Design Thinking Cybersecurity.
Video Transcript
“For not-for-profit CEOs and Boards, cyber security sits firmly on the table as a topic that is, and will become, more important in your governance and management discussions.
This video showcases a design thinking approach to improving cyber security in not-for-profit organisations, in particular those with a mobile workforce delivering services offsite.
RMIT defines design thinking as:
“a process for designing real solutions for real people. It's a fluid, collaborative process that involves dealing with ambiguity and uncertainty.”
A perfect tool for the world we face moving forward.
Cybersecurity.
Cyber security has been traditionally thought of as a technology issue, requiring a technology solution. I have taken a different approach and looked at it as a human issue.
Cyber security protects against cyber criminals using different methods to launch cyber-attacks, including malware, phishing, ransomware, man-in-the-middle attacks, and other methods. A cyber-attack is an attempt to disable computers, steal data, or use a breached computer system to launch additional attacks. Cybercrime is increasing in frequency and scale.
Did you know that employees are the weak link in cyber defences and often the entry point for cyber-attacks?
The reality is employees undervalue the importance of cyber security. They have a low level of vigilance. They don’t see it as a personal problem.
Let’s start by tracking a range of stakeholders on a 2 by 2 with the X axis measuring Level of Concern and the Y axis measuring Level of Vigilance to cyber security.
The bottom left quadrant measuring low concern and low vigilance has too many stakeholders in it.
The design thinking challenge.
Our design thinking challenge is to create a solution that increases the cyber security concern and vigilance of those stakeholders in that bottom left quadrant.
I use the Double Diamond design thinking process. The design thinking double diamond is a tool that can be used to develop and evaluate new products, services or solutions. The two diamonds represent the balance between divergent or creative thinking and convergent or analytical thinking.
Let’s follow the design thinking process through the Discover, Define, Develop and Deliver phases as we seek out a solution for improving the cyber security of those stakeholders with low vigilance and compliance.
1. Discover
I started the discovery phase by interviewing 2 stakeholders – a Board member and a Service Staff member.
I then used the responses from the interviews to create personas and empathy maps for both stakeholders. For the Service staff member I also built a customer journey map that mapped out a day in their work life as it related to cyber security.
From the interviews I quickly discovered that the 2 stakeholders have 2 very distinct sets of needs and that a single solution was probably unlikely. The Board member was more focused on system level issues and solutions whilst the Service Staff Member had needs relating to the use of, and support for, the technology they used every day.
The customer journey map for Service Staff highlighted this distinction. It became apparent that their daily interaction with technology was the greater issue, and potentially offered more scope for a solution that delivered high-impact outcomes.
2. Define
To define our problem statement I used the 5 Whys process to distill the problem statement and created a series of user stories using the “Wants to, Because, But” format.
As a result the design challenge statement became:
“How might we make engagement with cyber security simple and fun so we can improve the digital safety of our team and customers?”
The biggest change from the initial problem statement was the decision to focus on the needs of one particular stakeholder – Service Staff – as they had a unique problem that if fixed would result in a solution that would significantly reduce the original problem.
3. Develop
Now that I had an improved understanding of the specific problem that required a solution I moved to developing a solution.
An ideation workshop was set up using Zoom and the online collaboration tool Miro. The purpose of the workshop was to think creatively about possible solutions. We used the Brain Writing technique, which encouraged participants to generate ideas and then share them with all participants for iteration.
The solution that had the highest number of votes from all participants was described as:
“a program of points and status that you earn when you complete specific cyber security tasks or training modules. Points can be redeemed for $ value gift vouchers and status can be used for performance reviews and promotions.”
We called this idea the “Frequent Cyber Program”.
4. Deliver
To deliver a solution we prototyped the idea using the Qantas Frequent Flyer program as a template. Here’s the initial prototype.
The Frequent Cyber program would be a phone app linked to an employee’s IT profile.
Service staff would be able to earn Frequent Cyber points by completing tasks that improved cyber security. The initial task list for earning points was:
Changing passwords frequently
Updating apps frequently
Flagging potential spam emails when they are received
Using a VPN rather than public or unsecured WiFi
Not storing data in unsecured spaces such as a phone or desktop
Points would be scaled for higher levels of compliance. As an example, changing your password every 90 days earns 10 points, every 60 days earns 20 points, and monthly earns 30 points. Points could be accrued and used to purchase from an employee gift store, which would offer vouchers, goods and services, and charity donation options.
Status credits would be earned by completing online or in-person training sessions on topics about, or relevant to, cyber security compliance. Silver, Gold and Platinum Frequent Cyber status would be linked to performance reviews and annual performance ratings. Promotion to higher roles could also have a Frequent Cyber component.
By incentivising positive behaviours and gamifying the act of cyber security compliance, the Frequent Cyber Program would support the improvement of employee compliance with cyber security.
To test our prototype we used a pivoting framework to ensure our idea was robust.
Pivoting involves running the prototype through a set of 10 pivots that encouraged us to look at our solution in new ways, highlight different parts of the solution, shift our paradigms, identify alternatives, and look for underutilised components or new uses. The Frequent Cyber Program solution is already simple and focused. Whilst the pivoting exercise was interesting, it did not yield any major insights that could improve or change the design.
I also tested the prototype with a Service Staff member, a Manager of Service Staff and an HR Manager to get their initial reactions. In these conversations I identified a potential challenge: management and non-management staff had very different views on the number of points that could be accrued, their value, and the value of any rewards on offer. This challenge would need to be addressed before final implementation.
There is also an extensive existing knowledge base for solutions like the Frequent Cyber Program in the areas of gamification, the psychology behind loyalty programs and the nudge theory of behavioural economics. An initial review of this literature identified a number of theories, ideas, concepts and models that could be used to further enhance the prototype before final implementation.
So there you have it, a design thinking solution for cyber security.
I used the Design Double Diamond framework.
I started with a general problem statement that people were a weak link in cyber security.
To discover more about the problem I interviewed stakeholders, created personas, empathy maps and a customer journey.
This information helped us define the problem into a specific problem statement; “How might we make engagement with cyber security simple and fun so we can improve the digital safety of our team and customers?”
To develop a solution I held an ideation workshop, which produced the idea of the “Frequent Cyber Program”.
To deliver the solution I prototyped the program and tested it with stakeholder feedback, a pivoting review, and a review of existing literature.
I think the “Frequent Cyber Program” has merit and could significantly improve the level of vigilance of employees around cyber security. What do you think?
If you want to discuss more about how design thinking can be used to create solutions to some of your organisation’s future challenges and opportunities message me on LinkedIn or visit my website at insight & foresight.
Have a great day."
Video prepared as final assignment for TRMIT DTR101 Design Thinking for Innovation Course.