Tell a story with the project name – Design Monday

Archive for the ‘Blogs’ Category

Tell a story with the project name – Design Monday

Posted by

The city is a book of poetry writ large across buildings. Santiago, Chile.

During the mid-1990s, Santiago went through building boom. The game was simple. A development investment project would be conceived and pitched. If the enough investors were interested, the project was funded, and the building was built. An apartment building here, an office building there. And key to the success of getting funding? The name.

Rodrigo Rojas, a poet and professor, played a key role in naming these buildings. “Rodrigo was a kind of interpreter of dreams — he tapped into the psyche of what the people of Santiago wanted to become, and tried to give that a name.”

Every project needs a name. Unfunded real estate projects and security projects, doubly so. Here are a few things I’ve learned from naming projects.

Be playful and fun. In my consulting days, to protect confidentiality, we wrote a name generator. We dedicated a portion of the project kick-off to laughing over possibilities. With names like Iron Taco and Gubbins Dance, you can’t go wrong. Security needs a spirit of play.

Share the vision. “One system, one team” was what I called my DevOps and IT modernization project. The clarity of the name simplified sharing the vision and making downstream decisions.

Address concerns. When I received feedback that my approach to managing several consulting practices was too complex, I came up with a three year roadmap in three words. Simplify, optimize, expand. One word per year. We executed on this from 2017-2019, with quarterly goals reinforcing the overall journey.

We need to find the spirit of a poet when naming security projects and initiatives. Tell a story with the name. Make it fun, while communicating the vision and addressing any concerns. We can use the name to drive action.

Photography courtesy of Horst Engelmann, Pixabay

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Find your own way without brainstorming or crowdsourcing – Design Monday

Posted by

Imagine you are getting onto a train. Drive. Park. Traverse the crowds. Find the train. Sounds simple and, in many places, it is simple. But Millbrae Station is a difficult space to navigate. In fact, locals would tell you to find somebody to guide you. At least, for the first couple times, because it is easy to get lost. Bring a friend. Recently, San Francisco’s Bay Area Rapid Transit (BART) brought in studio1500 to design a better way.

The challenge was bigger than the space. There is an information system which guides people through the BART public transportation system. Broadly, this known as wayfinding. Specifically, in San Francisco, this was a set of design choices made by different firms at different times. BART’s internal team would be implementing the wayfinding system at Millbrae Station. The colors, typeface, paint choices, all these and more had to come together in a design that coordinated and communicated with multiple parties. One final consideration was how the design would be kept up. Public transportation departments routinely touch-up and refresh signage over the lifetime of a project. 

Wayfinding is an analogy for thinking about how people navigate the various screens, sites, security systems, prompts, and challenges. Our workforce navigates wayfinding systems done by others (say, WorkDay and SalesForce) at the same time they’re working through what we control (say, VPN and SSO). An example of a wayfinding design, across multiple environments, with strong need for maintainability, such an example is fertile ground for cyber security lessons.

Returning to Millbrae Station, you might expect the story to begin with a brainstorming session with the studio1500 partners Julio Martinez and Erik Schmitt. You’d be wrong. It’s cool. I was wrong, too. In fact, Martinez himself wrote: “I assumed life in a design team would be full of brainstorming sessions — mythical, lively, fast-paced meetings with brilliant ideas bouncing off multiple heads until they were captured in someone’s notebook as shiny kernels of greatness. There would be roars of celebration and laughter, hugs and high-fives, uproarious chants.”

Several years ago, I took an improv course. During my time spent learning how to Zip-Zap-Zop, I realized I wasn’t fast at coming up with ideas. Someone would shout a premise, I would freeze, and others would jump in. This wasn’t surprising. After all, I took the course because I felt slow. I decided to take each improv class twice. Double down. Work through it. And here is where I ran into a surprise. Across different classes, with entirely different teammates, with different composition of ages and backgrounds, the exercises were remarkably the same. I froze. Others jumped in. But no matter who it was, in both classes, people made essentially the same joke.  

