Key takeaways:

• Threat intel ≠ data. It’s analyzed info focused “walls-out” (what’s outside your org), then shared clearly so people can act.
• Start with PIRs. Ask: What are we protecting? What is most valuable to our company? What might threat actors want? How do they operate? What do we need to know to defend? Do this with a broad set of stakeholders, not just the security team.
• Communicate clearly and with context. Intelligence is only valuable if it’s shared in a way others can understand and act on. Avoid overwhelming people with raw data or inducing panic — provide actionable insights that are right-sized for the audience. 
  • Mike’s advice: “As a threat intelligence analyst, if you’re doing your job right, when somebody hears from you they know they need to act on it. You don’t want to be the chicken little where you make everybody freak out about everything.”
• Start small and iterate. Even if you’re a one-person team, you can make a big impact. Use free resources (like MITRE ATT&CK, open-source feeds, or even vendor reports), summarize what’s relevant, and push that out. Then refine based on feedback—treat it as a continuous cycle, not a one-and-done project. 
  • Mike admits, “I always say it’s like painting the Golden Gate Bridge. As soon as you get done, you gotta start back at the other end. That’s basically what it is.”

Mike Kosak is the Senior Principal Intelligence Analyst at Lastpass. Mike references a series of articles he wrote, including “Setting Up a Threat Intelligence Program From Scratch.” https://blog.lastpass.com/posts/setting-up-a-threat-intelligence-program-from-scratch-in-plain-language

Researcher Ariana Mirian (and co-authors Grant Ho, Elisa Luo, Khang Tong, Euyhyun Lee, Lin Liu, Christopher A. Longhurst, Christian Dameff, Stefan Savage, Geoffrey M. Voelker) uncovered similar results in their study “Understanding the Efficacy of Phishing Training in Practice.” The solution? Ariana suggests focusing on a more effective fix: designing safer systems.

In the episode we talk about:

• Annual cybersecurity awareness training doesn’t reduce the likelihood of clicking on phishing links, even if completed recently. Employees who finished training recently show similar phishing failure rates to those who completed it months ago. The study notes, “Employees who recently completed such training, which has significant focus on social engineering and phishing defenses, have similar phishing failure rates compared to other employees who completed awareness training many months ago.”
• Phishing simulations combined with training (where companies send out fake phishing emails to employees and, for those who click on the links, lead those employees through training) had little impact on whether participants would click phishing links in the future. 
• Ariana was hopeful about interactive training but found that too few participants engaged with it to draw meaningful conclusions. 
• The type of phishing lure (e.g., password reset vs. vacation policy change) influenced whether users clicked. Ariana warned that certain lures could artificially lower click rates.
• Ultimately, Ariana suggests focusing on designing safer systems—where the burden is taken off the end users. She recommends two-factor authentication, using phishing-resistant hardware keys (like YubiKeys), and blocking phishing emails before they reach users.

This quote from the study stood out to me: “Our results suggest that organizations like ours should not expect training, as commonly deployed today, to substantially protect against phishing attacks—the magnitude of protection afforded is simply too small and employees remain susceptible even after repeated training.”

This highlights the need for safer system design, especially for critical services like email, which—and this is important—inherently relies on users clicking links.

Ariana Mirian is a senior security researcher at Censys. She completed her PhD at UC San Diego and co-authored the paper, “Understanding the Efficacy of Phishing Training in Practice.”

G. Ho et al., "Understanding the Efficacy of Phishing Training in Practice," in 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, 2025, pp. 37-54, doi: 10.1109/SP61157.2025.00076.

Key takeaways:

• Security practitioners tend to be natural-born skeptics (can you blame them?!). They struggle to trust and adopt AI-powered security products, especially in higher-risk scenarios with overly simplified decision-making processes.
• AI can be a tool for threat actors and a threat vector itself, and its non-deterministic nature makes it unpredictable and vulnerable to manipulation.
• All AI models are biased, but not all bias is negative. Recognized and carefully managed bias can provide actionable insights. Purposefully biased (opinionated) models should be transparent.
• Clearer standards and expectations are needed for “human-in-the-loop” and human oversight. What does the human actually do, are they qualified, and do they have the right experience and information?
• What happens when today’s graduates are tomorrow’s security practitioners? On one end of the spectrum we have a lot of skepticism, on the other end not enough. We talk about over-reliance on AI, de-skilling, and loss of situational awareness.

Dr. Margaret Cunningham is the Technical Director, Security & AI Strategy at Darktrace. Margaret was formerly Principal Product Manager at Forcepoint and Senior Staff Behavioral Engineer at Robinhood.

Dr. Divya Ramjee is an Assistant Professor at Rochester Institute of Technology (RIT). She also leads RIT’s Technology and Policy Lab, analyzing security, AI policy, and privacy challenges. She previously held senior roles in US government across various agencies.

Dr. Matthew Canham is the Executive Director, Cognitive Security Institute. He is a former FBI Supervisory Special Agent, with over twenty years of research in cognitive security.

In this episode, we talk about:

• Cyber marketing is hard (but you knew that already). It requires deep product knowledge, empathy for stressed buyers, and clear, no-FUD messaging.
• Building authentic, value-driven communities leads to stronger cybersecurity marketing impact.
• Don’t copy the marketing strategies of big enterprises. Instead, focus on clarity, founder stories, and product-market fit.
• Founder-led marketing works. Early-stage founders can break through noise by sharing personal stories.
• Think twice before listening to the advice of “influencer” marketers. This advice is often overly generic. Or, you’re following advice of marketers marketing to marketers (try saying that ten times fast). In other words, their advice is probably not going to apply to cybersecurity.

