Cyber security needs user research

Written on 19 August 2016

I recently attended an enlightening Cyber Security Tech Forum hosted at Canada House. The key focus of the event was Issues and Responses in Cyber Security, and it was sponsored by CGI and Blackberry.

My attendance initially was driven purely by personal interest, as cyber security is not something we usually equate with user research and design. However, as the event unfolded and the experts warmed to the subject, I was soon to learn how great a part we could all play.


Paul Clarke (MD, Xenubis) opened the session by declaring that the cyber security landscape has changed and “defence mode is now attacked mode”! This started me considering the four broad elements that contribute to cyber security:

  • The attacker
  • The consumer/defender
  • The device/touch-point
  • The infrastructure

As the discussion progressed, Christoph Erdmann (MD, Secusmart GmbH) warned that current industry efforts to provide greater security were focused at the application layer, which is like “building castles on sand” – a foolhardy idea!

Thinking about the image of sandcastles prompted my imagination to consider human behaviour in battle throughout history. As an example, let’s look at medieval times for a second… based on the above elements we have a castle, which is the infrastructure, and weapons, which are the devices/touch-points. Now, combine those two elements and you have a potential recipe for disaster, but only when the human element enters. By nature, humans will defend or attack, whether that be on the battlefield or online, but as the Chinese general Sun Tzu said, the “best defence is a good offence”. This brings us back to Paul’s original comment that the most effective strategy to defend against cyber attacks is to adopt an attack mindset.

Andrew Rogoyski (Head of UK Cyber Security Services, CGI) and Prof Jim Norton (moderator) emphasised that to prepare ourselves for battle – “we need to know more about the user (attacker), their human behaviours and the psychology behind their decisions.”

And how do we learn more about users? Simply through in-depth, targeted user research.

In the above scenario, the more the defender understands about the attacker and their behaviour, the greater success they will have in surviving! In summary, it is vital, whatever the situation, whether that be on the physical battlefield, combatting cyber-attacks or designing products and services, that you understand all that you can about user types and their behaviours.

Here at Tobias & Tobias, we employ many techniques to fully understand user behaviour, including such activities as contextual interviews, user observation and behavioural analysis, and usability testing. These research activities provide the building blocks for us to define and design services that people love to use.

Find out more about Tobias & Tobias UX research capabilities and services.
