Human-Centered Security

Imagine a world where product teams collaborate with security teams. Where product designers can shadow their security peers. A place where security team members believe communication is one of the most important skillsets they have. These are key attributes of human-centered security—the type of dynamics Jordan Girman and Mike Kosak are fostering at Lastpass. In this episode, we talk about: * What cross-disciplinary collaboration looks like at Lastpass (for example, a product designer is shadowing the security team). * A set of principles for designing for usable security and privacy. * Why intentional friction might be counterintuitive to designers but, used carefully, is critical to designing for security. * When it comes to improving security outcomes, the words you use matter. Mike explains how the Lastpass Threat Intelligence team thinks about communicating what they learn to a variety of audiences. * How to build a threat intelligence program within your organization--even if you have limited resources. Jordan Girman is the VP of User Experience at Lastpass [https://www.lastpass.com]. Mike Kosak is the Senior Principal Intelligence Analyst at Lastpass. Mike references a series of articles he wrote, including “Setting Up a Threat Intelligence Program From Scratch.” [https://blog.lastpass.com/posts/setting-up-a-threat-intelligence-program-from-scratch-in-plain-language]

Where are security tools failing security teams? What are security teams looking for when they visit a security vendor marketing website? Paul Robinson, security expert and founder of Tempus Network, says, “Over-promising and under-delivering is a major factor in these tools. The tool can look great in a demo—proof of concepts are great, but often the security vendor is just putting their best foot forward. It's not really the reality of the situation.” Paul’s advice for how can security vendors do better?  * Start by admitting security isn’t just a switch you flip—it’s a journey.  * Security teams aren’t fooled by glitz and glamour on your marketing website. They want to see how you addressed real problems. * Incredible customer service can make a small, scrappy cybersecurity product stand out from larger, slower-moving vendors. * Cybersecurity vendors need to get onboarding right (it’s a make or break aspect of the user experience). There are more variables than you think—not only technology but also getting buy-in from employees, leadership, and other stakeholders. * Think about the user experience not only of the person using the security product, but the people at the organization who will be impacted by the product. Looking for a cybersecurity-related movie that is just a tad too plausible? Paul recommends Leave the World Behind on Netflix.

When we collaborate with people, we build trust over time. In many ways, this relationship building is similar to how we work with tools that leverage AI.  As usable security and privacy researcher Neele Roch found, “on the one hand, when you ask the [security] experts directly, they are very rational and they explain that AI is a tool. AI is based on algorithms and it's mathematical. And while that is true, when you ask them about how they're building trust or how they're granting autonomy and how that changes over time, they have this really strong anthropomorphization of AI. They describe the trust building relationship as if it were, for example, a new employee.”  Neele is a doctoral student at the Professorship for Security, Privacy and Society at ETH Zurich. Neele (and co-authors Hannah Sievers, Lorin Schöni, and Verena Zimmermann) recently published a paper, “Navigating Autonomy: Unveiling Security Experts’ Perspective on Augmented Intelligence and Cybersecurity,” presented at the 2024 Symposium on Usable Privacy and Security.  [https://www.usenix.org/conference/soups2024/presentation/roch] In this episode, we talk to Neele about: * How security experts’ risk–benefit assessments drive the level of AI autonomy they’re comfortable with. * How experts initially view AI: the tension between AI-as-tool vs. AI-as-“teammate.” * The importance of recalibrating trust after AI errors—and how good system design can help users recover from errors without losing their trust in it. * Ensuring AI-driven cybersecurity tools provide just the right amount of transparency and control. * Why enabling security practitioners to identify, correct, and learn from AI errors is critical for sustained engagement. Roch, Neele, Hannah Sievers, Lorin Schöni, and Verena Zimmermann. "Navigating Autonomy: Unveiling Security Experts' Perspectives on Augmented Intelligence in Cybersecurity." In Twentieth Symposium on Usable Privacy and Security (SOUPS 2024), pp. 41-60. 2024.

In this episode, Heidi gets a taste of her own medicine and is interviewed by co-host John Robertson about her newly-released book Human-Centered Security: How to Design Systems That Are Both Safe and Usable. We talk about: * Why Heidi’s experience as a UX researcher prompted her to write Human-Centered Security. * Places in the user journey where security impacts users the most. * Why cross-disciplinary collaboration is important—find your security UX allies (people in security, legal, privacy, engineering, product managers, to name a few). * Practical security UX tips like secure by default, guiding the user along the safe path, and being really careful about the words you use. * Technical users—IT admins, engineers, security analysts—are users, too and why it’s so important to thoughtfully design the security user experience for them. (Spoiler: they help keep the rest of us safe!)

The cybersecurity industry often fixates on “behavior change,” expecting users to take on unrealistic tasks instead of designing safer, smarter systems.  Matt Wallaert (founder of BeSci.io and author of Start at the End: How to Build Products that Create Change) explains behavioral science isn't about forcing behavior change. Instead, it's about understanding people so a thoughtfully-designed system can influence more secure outcomes. Whether you’re a UX designer, a security engineer, or a CISO, you influence security behaviors. Here’s how you can move towards more secure outcomes: * Stay Ahead of Threat Actors: Cybercriminals use behavioral science to their advantage. People designing the security user experience must not only catch up but outpace them. * Define Clear Outcomes: Don’t just say “we want users to be secure.” Know exactly what behaviors you want and why. Vague goals lead to vague results.(as Matt explains, saying things like “I want people to be more secure” isn’t helpful. In fact, many people don’t know what “more secure” means in the context of their product or organization). * Ask Better Questions: Use tools like the “sufficiency test.” For example, sure, it might be nice if users created complex passwords—but users don’t necessarily have to be the ones doing it. Why can’t the system create a complex password for them (as password managers do)? * Understand promoting and inhibiting pressures. These concepts will help you design systems that are more resilient because they are built with people in mind. There are reasons people do and do not do things—when you understand why, you can develop systems that will be more effective in encouraging the behaviors you want.  * Security practitioners: tired of being perceived as the “department of no”? Matt explains how behavioral science can help you better collaborate with cross-disciplinary teams. Bonus: UX designers, after this episode you may never create another persona.