Gianna Whitver is the co-founder and CEO of the Cybersecurity Marketing Society, a community for marketers in cybersecurity to connect and share insights. She is also the podcast co-host of Breaking Through in Cybersecurity Marketing podcast, and founder of LeaseHoney, a place for beekeepers to find land.

• The vital role of human factors in cyber-resilience—how Josiah and Kelly apply a behavioral-economics mindset every day to design safer, more adaptable systems.
• Key cognitive biases that undermine incident response (like action bias and opportunity costs) and simple heuristics to counter them.
• The “sludge” strategy: deliberately introducing friction to attacker workflows to increase time, effort, and financial costs—as Kelly says, “disrupt their economics.”
• Why moving from a security culture of shame and blame to one of open learning and continuous improvement is essential for true cybersecurity resilience.

Kelly Shortridge is VP, Security Products at Fastly, formerly VP of Product Management and Product Strategy at Capsule8. She is the author of Security Chaos Engineering: Sustaining Resilience in Software and Systems.

Josiah Dykstra is the owner of Designer Security, human-centered security advocate, cybersecurity researcher, and former Director of Strategic Initiatives at Trail of Bits. He also worked at the NSA as Technical Director, Critical Networks and Systems. Josiah is the author of Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us.

During this episode, we reference:

Josiah Dykstra, Kelly Shortridge, Jamie Met, Douglas Hough, “Sludge for Good: Slowing and Imposing Costs on Cyber Attackers,” arXiv preprint arXiv:2211.16626 (2022).

Josiah Dykstra, Kelly Shortridge, Jamie Met, Douglas Hough, “Opportunity Cost of Action Bias in Cybersecurity Incident Response,” Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 66, Issue 1 (2022): 1116-1120.

In this episode, we talk about:

• What cross-disciplinary collaboration looks like at Lastpass (for example, a product designer is shadowing the security team).
• A set of principles for designing for usable security and privacy.
• Why intentional friction might be counterintuitive to designers but, used carefully, is critical to designing for security.
• When it comes to improving security outcomes, the words you use matter. Mike explains how the Lastpass Threat Intelligence team thinks about communicating what they learn to a variety of audiences.
• How to build a threat intelligence program within your organization--even if you have limited resources.

Jordan Girman is the VP of User Experience at Lastpass. Mike Kosak is the Senior Principal Intelligence Analyst at Lastpass. Mike references a series of articles he wrote, including “Setting Up a Threat Intelligence Program From Scratch.” 

Paul’s advice for how can security vendors do better? 

• Start by admitting security isn’t just a switch you flip—it’s a journey. 
• Security teams aren’t fooled by glitz and glamour on your marketing website. They want to see how you addressed real problems.
• Incredible customer service can make a small, scrappy cybersecurity product stand out from larger, slower-moving vendors.
• Cybersecurity vendors need to get onboarding right (it’s a make or break aspect of the user experience). There are more variables than you think—not only technology but also getting buy-in from employees, leadership, and other stakeholders.
• Think about the user experience not only of the person using the security product, but the people at the organization who will be impacted by the product.

Looking for a cybersecurity-related movie that is just a tad too plausible? Paul recommends Leave the World Behind on Netflix.

As usable security and privacy researcher Neele Roch found, “on the one hand, when you ask the [security] experts directly, they are very rational and they explain that AI is a tool. AI is based on algorithms and it's mathematical. And while that is true, when you ask them about how they're building trust or how they're granting autonomy and how that changes over time, they have this really strong anthropomorphization of AI. They describe the trust building relationship as if it were, for example, a new employee.” 

Neele is a doctoral student at the Professorship for Security, Privacy and Society at ETH Zurich. Neele (and co-authors Hannah Sievers, Lorin Schöni, and Verena Zimmermann) recently published a paper, “Navigating Autonomy: Unveiling Security Experts’ Perspective on Augmented Intelligence and Cybersecurity,” presented at the 2024 Symposium on Usable Privacy and Security. 

In this episode, we talk to Neele about:

• How security experts’ risk–benefit assessments drive the level of AI autonomy they’re comfortable with.
• How experts initially view AI: the tension between AI-as-tool vs. AI-as-“teammate.”
• The importance of recalibrating trust after AI errors—and how good system design can help users recover from errors without losing their trust in it.
• Ensuring AI-driven cybersecurity tools provide just the right amount of transparency and control.
• Why enabling security practitioners to identify, correct, and learn from AI errors is critical for sustained engagement.

Roch, Neele, Hannah Sievers, Lorin Schöni, and Verena Zimmermann. "Navigating Autonomy: Unveiling Security Experts' Perspectives on Augmented Intelligence in Cybersecurity." In Twentieth Symposium on Usable Privacy and Security (SOUPS 2024), pp. 41-60. 2024.

• Why Heidi’s experience as a UX researcher prompted her to write Human-Centered Security.
• Places in the user journey where security impacts users the most.
• Why cross-disciplinary collaboration is important—find your security UX allies (people in security, legal, privacy, engineering, product managers, to name a few).
• Practical security UX tips like secure by default, guiding the user along the safe path, and being really careful about the words you use.
• Technical users—IT admins, engineers, security analysts—are users, too and why it’s so important to thoughtfully design the security user experience for them. (Spoiler: they help keep the rest of us safe!)

Matt Wallaert (founder of BeSci.io and author of Start at the End: How to Build Products that Create Change) explains behavioral science isn't about forcing behavior change. Instead, it's about understanding people so a thoughtfully-designed system can influence more secure outcomes.