Free association isn’t all that free. It’s bound by shared experiences and cultural expectations. 

David Palermo and James Jenkins studied free association with words in the 1960s. Simon De Deyne is studying this today. (Check out https://smallworldofwords.org to participate.) If you give someone a word, you can be reasonably certain what word they’ll think of next. Likewise, if you give someone a premise, you can be reasonably certain what they’ll improvise. Our first instincts feel creative but actually repeat what most anyone else would do. 

Brainstorming tries and fails to avoid the work of preparation and contemplation.

Mihaly Csikszentmihalyi, the psychologist who popularized the concept of flow, once said there are five stages in the creative process. This was after interviewing a hundred designers and artists, including Don Norman, so we can assume Csikszentmihalyi was on solid ground. The five steps are: preparation, incubation, insight, evaluation, and elaboration. Incubation can take days, weeks, or months. Scheduling a brainstorming session for a Tuesday at 4 o’clock, showing up, and jumping to insights feels tantalizingly innovative. But it ignores decades of research into how creative work gets done unconsciously.

Okay, but what does improv have to do with wayfinding, you ask?

“This dance between the conscious and the unconscious is important,” Martinez explained. Instead of brainstorming, they read the brief. They walked the site. Martinez made time for his observations and intuitions to gel. When studio1500 presented to BART, they came with a number of thoughtful options for the Millbrae Station. They came with ideas to discuss and build upon.

“Our approach is antithetical to the classical Paul Rand model of design. You have one idea. You show up. It is a God-given idea and it is done. Take it or leave it.” Martinez said, contrasting studio1500‘s approach. “We like to play. We like to think as we’re designing. It’s collaboration. It’s iteration. It’s actually how you figure the ideas out.”

The Millbrae Station wayfinding would go through a few iterations. The design firms working within and without gradually got onto the same page. Martinez worked to make sure the vision was translated and executed properly. This meant simplifying the design a bit, choosing colors that were more maintainable. It also meant some rework to get the typeface correct. Each change required thought, but none required a storm of ideas and flurry of sticky notes.  

Brainstorming is theater. As security theater makes us feel secure without actually increasing security, brainstorming makes us feel insightful without producing insights. 

Don’t feel pressured  to crowdsource or brainstorm ideas. Prepare by setting a vision, thinking through how to protect the organization and define the security capability. Give it time to seep into your subconscious. You’ll be ready the day comes for creatively defining architecture and controls.

When designing cyber security capabilities, find your own way.

Afterwards

In past articles in this series, I’ve covered four of my preferred ways for exploring problems and discovering new possible solutions. These are:

Julio Martinez recommends James L. Adams’ book, Conceptual Blockbusting: A Guide to Better Ideas. The book is now on my end table.

Bay Area Rapid Transit (BART) Map, Courtesy Wikipedia

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Let’s not Become Password Huggers: Passwordless Guest Post on SC

Posted by

SC Magazine has a guest blog from me on passwordless authentication, and the importance of addressing usability, manageability, and defensibility.

Change happens at an uneven pace. Take the latest smartphone. The camera still has a lovely shutter click, though digital cameras have long since surpassed shutter cameras. The QWERTY keyboard was designed to solve the problem of jamming in 19th century typewriters. And yes, to open apps and websites alike, we’re still using an idea conceived of 60 years ago for mainframes: the password.

We cling to the password. It’s security’s first, and sometimes disastrously, last line of defense. As surely as we know the camera doesn’t have to click, we know the password can be replaced by stronger factors. In fact, with adaptive and contextual controls, replacing the password means greater security and user experience benefits.

What’s holding us back from moving forward with passwordless?

Read the full article here: Three ways we can move the industry to passwordless authentication

Cyber Security Design Studies, Papers, Books, and Resources

Posted by

The cyber security design principles emphasize psychology over technology. Here is a collection of scientific studies, research papers, design books, and related resources.

This is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Paths They Take

Number of steps; Familiarity of each step; Friction at each step.

