What are Security Assessments?

Imagine you are a developer working on some kind of product/app/service within a large organization: you have some baseline intuition/experience/knowledge on writing safe and secure code, but apart from common regulatory policies like GDPR, you likely don't spend your time studying the minutia of cybersecurity policies and best practices - it's not something you have specialized in.

However, from a liability and regulatory standpoint the organization needs to make sure their software meets the bar, which is where the cybersecurity team comes in to (essentially) give you a Google Forms survey asking questions assessing the compliance of your code against the exact requirements. These assessment forms are compartively much more practical and convenient than spending the resources to train every developer to become cybersecurity experts.

What are Security Engagements?

Consider security engagements akin to the other end of the equation: engagements are when Security Staff engage with Security Users to make sure their projects are compliant. For example, say the Security Team recieves an assessment form for project X indicating that X is not compliant against some esoteric policy that the product owner/developers are not familiar with. Here, some security engineer(s) are then assigned to give direct assistence to its respective stakeholders to meet compliance.

Expert Interviews

User research was conducted concurrently alongside design tasks throughout the project. At the outset, I leaned heavily on expert interviews with CIAAN directors (as they knew how much I didn't know) to establish actionable user insights to serve as a starting point for planning my design sprints. This was later combined with insights from semi-structured interviews with some of T-Mobile's security staff -- the culmination of which is shown in the graphic below.

Competitive Analysis

Due to the proprietary nature of cybersecurity platforms there was little opportunity to make a direct comparisons, but the issues affecting Security Staff are effectively analogous to many everyday problems such as having to many meetings, managing multiple projects and people, and other common friction points. For this reason, against the prior user research insights, the analysis aimed to explore design patterns employed by other products which could serve SCAS's assessment & engagement worklflows.

Engagement Creation/Management

Security Engagements are created and managed by Security Administrators, and then conducted by assigned Security Engineers who work with assigned Security Users to complete the assigned engagement forms & surveys.

Assessment Creation/Management

Security Engagements are created and managed by Security Administrators, and then conducted by assigned Security Engineers who work with assigned Security Users to complete the assigned engagement forms & surveys.

Managing Assessments & Engagements

To enable T-Mobile security staff to better manage multiple ongoing engagements & assessments, both have a spreadsheet-style management page featuring various filtering and sorting functionality.

User Dashboard

This dashboard allows Security Users to view and fill out any assigned security assessment forms. Each form card shows detailed information about the respective assessment driven by feedback that Security Staff were often asked trivial questions such as about who was managing the assessment or how far along it has progressed.

Assessment Forms

Imagine Google Forms but for cybersecurity assessments. Since these forms often cannot be quickly filled due to certain questions that require extra work for Security Users, and combined with the high-stakes impact these forms can have, there was extra emphasis for form-safety controls & exposing assessment details to reduce user error.

Visual Approach

The aim was to tailor the visual style to the T-Mobile brand while prioritizing function over form. To this end, I decided to simply use T-Mobile's characteristic hot pink for CTAs, brand text, and other elements that deserve higher visual salience.

Adding as I go

For rapid design iteration I componentized and prototyped interface elements as I designed them in turn instead of starting with low or mid-fi drafts for the sake of time and to present vertical slices for external stakeholder feedback. This was necessary from the start since there are many interface elements repeatedly used (such as the ID tags) across flows that I would have to otherwise update individually. This eventually enabled me to create various templates for page layouts and nested components early on using these building blocks as shown.

Spreadsheet View

A set of spreadsheet components were created, but the interface for advanced filtering and pagination were ommitted in favor of sticking to the table component already provided by the UI library CIAAN was using to avoid potential technical feasibility issues.

Status-dependant Variants

Component variants were created for interface elements that are functionally dependant on some system status (such as save states).

Methodology

Using the mockups above, three cognitive walkthroughs were conducted remotely through Zoom screensharing with three cybersecurity experts familiar with assessment/engagement processes. Each participant was asked to perform four common worflow tasks and were encouraged to verbalize their thought-process in-situ. Additional time was allocated afterwards to enquire further about usability feedback & discussion.

Testing Results

Research insights are summarized in the table below. Overall, feedback was generally very positive both in terms of both ease-of-use and aesthetics, though there were questions about the specific definitions of the terminology used such as 'assigning' a Security Engineer -- no operational definition was provided by the mockups so it was left to the users to presume.