Whether you’re a UX designer, a security engineer, or a CISO, you influence security behaviors. Here’s how you can move towards more secure outcomes:

• Stay Ahead of Threat Actors: Cybercriminals use behavioral science to their advantage. People designing the security user experience must not only catch up but outpace them.
• Define Clear Outcomes: Don’t just say “we want users to be secure.” Know exactly what behaviors you want and why. Vague goals lead to vague results.(as Matt explains, saying things like “I want people to be more secure” isn’t helpful. In fact, many people don’t know what “more secure” means in the context of their product or organization).
• Ask Better Questions: Use tools like the “sufficiency test.” For example, sure, it might be nice if users created complex passwords—but users don’t necessarily have to be the ones doing it. Why can’t the system create a complex password for them (as password managers do)?
• Understand promoting and inhibiting pressures. These concepts will help you design systems that are more resilient because they are built with people in mind. There are reasons people do and do not do things—when you understand why, you can develop systems that will be more effective in encouraging the behaviors you want. 
• Security practitioners: tired of being perceived as the “department of no”? Matt explains how behavioral science can help you better collaborate with cross-disciplinary teams.

Bonus: UX designers, after this episode you may never create another persona.

In this episode, we talk about:

• Essential questions product teams should ask legal experts when integrating AI into new products and features.
• In particular, why it’s important for designers and engineers to question the source of the data they are using for AI-powered products and features.
• The need to anticipate international security and privacy regulations, which are constantly changing, including emerging regulations that could impact companies developing IoT devices.

Justine Phillips is a Partner at Baker McKenzie, where she is co-chair of data+cyber for the Americas. She is the author of Data Privacy Program Guide: How to Build a Privacy Program That Inspires Trust.

In this episode, we talk to cybsecurity leaders Bill Bonney, Gary Hayslip, and Matt Stamper about:

• The ever-evolving role of the CISO and what CISOs care about most.
• What product teams designing security software need to understand:
  • Security tools need to operate across varied ecosystems (which means your product team needs to understand those ecosystems).
  • Complexity is the enemy of security. Yes, UX matters.
  • Context-switching means security teams waste time. Instead, security tools need to present the right information at the right time.
  • Why CISOs are excited to leverage AI in security tools—and what concerns them the most.

Bill Bonney, Gary Hayslip, and Matt Stamper are seasoned CISOs and cybersecurity leaders. They are co-founders of the CISO Desk Reference Guide—a series of books including topics such as security policy, third-party risk, privacy, and incident response—which provide actionable insights for security leaders.

• Security tools don’t get a free pass when it comes to involving end users as part of the design process. 
• People studying and building ML-based security tools make a lot of assumptions. Instead of wasting time on assumptions, why not learn from security practitioners directly?
• Businesses (and academia) are investing a great deal in building ML-based security tools. But are those tools actually useful? Are they introducing problems you didn’t anticipate? And even if they are useful, how do you know security practitioners will adopt them?
• Why are adversarial machine learning defenses outlined in academic research not being put into practice? Jaron outlines three places where there are significant roadblocks: First, there are barriers to developers being aware of these defenses in the first place. Second, developers need to understand how the threats impact their systems. And third, they need to know how to effectively implement the defenses (and, importantly, be incentivized to do so).

Jaron Mink is an Assistant Professor in the School of Computing and Augmented Intelligence at Arizona State University focused on the intersection of usable security, machine learning, and system security. 

In this episode, we highlight two of Jaron’s papers:

• “Everybody’s Got ML, Tell Me What Else Do You Have”: Practitioners’ Perception of ML-Based Security Tools and Explanations.”
• “Security is not my field, I’m a stats guy”: A Qualitative Root Cause Analysis of Barriers to Adversarial Machine Learning Defenses in Industry

• The role misaligned incentives play in security behaviors.
• How Serge and his team approach security-focused UX research. 
• Looking upstream at the security decisions made by software engineers and, in turn, the situations they are often placed in due to resource constraints and competing priorities at their organizations.
• Learning from other industries with highly-skilled professionals (shout-out to the humble check list!)
• Regulations and policy changes will likely place greater liability on the organizations shipping software.

Serge Egelman is the Founder and Chief Scientist at AppCensus and Research Director at International Computer Science Institute (ICSI). He’s written countless research papers on usable security and privacy. Most recently, his research centers around improving the user experience for users who are responsible for safeguarding their customer’s data (such as software engineers).

“We like to build a timeline of events to build that picture, create that story so we can deliver it to the customer and explain why we felt it is suspicious. In other words, why are we bothering you about this?”

In this episode, we talk about:

• Building stories from data: analysts must translate technical information into clear, understandable narratives for customers.
• If people designing cybersecurity software can design better, more effective experiences for analysts, analysts can do a better job of communicating these narratives to their customers.
• How security analysts at different levels perceive and handle threats differently—and how that changes what they need or expect from cybersecurity software.
• How thinking like an attacker can help security analysts—but only if the tools they use provide them with the right information at the right time. 

Shante Perrin is a cybersecurity leader and is currently the director of a managed services team. She led a cybersecurity team for a Fortune 100 company as an MSSP and has been a security analyst and security operations center (SOC) lead.

• The need for human-centered security—in order for security measures to be effective, they must center around people, making usability as crucial as technology. 
• We explore the gap between research and practice, highlighting the need to bring cybersecurity research into real-world application. Human-centered security research can’t possible be effective if no one knows about it or finds it challenging to implement.
• The importance of collaboration, advocating for more shared spaces where researchers and practitioners can come together to address pressing cybersecurity challenges.