Introduction to Customer Journey Mapping (ebook)

Flow Design Processes – Focusing on the Users’ Needs

Scientific Articles

Shosuke Suzuki, Victoria M. Lawlor, Jessica A. Cooper, Amanda R. Arulpragasam, Michael T. Treadway. Distinct regions of the striatum underlying effort, movement initiation and effort discounting. Nature Human Behaviour, 2020; DOI: 10.1038/s41562-020-00972-y

G. Suri, G. Sheppes, C. Schwartz, J. J. Gross. Patient Inertia and the Status Quo Bias: When an Inferior Option Is Preferred. Psychological Science, 2013; DOI: 10.1177/0956797613479976

ulia Watzek, Sarah F. Brosnan. Capuchin and rhesus monkeys show sunk cost effects in a psychomotor task. Scientific Reports, 2020; 10 (1) DOI: 10.1038/s41598-020-77301-w

Choices They Make

Number of choices; Predictability of the choice; Cognitive load of each choice.

Nudge to Health: Harnessing Decision Research to Promote Health Behavior

Sludge: “activities that are essentially nudging for evil”

Intentional and Unintentional Sludge

Books

Choosing Not to Choose, by Cass Sunstein

How to Decide: Simple Tools for Making Better Choices, by Annie Duke

Being Wrong: Adventures in the Margin of Error, by Kathryn Schulz

Scientific Articles

Sunstein, C. (2020). Sludge AuditsBehavioural Public Policy, 1-20. doi:10.1017/bpp.2019.32

Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019

Chadd, I., Filiz-Ozbay, E. & Ozbay, E.Y. The relevance of irrelevant informationExp Econ (2020). // Unavailable options and irrelevant information often cause people to make bad choices. The likelihood of poor decisions is even greater when people are presented with both.

Behavior

The behavior we want people to perform.

Scientific Articles

Hall, Jonathan D. and Madsen, Joshua, Can Behavioral Interventions Be Too Salient? Evidence From Traffic Safety Messages (September 16, 2020).

Barriers

Barriers preventing people from completing the behavior.

Scientific Articles

Benefits

Benefits of completing the behavior.

Scientific Articles

Training (Ignorance)

Scientific Articles

Irrationality

40 Clever and Creative Bus Stop Advertisements

Scientific Articles

Vadiveloo, M. K., Dixon, L. B., & Elbel, B. (2011). Consumer purchasing patterns in response to calorie labeling legislation in New York City. The International Journal of Behavioral Nutrition and Physical Activity, 8(1), 51-51.

Fernandes, D., Lynch, J. G., & Netemeyer, R. G. (2014). Financial literacy, financial education, and downstream financial behaviors. Management Science, 60(8), 1861-1883.

Investments

More people, better technology.

Scientific Articles

Incentives

Books

Drive: The Surprising Truth About What Motivates Us, by Daniel H. Pink

Scientific Articles

Gneezy, U., & Rustichini, A. (2000). A Fine is a Price. The Journal of Legal Studies, 29(1), 1–17. doi: 10.1086/468061

Rey-Biel, Pedro & Gneezy, Uri & Meier, Stephan. (2011). When and Why Incentives (Don’t) Work to Modify Behavior. Journal of Economic Perspectives. 25. 191-210. 10.2307/41337236.

Behavior Economics

From “Economic Man” to Behavioral Economics

Related Books

  • The design of everyday things, by Don Norman
  • Designing for the digital age: How to create human-centered products and services, by Kim Goodwin
  • Design research: Methods and perspectives, by Brenda Laurel
  • User experience revolution, by Paul Boag

Presentations

Does security have a design problem? Designing Security for Systems that are Bigger on the Inside.

How does design apply to securing application development and DevOps? Securing without Slowing.

How does design apply to BYOD and Cloud apps? Security Design Strategies for the Age of BYO.

How does design apply to blue teaming? Design Thinking for Blue Teams.

