be necessary but are perceived as annoying roadblocks.How to anticipate where things might go wrong for the user.How to effectively collaborate with technical teams.Bethany Sonefeld is the founder of Create With Conscience, a space dedicated to educating and committing to building healthier technology. Create With Conscience was something Bethany developed out of interest in creating a healthier balance...
Unintended Consequences: What Questions Should Designers Be Asking? With Bethany Sonefeld
In this episode, we talk about:
How do you tackle situations where business goals might be at odds with what’s ethical or what’s best for the human using the product?How can designers make a difference even if they don’t have a leadership role at their organization?How do you anticipate potentially unhealthy behaviors or unintended consequences? What are some actionable steps you can take today?Bethany Sonefeld is the founder of Create With Conscience, a space dedicated to educating and committing to building healthier technology. Create With Conscience was something Bethany...
What Role Does the UX Team Play in Security? With Michael Snell
How do the UX, product, and technology teams effectively collaborate when it comes to security? How do we, as part of the UX team, take part in the security conversations and what role do we play?
In this episode, we talk about:
How Michael’s user research for dating apps helped him understand the unintended consequences of digital products on our behaviors.Why we need new frameworks for security and privacy in the digital world.How users’ perceptions and expectations for security and privacy are highly contextual and changing. How to break down the u...Testing for Usability and Security with Jeremiah Still
In this episode, we talk about:
Where the fields of cognitive psychology, security, and user experience meet.Why Jeremiah and his team chose to investigate graphical authentication.How they cleverly incorporated testing both usability and security in their two-part study.The importance of research around learnability: is it easy for users to learn how to use your new authentication schema?Read Jeremiah’s research: Usability Comparison of Over-the-Shoulder Attack Resistant Authentication Schemes.
Jeremiah is the Director of Human Factors, Ph.D. Track and Associate Professor of Psychology and the Sch...
Technical Users Care About UX, Too
In this episode, we talk about:
Why technical users expect a great user experience just like everyone else.How to find and incentivize participants who are extremely busy.How to support users in making a decision without telling them what to do.Deciding what data to show and how to show it.Tanja Venborg Hansen is a seasoned user researcher who has worked in both the enterprise cybersecurity (Forcepoint) and aviation industries (Finnair). She earned a master of science degree focused on design and innovation from the Technical University of Denmark.
Responsible Innovation in the Technology Industry with Chloe Poynton
In this episode, we talk about:
What is responsible innovation and where can companies get started?How can companies take guiding principles, establish a framework, and operationalize that framework in a way that “informs decision-making in a meaningful way”?How are regulations impacting responsible innovation programs?What happens when an organization’s business model conflicts with responsible innovation principles?Chloe Poynton is the co-founder and principal at Article One Advisors, a management consultancy with expertise in human rights, responsible innovation, and social impact.
Why Designers Need to Learn About Security with Jared Spool
In this episode, we talk about:
Why security UX requires “selective usability” and how that poses unique challenges for designers.Thinking about security in terms of safety systems: putting the burden on the system rather than on the user.How to work effectively with the security team.And Jared shares lots of examples.
Jared Spool is the founder of UX consultancy UIE and the co-founder of UX design school Center Centre. Interested in hearing more about what Jared has to say about the security of UX? Watch the talk: Insecure and Unintuitive: Why We Need to F...
Improve, Adapt, and Customize Cybersecurity Awareness Strategies and Metrics with Kate Brett Goldman
In this episode, we talk about:
What’s next for the cybersecurity awareness industry.How to leverage qualitative and quantitative metrics (with similar challenges and opportunities to measuring the user experience).How to go about understanding and changing your organization’s cybersecurity culture.
Kate Brett Goldman is the Founder and CEO of Cybermaniacs, an innovative cybersecurity awareness company. Prior to founding Cybermaniacs, Kate spent over 20 years developing solutions that encourage human and organizational change in enterprise IT.
Everything You Wanted to Know About Security But Were Too Afraid to Ask with Ira Winkler
In this episode we talk about:
Building a system in a way that, as Ira says, “a user cannot initiate a loss”What designers need to know about prevention, detection, and reaction when it comes to security What we can learn from safety science How designers can get a seat at the table when it comes to human security engineeringIra Winkler is the founder of Secure Mentem and Chief Information Security Officer at Skyline Technology Soutions. He is the author of seven books on security, the latest of which is You Can Stop Stupid (discussed in this e...
IoT Devices: Establishing Trust through Transparency with Matt Wyckhouse
In this episode we talk about:
The security risks associated with IoT devices.Why IoT devices can be less secure than, for example, a mobile device.Supply chain security.How UX designers can more effectively communicate risk to their users.Prior to founding Finite State, Matt spent 15 years leading the research and development of advanced solutions to some of the hardest problems in cyber security, with experience across the spectrum of offensive and defensive cyber operations. Notably, he was the technical founder and CTO of Battelle's Cyber Innovations business unit. Throughout his career, Matt...
How an Anthropologist Approaches a Security Breach with Patricia Ensworth
In this episode, we talk about:
How anthropology can help security teams uncover the “why” behind security breaches.Why it’s important for designers to familiarize themselves with information security risk management. What designers should know about quality assurance applied to security.How to fight for the time needed to build security into products.
Patricia Ensworth is a business anthropologist whose work focuses on the human factors affecting the development and maintenance of innovative products, services, and systems. As a technology project manager at leading global financial services firms (Merrill Lynch, Moody’s UBS, Citigroup, Morgan Stanley...