Julie Haney is a Computer Scientist and Human-Centered Security Researcher and program lead at NIST (National Institute of Standards and Technology). She was formerly a Computer Scientist at the United States Department of Defense. In the episode we refer to two of Julie’s publications: “From Ivory Tower to Real World: Building Bridges Between Research and Practice in Human-Centered Cybersecurity” and “Towards Bridging the Research-Practice Gap: Understanding Researcher-Practitioner Interactions and Challenges in Human-Centered Cybersecurity.”

Tom Harrison, security operations manager at Secureworks, explains it perfectly, “We have a time crunch and it’s exacerbated by the other big issue security analysts have: we have an absolute ton of data that we have to sift through.”

In this episode:

Tom explains that security analysts are forced to go back to a pile of data with each subsequent question in their workflow. That’s a huge waste of time. And a terrible user experience. 

Tom says, “It would lead to better accuracy, faster triage, and a better user experience if you can just take me directly to the answer or at the very least a subsection that has the answer I’m looking for.”

What does this mean for you as a UX designer designing security products? You need a deep understanding of security analyst workflows to help them identify and respond to attacks as quickly as possible.

That way, you can design security products that support users who are under intense pressure to do things quickly. Tom describes how the UX can “guide or complement the workflow.”

Tom talks about what gets him excited about integrating AI into security analyst workflows—and what has him worried, as well.

Tom Harrison is a Security Operations Manager at Secureworks. We dubbed Tom an “ideas machine” and a fierce advocate for the security analyst user experience. In fact, Tom is conducting UX research in the field better than most UX researchers. He’s a passionate teacher and shares his knowledge and resources in a free security reference guide.

In this episode, we talk about:

• What is threat modeling and why should product teams and UX designers care about it? (Also check out Adam’s first episode on Human-Centered Security).
• Focus on parts of the user journey where you might gain or lose customers: what tradeoffs between usability and security are you making here?
• Involve a cross-disciplinary team from the very beginning. This is critiical: “How do we get focused on the parts of the problem that matter so we don’t spend forever on the wrong stuff?”

Adam Shostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School of Information Security, Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn From Star Wars. Adam’s YouTube channel has entertaining videos that are also excellent resources for learning about threat modeling.

In this episode, Siddharth Hirwani and John Robertson talk about:

• Pressures and challenges security analysts face and how AI can help.
• Moving beyond AI hype and focusing on integrating AI in a way that genuinely addresses security analyst’s needs.
• How UX design can foster trust and adoption of AI tools, while still encouraging analysts to verify AI outputs. 
• John and Siddharth highlight problems like over-reliance and bias and how UX can be leveraged to address these concerns.

Siddharth Hirwani is Senior Principal Product Designer interested in exploring the critical intersection of user experience and cybersecurity.

John Robertson is a researcher interested in the experience of technical users, especially those in cybersecurity. Recently his focus has been understanding workflows of cybersecurity analysts in security operations centers.

Siddharth and John will be presenting their paper “Cybersecurity Analyst’s Perception of AI Security Tools and Practical Implications” at USENIX SOUPS (Symposium on Usable Privacy and Security) in August 2024.

In this episode, Heidi interviews John about what he’s learned about designing for security analysts. We talk about:

• The importance of understanding user workflows. “Alert fatigue” is just a saying until you actually observe it in action.
• While trust is hard to measure, it’s critical for improving the security user experience.
• Practical tips on how to promote cross-disciplinary collaboration.

John Robertson is a researcher interested in the experience of technical users, especially those in cybersecurity. Recently his focus has been understanding workflows of Cybersecurity Analysts in Security Operations Centers.

In this episode, we talk about:

• Leveraging storytelling to “share with our government partners the real experience of real people who are trying ot access government services.”
• Why you need to anticipate where users might question, “Why are you asking for this? What are you going to do with this information?”
• Providing flexibility in the user experience. Carlie refers to this as “many welcoming doors.”
• When and why you might give users the option to sign up for services without requiring them to create an account.

Both Carlie Hundt and Devon Hirth work for Code for America, a civic tech non-profit, in the Safety Net Innovation Lab. Carlie is Staff Product Designer and Devon is Staff User Experience Designer.

In this episode, we talk about:

• How a centralized UX research team fosters meta-analysis across different personas, workflows, and a suite of products.
• Why in-person research—like visiting a security operations center (SOC)—is so important for UX researchers building security products.
• Creative ways of engaging with customers and learning from them.
• Why her UX research team has taken ownership over UX metrics and analytics.
• Why asking stakeholders a simple question: “What kind of evidence are you looking for?” can save you a lot of time and frustration.

Lindsey Wallace is the Director of Design Research and Strategy at Cisco Security Design. She has a PhD in Anthropology and previously worked at Adobe. 

In this episode, we talk about:

• Including users with disabilities as a co-creation exercise—not something you “check off” as part of your UX research.
• Why flexibility is so important when it comes to the security user experience.
• The importance of storytelling to help teams design accessible experiences.
• Joyce’s experience when encountering a CAPTCHA using a screen reader (and listen to an example), where she is prevented from completing a form.
• Why Joyce believes “today’s frustration will be the field for tomorrow’s innovation.”

Joyce Oshita is a Certified Professional in Web Accessibility, accessibility trainer and educator, and advisor for the FIDO Alliance task force. Joyce created the Digital Overload series, which documents her experiences using digital services while using a screen reader.

Also check out the W3C Web Accessibility Initiative (WAI) Web Accessibility Perspective Videos.

In this episode:

• The best explanation of data science you’ve ever heard.
• Why you need to skeptical of data science models.
• How to leverage data science to be more helpful to security teams.
• How to build trust—particularly when tools can increasing perform actions on behalf of users.