Design Thinking for Blue Teams at Converge Detroit

Posted by

Usability versus security is stupid. It forces us to choose one or the other. It excuses security breaches under the guise of usability. It automatically pits us against them, builders against breakers, developers against defenders. A better approach is to view security like usability: they happen where man meets machine. At that moment of meeting, what factors in human psychology and industrial design are at play? And suppose we could pause time. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future?

Recorded for Converge Detroit 2020

Watch more videos on my YouTube channel.

Minimum Viable Security – Design Monday

Posted by

My focus on IT security began in 1997 with a malware outbreak. To get a sense of how much has changed, I checked out the (ISC)² website as it existed back then. Whoa. It’s ugly. The website and the views on cyber security have drastically improved since the nineties.

These days I regularly get asked, “where do we begin?” Privileged Access Management is supposed to look like this. Zero Trust Architecture is supposed to look like that. We only have a these two things, a paperclip, some duct tape, an overworked staff, and an intern. Where do we even start?

Borrowing from the product design world, take a Minimum Viable Product (MVP) strategy. Take a limited number of security controls. Take a limited scope of people and systems. Design a security capability, implement it, and get feedback on what works and where improvements are needed. Then, rinse and repeat with refined controls and in a new area of the organization.

A concern is that this process may lead to a patchwork of controls assembled from a tangle of point solutions. Valid concern. We’ve all seen such environments. A few of us have been lucky enough to build such mistakes, and learn from them. The way to avoid this is to use a consistent set of architecture patterns and project templates. Each sprint begins with these patterns and plans. Each one ends with updating the architecture and PMO libraries. It’ll be ugly, but with a controlled process, it’ll improve rapidly.

Criminals don’t care that we got the capability perfect. Adversaries aren’t impressed with the beauty of our control framework. So toss out the textbook.

Start where you are. Dare to be ugly. Iterate and improve.

The (ISC)² CISSP webpage from 1997, courtesy of The Internet Archive.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Change Creates Adventure – Design Monday

Posted by

It has been said San Francisco is forty-nine square miles surrounded by reality. Fleeing Michigan snows for a week in San Francisco leads to feeling the otherworldliness. One flight and everything changes.

In San Francisco, underneath a series of hills reminiscent of Hobbit holes, is the California Academy of Sciences. The hills reflect the structures below, such as the planetarium. The overall field forms a living roof which keeps “interior temperatures about 10 degrees cooler than a standard roof and reducing low frequency noise by 40 decibels. It also decreases the urban heat island effect, staying about 40 degrees cooler than a standard roof.” This according to the California Academy of Sciences press release from 2007.

Renzo Piano designed building. His starting point was a question that’s delightful in his lateral thinking: “what if we were to lift up a piece of the park and put a building underneath?” In the California Academy of Sciences building and throughout Piano’s work, he returns again and again to themes of culture and change.

“The world keeps changing,” Renzo Piano said on the TED stage. “Changes are difficult to swallow by people. And architecture is a mirror of those changes. Architecture is the built expression of those changes. Those changes create adventure. They create adventure, and architecture is adventure.”

There’s a tension when designing a security architecture. The architecture must meet and mirror culture of the organization. The design can’t run contrary to how the organization works. But at the same time, the new controls must facilitate a cultural change towards a more secure way of being. The architecture mirrors while it modifies.

There’s another tension when designing a security architecture. Ongoing change will impact how people perceive and experience security. But at the same time, the security principles and posture must remain unchanged in the face of far ranging organizational change. “Architects give a shape to the change,” Piano once said. The architecture is flexible but stable.

My last trip in the US, before the pandemic, was to San Francisco. Within a month, everything had changed. We are experiencing the greatest migration in human history. A migration from the office to the home, certainly. More significantly, a migration from the physical to the digital. We now live in 1440 square pixels surrounded by reality.  

Security architects must meet the wave of this change while holding steadfast to our security principles.