Serge-Olivier Paquette is CPO at Flare, a cybersecurity platform that helps organizations proactively identify security threats. He works at the intersection of product management, data science, cybersecurity, and platform engineering. Serge-Olivier was previously tech lead and senior manager at Secureworks.

We talk about:

• Access-related terms you need to understand: Digital identity, authentication, and authorization.
• Why so many security problems are, in fact, access problems.
• User experience implications.
• The future of digital identity and what it might mean for your product and your users.

David Mahdi is the CIO at Transmit Security, former Gartner research VP, and was previously CSO at Sectigo. An IAM leader and visionary, David is an expert in digital identity, cryptography, and cybersecurity. 

How would you approach security if you were building something from scratch? How would you address security user experience challenges? Darren Thomas and Margaret Cunningham from Wethos AI talk about how they’ve built security into their product and how cross-disciplinary collaboration helps them improve the security user experience.

In this episode, we talk about:

• How to build security into your product development lifecycle when you need move quickly.
• How to anticipate—and design for—security and privacy concerns.
• Why getting users to the product’s value faster and relates to the security user experience.

Darren Thomas is the co-founder and Chief Product Officer at Wethos AI, a platform that helps people and teams connect and understand one another to improve both individual and team performance. Darren is also the founding team member and head of product at NumberOne AI. A veteran in product management within the security industry, Darren has previously worked at Tenable and McAfee.

Margaret Cunningham is an experimental psychologist and is Chief Scientist at Wethos AI. Previously, Margaret was Senior Staff Behavioral Engineer, Security & Privacy at Robinhood and Principal Research Scientist for Human Behavior at Forcepoint’s X-Lab. Check out the Margaret’s first interview on the Human-Centered Security podcast (Episode 9).

In this episode, we talk about:

• What does privacy mean?
• How, as designers, we give the user ideas of what to expect around privacy—an opportunity to erode or foster trust.
• The approach her team took at McAfee when it came to redesigning their privacy policy.
• Starting with ethics—and revving that “ethical engine.”
• Who should designers reach out to about privacy at their organization? What should they ask?

Michelle Finneran Dennedy is a privacy expert, the co-founder of Privacy Code, and was formerly Chief Privacy Officer at McAfee. She is the co-author of The Privacy Engineer’s Manifesto.

Thankfully, Kevin Goldman shares my enthusiasm. Kevin is a design executive whose most recent focus has been in identity and access management. Kevin is the Chair of the UX Working Group at the FIDO Alliance, a nonprofit global industry organization that has developed the standards for passkeys.

During this episode, Kevin and I talk about: 

• How to get buy-in for a human-centered approach to the security user experience.
• A key moment when Kevin and in his team faced a UX challenge with passkeys that forced them to take a step back and re-evaluate their approach.
• The surprising findings and resolution after they dug deeper to understand the problem.
• How Kevin worked with his cross-disciplinary team members to identify tradeoffs in usability and security and how they worked through them.

In this episode, we talk about:

• The importance of a human-centered design approach to AI.
• The need to slow down and consider safety, privacy, and ethics as part of implementing AI.
• Looking beyond the data: each data point represents a human.
• The need to build and maintain trust in the AI user experience.
• Understanding how humans and AI can work as teammates and how that dynamic might play out.

John Robertson is a skilled UX researcher with a background in neuroscience and experience working at organizations such as American Airlines, IBM, and Visa. Currently he is a Senior Principal UX Researcher for a cybersecurity software company implementing quantitative and qualitative methods to create human centered security analyst experiences.

In the episode, we reference:

Analyzing Qualitative User Data at Enterprise Scale with AI: The GE Case Study by Jakob Nielsen

Do Users Write More Insecure Code With AI Assistants?

Throughout the interview, Ali and Jason will be referencing a project they worked on together to help develop and foster a consistent process for integrating UX and security into an agile development process for teams at IBM. As a result of their work, they developed a set of principles and best practices. They talk about:

• How a set of principles can serve as a guide for teams.
• Why integrating UX and security involved a cultural shift for teams in order to be successful.
• Why support from leadership is instrumental for new processes to be effective.
• Tips for leveraging mixed methods user research to look at problems from different angles.
• How to measure the success of embedding UX and security into existing processes.

Ali and Jason presented some of their research and recommendations at the 2023 UXPA presentation called “How to balance strong user experiences with enhanced security within an agile framework? Lessons learned and best practices.”

Ali Cuthbertson is the Technical Vitality Development Manager and CIO Design Program Manager at IBM. Ali brings over 20 years of seasoned expertise navigating software and hardware engineering. She has become the Indiana Jones of life sciences, user experience, talent management, vitality optimization, security protocols, AI advancements, data analytics, scientific exploration, and cutting edge cloud technologies.

Jason Telner, PhD, is a senior user researcher within IBM’s CIO design user research and data analytics team. Jason has over 15 years of experience working within the field of user research. In his current role at IBM, Jason’s focus has been on improving the user experience of employee support applications such as chatbots, web support, and voice interface support.

• How do you get up-to-speed when designing for complex domains like cybersecurity?
• How do you adapt your design process for enterprise power users (spoiler: stripping away information isn’t always the right answer)?
• How to prioritize when “everyone wants to build all the cool things.”
• Why Tom thinks much of a designer’s job is “de-risking.”
• The most important skills designers need to be successful in building enterprise security software.

Tom Keenoy is a design leader who loves building technical products for power users. At various points in his career he’s been a designer, an educator, an engineer, a product manager, and a startup founder. He’s currently leading a design team at a cybersecurity company and advising growth stage startups to help right-size their UX and product design programs.

• The surprising similarities between UX and security teams.
• What designers need to know about information security risks, as well as how designers can help security teams understand the UX tradeoffs they may be making.
• What designers can do to more effectively collaborate with their cross-disciplinary teams, including the security engineering team.
• What to consider when designing for users in higher-risk scenarios—users who have privileged access and are operating at scale (for example, if your end users are engineers, IT professionals, or security analysts).

Jason Puglisi is an application security engineer at a financial technology company. He performs ethical hacking to discover vulnerabilities, guide solutions, and inform organization-wide security measures. Human security is a particular passion of his, including security culture, awareness, and various aspects of social engineering.

• Questions you should be asking to uncover information security threats early on in the design process.
• How to account for human behavior in a structured way as part of threat modeling (spoiler: this is not so different from what you are doing now).
• How to collaborate with an interdisciplinary team as part of an iterative design process to improve the user experience of security.

Adam Shostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School of Information Security, Threat Modeling: Designing for Security and the forthcoming Threats: What Every Engineer Should Learn From Star Wars. Adam’s YouTube channel has entertaining videos that are also excellent resources for learning about threat modeling.

• How designing for security is different from (and the same as) designing for other types of experiences.
• How to tackle aspects of the user experience that may be necessary but are perceived as annoying roadblocks.
• How to anticipate where things might go wrong for the user.
• How to effectively collaborate with technical teams.

Bethany Sonefeld is the founder of Create With Conscience, a space dedicated to educating and committing to building healthier technology. Create With Conscience was something Bethany developed out of interest in creating a healthier balance of technology in her own life. Bethany is a design manager at Duo Security and was previously at Cloudflare, RetailMeNot, and IBM.

Blair Shen is a product designer at Duo Security and was previously at Cloudflare and Harry&David. She is also a YouTube content creator, where she mentors and coaches aspiring UX designers.

• How do you tackle situations where business goals might be at odds with what’s ethical or what’s best for the human using the product?
• How can designers make a difference even if they don’t have a leadership role at their organization?
• How do you anticipate potentially unhealthy behaviors or unintended consequences? 
• What are some actionable steps you can take today?

Bethany Sonefeld is the founder of Create With Conscience, a space dedicated to educating and committing to building healthier technology. Create With Conscience was something Bethany developed out of interest in creating a healthier balance of technology in her own life. Bethany is a design manager at Duo Security and was previously at Cloudflare, RetailMeNot, and IBM.

In this episode, we talk about:

• How Michael’s user research for dating apps helped him understand the unintended consequences of digital products on our behaviors.
• Why we need new frameworks for security and privacy in the digital world.
• How users’ perceptions and expectations for security and privacy are highly contextual and changing. 
• How to break down the user experience of security so your team isn’t treading water in the abstract and can take steps to improve security outcomes.

Michael Snell is the UX research team lead at JPMorgan Chase managing research focused on security and authentication. He previously worked at Microsoft and Verizon Connect. He has a PhD in psychology from the University of Georgia.

• Where the fields of cognitive psychology, security, and user experience meet.
• Why Jeremiah and his team chose to investigate graphical authentication.
• How they cleverly incorporated testing both usability and security in their two-part study.
• The importance of research around learnability: is it easy for users to learn how to use your new authentication schema?

Read Jeremiah’s research: Usability Comparison of Over-the-Shoulder Attack Resistant Authentication Schemes. 

Jeremiah is the Director of Human Factors, Ph.D. Track and Associate Professor of Psychology and the School of Cybersecurity at Old Dominion University. He runs the Psychology of Design Laboratory, which focuses on human cognition and technology, including usable security.

• Why technical users expect a great user experience just like everyone else.
• How to find and incentivize participants who are extremely busy.
• How to support users in making a decision without telling them what to do.
• Deciding what data to show and how to show it.

Tanja Venborg Hansen is a seasoned user researcher who has worked in both the enterprise cybersecurity (Forcepoint) and aviation industries (Finnair). She earned a master of science degree focused on design and innovation from the Technical University of Denmark.

• What is responsible innovation and where can companies get started?
• How can companies take guiding principles, establish a framework, and operationalize that framework in a way that “informs decision-making in a meaningful way”?
• How are regulations impacting responsible innovation programs?
• What happens when an organization’s business model conflicts with responsible innovation principles?

Chloe Poynton is the co-founder and principal at Article One Advisors, a management consultancy with expertise in human rights, responsible innovation, and social impact.

• Why security UX requires “selective usability” and how that poses unique challenges for designers.
• Thinking about security in terms of safety systems: putting the burden on the system rather than on the user.
• How to work effectively with the security team.

And Jared shares lots of examples.

Jared Spool is the founder of UX consultancy UIE and the co-founder of UX design school Center Centre. Interested in hearing more about what Jared has to say about the security of UX? Watch the talk: Insecure and Unintuitive: Why We Need to Fix the Security of UX.

• What’s next for the cybersecurity awareness industry.
• How to leverage qualitative and quantitative metrics (with similar challenges and opportunities to measuring the user experience).
• How to go about understanding and changing your organization’s cybersecurity culture.

Kate Brett Goldman is the Founder and CEO of Cybermaniacs, an innovative cybersecurity awareness company. Prior to founding Cybermaniacs, Kate spent over 20 years developing solutions that encourage human and organizational change in enterprise IT.

• Building a system in a way that, as Ira says, “a user cannot initiate a loss”
• What designers need to know about prevention, detection, and reaction when it comes to security 
• What we can learn from safety science 
• How designers can get a seat at the table when it comes to human security engineering

Ira Winkler is the founder of Secure Mentem and Chief Information Security Officer at Skyline Technology Soutions. He is the author of seven books on security, the latest of which is You Can Stop Stupid (discussed in this episode). He also has a new book in the works, Security Awareness for Dummies, which will be available in 2022.