California Academy of Sciences living roof. Photography Columbia Daily Tribune.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

The IDEA Behind Simple Robots and Simple Security – Design Monday

Posted by

It was the early nineties when I first saw the photograph of a small robot wandering the desert. I would go on to buy the Robo Sapien book which featured photographs from the same shoot, along with more from Peter Menzel. Iconic. Simple. Inspiring and, most of all, achievable.

Robotics in the 1980s and 1990s were incredibly complex and costly. Significant computing power and sensor tech was needed to move a limb. The idea of walking robots was a dream, to some, a fantasy. Rodney Brooks had made some advances with Genghis and Attila. But these were still tens of thousands of dollars. Such robots were available to grad students and researchers, but out tantalizingly of reach for the rest of us.

Enter Mark Tilden. The robot in the Menzel’s photograph, and the rest of Tilden’s menagerie in the 1990s, had a price tag of a few hundred dollars. Many were built from scrap parts and recycled electronics. This allowed for rapid prototyping, which in turn facilitated rapid innovation. End result? Simple robots that worked. Inexpensive robots that walked.

The real lesson I took from Tilden, which I applied both when I built his style of robots and when I designed IT systems, was how to copy an idea. It works like this:

  • Identify the features are providing the value
  • Deconstruct those into underlying principles and tasks
  • Emulate those tasks using the people and technology you have on hand
  • Act on those tasks to reproduce the effect, prototype and iterate, to develop your own way of providing the value

Tilden called his process biomimicry because the stated goal was to mimic biological systems. More broadly, applying Tilden’s process to my framework, you can envision the steps as follows:

  • Identify = Insects walk with legs controlled by a core set of neurons oscillating in a loop
  • Deconstruct = an oscillator with feedback
  • Emulate = two, four, or six inverter oscillators, or in BEAM nomenclature, Bicore, Quadcore, or Hexcore
  • Act = Unibug 1.0, seen in the photograph below

I wager this is the same process Tilden used to build unthinkable robots for a fraction of the cost using parts he had lying around. Meanwhile, in security, we’re challenged to build security capabilities with little budget using what we have on hand. This is where my IDEA method shines.

Implementing any capability reference model or framework is beyond the capacity of most organizations. So? Don’t.

In October 2019, I was in Haifa visiting the Technion. There I saw robots which mimicked the snakes which populate the deserts of Israel. The same movements that facilitate movement through the deserts of Israel are useful in navigating the rubble of fallen buildings and industrial accidents, in order to find survivors. My mind was instantly transported back to Mark Tilden and his spare-part creatures. It struck me that Alon Wolf’s bio-inspired snakes are the technological children of Tilden’s early experiments.

By following a process that closely mirrors my IDEA model, the engineers at the Technion had created a simple, efficient, and focused device which literally saves lives. They identified an unlikely source of inspiration and deconstructed that down to its most iconic element: the serpentine wiggle. They iterated until they were able to emulate this wiggle. Then they put their invention into action: rescuing folks who would otherwise perish.

We can do the same thing in our cyber security work.

Select your reference model. (Say, for an Identity and Access Management or IAM platform.) Use the process above to see where the value is coming from. (Let’s say, on-boarding and off-boarding.) Deconstruct these down to a few core objectives. Then, see what’s available in your organization in terms of tools and techniques. Run inexpensive and quick pilots to try out the ideas and form a plan.

Don’t act on all the things. Act on the right things.

Mark Tilden’s Unibug, photography by Peter Menzel.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Follow Signs of Friction to Find Security Champions – Design Monday

Posted by

On a winter evening in 2014, Nikki Sylianteng got a parking ticket. It wasn’t a surprise. This was in LA where the city collects around $140 million from tickets annually. Sylianteng’s $95 parking ticket wasn’t significant and it wasn’t a surprise. But what happened next was.

When designing security capabilities, we have two aspects to consider:

• The paths people take to complete work – number of steps, familiarity, and friction of each step
• The choices people make during work – number of choices, predictability, and cognitive load

I argue that security can improve people’s work. Make it easier. Make it faster. I often get pushback on this argument, and for good reason. A very real problem is that security teams don’t have good visibility into the path and the choices. Even more worrisome, we don’t get good feedback when things are difficult or when security controls are making them worse.

Millions live in LA. Hundreds of thousands get tickets in LA. One person gave feedback with a solution.

Why? It is the same reason the workforce tolerates bad security controls: habituation. People get used it. They become blind to the annoyances along the path they have to take to complete their workflow. Listen for these tell-tale phrases:

• That’s just the way the world works
• We’ve always done it this way
• Things could be worse

That’s an indication of a workflow security may be to improve while increasing security. There lies habituation. There lies unnecessary steps or choices. There lies an opportunity to improve the path. But we need a partner on the inside, someone who can see beyond the habituation, someone who has what’s called beginner’s mind.

This is what drew me to the story of Sylianteng and her parking ticket. (Listen to Nikki Sylianteng tell her story herself here.) She didn’t accept the ticket. She couldn’t accept the way the parking signs were. She launched To Park or Not to Park and radically redesigned the parking signs. She has since created tools that anyone can use to create their own simplified parking signs.

Imagine our security goal is parking enforcement. Our control, the parking sign. Four million people in LA see the signs. Some follow them. Others don’t. Only one person actually says this is a problem, and takes it on themself to correct the problem. Do we embrace this person? Well. We should. According to Nikki Sylianteng, her new approach “has shown a 60% improvement in compliance and has pilots in 9 cities worldwide.”

Find those with a unique combination of beginner’s mind and desire to make a change. Embrace them. They are your security champions, and by working together, leaps in adoption and compliance are possible.

Before and after Nikki Sylianteng‘s parking sign redesign.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Security is not the control, it is the context – Design Monday

Posted by

Seeing is Forgetting the Name of the Thing One Sees. A fantastic title, right? I was having a coffee meeting with a new product designer a few months back. As can happen, I was pretty wound up, going on about the need for usability and human-centric design in cybersecurity. She told me, “you need to read Seeing is Forgetting the Name of the Thing One Sees.”

The book covers conversations Lawrence Weschler, the author, had over three time periods with Robert Irwin. It gets to the heard of Irwin’s philosophy and approach. Irwin began abstract in the 1960s. He painted lines. He painted dots. But when displaying his work, Irwin noticed the way the art was experienced was influenced by factors outside of his paintings. Any of us who have seen optical illusions with colors and lines understand this instinctively and likely think nothing of it. But to Irwin, who was obsessed with the experience to the point of banning photography, this simply wouldn’t do. Irwin took to replastering and repainting walls, sometimes whole studios, where his art was displayed.

Robert Irwin insisted on controlling the entire experience and this led to the realization that the surroundings were just as important as the artwork itself.

We’ve been slow at coming to a similar realization in cybersecurity. Consider the Web application. A thousand things have to go right for it to work, and a thousand things can go wrong from a security perspective. OWASP framed these issues up into a top 10 list. This simplified the work of developing a secure Web app. However, OWASP initially focused solely on the app itself.  Of the six releases since 2003, only the last two releases included the walls and studios, the vulnerable server components, on the OWASP top 10. We’re slow to recognize the importance of the surroundings.

Robert Irwin’s obsession with the surroundings transformed the artist from painter to landscaper. He has gone on to produce more than fifty large scale projects since 1975.

From the perspective of a designer, we must consider how the new capability fits into the existing cybersecurity portfolio and, more broadly, into the organization. We have to replaster the walls. We must make sure it fits in the studio. From the defensive perspective, this makes a lot of sense. A criminal faced with a strong control will look at the environment for other weaknesses and take advantage of gaps. From the usability perspective, Robert Irwin reminds us that how something is seen is as much about the thing as it is about the overall experience.

Security is not the control itself. Security is the surroundings.

Robert Irwin’s Double Blind exhibit at the Vienna Secession, Austria.
Photography: Philipp Scholz Ritterman

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.