• The security risks associated with IoT devices.
• Why IoT devices can be less secure than, for example, a mobile device.
• Supply chain security.
• How UX designers can more effectively communicate risk to their users.

Prior to founding Finite State, Matt spent 15 years leading the research and development of advanced solutions to some of the hardest problems in cyber security, with experience across the spectrum of offensive and defensive cyber operations. Notably, he was the technical founder and CTO of Battelle's Cyber Innovations business unit. Throughout his career, Matt has spearheaded complex national security programs ranging from detection of malicious integrated circuits in the supply chain to next generation intrusion detection systems for low-power embedded systems. Matt directed numerous intelligence programs related to the security of embedded and IoT devices and has been a speaker on the subject at events around the world.

You can follow Finite State on Twitter and LinkedIn.

• How anthropology can help security teams uncover the “why” behind security breaches.
• Why it’s important for designers to familiarize themselves with information security risk management. 
• What designers should know about quality assurance applied to security.
• How to fight for the time needed to build security into products.

Patricia Ensworth is a business anthropologist whose work focuses on the human factors affecting the development and maintenance of innovative products, services, and systems. As a technology project manager at leading global financial services firms (Merrill Lynch, Moody’s UBS, Citigroup, Morgan Stanley) she came to specialize in risk analysis and quality assurance, often recently in relation to cybersecurity vulnerabilities. Her consulting firm Harborlight Management Services LLC provides organizational research and management training to clients in a broad range of industries, as well as government agencies and non-profits. She is the author of The Accidental Project Manager: Surviving the Transition from Techie to Manager (Wiley 2001) and numerous technical articles about multicultural teamwork in software engineering. She is also an Adjunct Assistant Professor teaching in a graduate business degree program at New York University.

• Why human factors is important when it comes to cybersecurity and why it’s still a relatively unexplored topic.
• The importance of communication and empathy in cybersecurity.
• Dr. Robinson’s research around low and medium vulnerabilities—and how their potential use in combination warrants additional attention.
• Dr. Robinson’s most recent research around “vulnerability chaining blindness” and why the words we use and a shared understanding are crucial for making progress in cybersecurity.

Dr. Nikki Robinson is a Security Architect and holds a Doctorate of Science in CyberSecurity, as well as several industry certifications (CISSP, CEH, MCITP, etc). She is currently working on a PhD in Human Factors and research in blending psychology and cybersecurity. With a background in IT Operations and Engineering, she moved into security several years ago.

• Connect with Dr. Nikki Robinson on LinkedIn
• Listen to Dr. Nikki Robinson’s podcast: The Resilient Cyber Podcast

• How an insider threat at her own company led Robin into cybersecurity.
• Why looking at the human side of errors and using a framework like HFCAS can help identify the root cause of the problem.
• How Robin’s research challenges the idea that “humans are the weakest link.”
• How HFACS can be applied to cybersecurity’s existing frameworks.

Robin Bylenga is a seasoned client-facing expert, having drawn her initial skills early in her career as a flight attendant. Prior to entering cybersecurity, she was the CEO and Founder of Pedal Chic, the first women-specific bike shop in North America. She built the brand, won national awards, and designed a full line of bicycles for a niche market. Then her company suffered an insider threat attack. That experience changed the course of her life and brought her to a new career and the opportunity to adapt the Human Factors Analysis and Classification System (HFACS) framework to cyber.

Learn more about Robin's research at https://hfacs-cyber.com/

• How security experts can more effectively communicate with end users.
• The issue of delayed consequences in the digital realm and how that impacts how people behave.
• The role accountability plays in improving information security.

Ryan Cloutier is the principal security consultant for SecurityStudio. He is an experienced IT/cybersecurity professional with over 15 years experience developing cybersecurity programs for Fortune 500 organizations. Ryan is a virtual Chief Information Security Officer for K12 districts across the country and is Certified Information Systems Security Professional (CISSP) and is proficient in cloud security, dev-ops, and sec-ops methodologies, security policy, process, audit, compliance, network security, and application security architecture. Ryan also co-hosts a weekly security podcast and is included on the top 100 most influential people in cybersecurity.

You can also find Ryan:

• On Twitter @cloutiersec
• On The Security Shitshow
• During the episode, Ryan mentions S2me (by SecurityStudio), a free security risk assessment resource

• Thinking about cybersecurity risk from a UX practitioner’s perspective.
• Balancing ease of use while not introducing unnecessary risk.
• Building personas and scenarios for bad actors so you can make conscious decisions about how controls might be circumvented.
• The importance of content strategy and collaborating with UX writers.
• Tips for conducting user research when it’s difficult to get access to end users.

Natalie Hill is a senior product designer with over 20 years of professional experience and a Master of Science in Information Studies. Her niche is enterprise UX. She loves finding elegant solutions to complex design problems and understanding the psychology that drives human behavior. Natalie considers cybersecurity one of the most important things in the world and has spent the last four years designing network, web, and email security solutions.

Natalie is a seasoned guitar player who enjoys playing live with a band in non-pandemic times. She is also on the board of directors of the nonprofit Girls Rock Austin, an organization dedicated to empowering girls, transgender, and non-binary youth through music education, mentorship, and self-care.

• Why looking for a silver bullet for cybersecurity is hopeless. Like any human issue, it is a multi-dimensional and complex.
• Expectations versus outcomes: how we must take into account how “things will play out when you involve people.”
• "Changing how people think and behave is complicated, non-linear, painstaking, and does not conform to your expectations.” Despite this, understanding and accounting for people when it comes to cybersecurity is critically important.
• What organizations are missing and what organizations are doing well when it comes to accounting for people in cybersecurity.

Alexander Stein, PhD is an expert in human behavior and decision-making, and founder and managing principal of Dolus Advisors, a pyschodynamic management consultancy that advises CEOs, senior management teams, and boards in issues involving leadership, culture, governance, ethics, risk, and other organizational matters with complex psychological underpinnings. Dr. Stein is an internationally regarded authority in human risk and the psychodynamics of fraud and is frequently engaged as a specialist advisor in multi-jurisdictional, corruption, and executive misconduct matters and also helps companies mitigate and address human factor vulnerabilities in cybersecurity. He also consults with companies that develop and deliver technologies that assume decision-making functions in human affairs to mitigate unintended consequences to people, organizations, and society. Dr. Stein is a widely published and cited writer and thought leader, currently a regular contributor to Forbes on the psychology of leadership and misbehavior in business, and a frequent podcast and webinar guest, on-camera expert commentator, and keynote speaker and panelist.

Find more information on Dr. Stein and Dolus Advisors:

• Dolus Advisors
• The Briefing, Dolus Advisors’ periodic digest of thought-leadership and analysis
• Dr. Stein on LinkedIn
• Dolus Advisors on LinkedIn
• Humans and technology: A complicated and fascinating pair, RSA Conference Podcast, Episode 33, March 3, 2020
• To Phish or Not to Phish? That is the Question, Wizer Training Webinar, January 13, 2021
• Pitfalls of Outsourcing Self-Awareness to AI, Forbes, January 6, 2019 

research to integrated marketing planning. Her professional focus is in helping brands and teams reveal business opportunity and advantage while her passion is rooted in inspiring ideas that serve the world for greater good. 

During this episode we talk about:

• Incorporating cybersecurity into the "fabric of your organization’s brand."
• How to create meaning and understanding that leads to a new behavior.
• The FOGG Behavior Model: motivation, ability, and a prompt must converge for a behavior to happen.
• How to deal with our natural aversion to complexity.
• How purpose is a way to create more unified understanding of what everyone is working towards and helps people put more meaning around the security-related tasks that may have otherwise been perceived as meaningless. 

In this episode, we talk about:

• Why saying “people are the weakest link” is not a productive mindset when it comes to cybersecurity.
• How we can thoughtfully create systems/designs that mitigate the risk of human limitations.
• The Human Factors Analysis and Classification System (whether you are in UX or cybersecurity, you will likely find this framework interesting).
• The nuances around errors and rulebreaking and how we can, ideally, learn from our employees’ behavior to make the systems and the organization better.

On this episode we talk about:

• How we are constantly doing risk assessments in our everyday life. At least, we should be.
• How using analogies and stories help people connect with something new, like cybersecurity.
• Shifting the mindset to ensure the cybersecurity team's goals tie back to the business’ goals.
• The importance of culture and providing an environment where employees and the cybersecurity team are constantly learning.

In this episode we talk about:

• What human factors is and what a human factors engineer does.
• Chronic fatigue and stress in the cybersecurity industry.
• What approaches the aviation industry has taken to address the likelihood of human error.
• What leaders at organizations can do to embrace human factors and design systems that are "more favorable to humans."

During this episode, we’re focusing on what successful organizations are doing to manage risk. We talk about:

• Why it’s difficult for people to understand risk in the digital realm.
• Why taking the time to “brand” security at the organization is important.
• How organizations can foster an open dialogue around security to encourage engagement and lasting behavior changes.
• How field visits can be used to develop more effective solutions for awareness and behavior change.

In this episode, we talk about:

• How to design better, more thoughtful solutions when users try to get around security.
• How conducting your own user research helps you question your team's assumptions and, even better, leads to product-defining insights.
• Why it's important to invest in the user experience of advanced/technical users (like administrators).

Christian not only has a deep understanding of the complex cybersecurity ecosystem, he also appreciates the challenges in getting stakeholder buy-in to ensure the user experience is prioritized.

In this episode, we talk about:

• Human-centered design: what is it and why is it important? (we talk about Nielsen Norman Group co-founder and author of the Design of Everyday Things, Don Norman, who has a great video describing the principles of Human-Centered Design)
• The complicated cybersecurity ecosystem and the challenges it presents when designing user experiences. 
• How great user experiences in cybersecurity are "a human and a technology problem to solve."
• How to speak the language of stakeholders by using metrics, including the PURE Method, which Christian co-developed.

• What Kaliya describes as a new “layer” to the Internet to support decentralized identity, much like how html or email supported what came next.
• The importance of open standards.
• How to build a “digital wallet” paradigm that makes sense to people.
• What SSI means for businesses/business models.

Kaliya is the co-author of “Comprehensive Guide to Self-Sovereign Identity,” and author of “Domains of Identity.” She is also one of the co-founders of the Internet Identity Workshop, which brings together people to help develop open standards for ways people can own and control their digital representations of themselves.

In this episode, we talk about:

• How to reframe the security conversation so business owners understand that an investment in security is taking a proactive stance. Ultimately, you have to empathize with business owners.
• Why fear-based tactics may not be the best solution in getting people to care about security.
• Why it's so important to understand the business and its employees before establishing security controls.
• Expectations around security--customers just assume that their data is safe.

In this episode, we talk about:

• Cybersecurity awareness training should start with stories, to connect with people and encourage them to take action.
• Cybersecurity awareness training should then focus on developing the skills that can be applied to a variety of scenarios (as Gabriel says, "we can't teach everything.").
• Make security easy--but roadblocks may necessary to get users to slow down and think.