Service Design is a tool that can improve the efficiency of security solutions.Business Security Best Practices, Latest News // 16.03.2016
Here at Business Security Insider, we mostly discuss the latest threats, anatomy of attacks, and the security measures needed to prevent them.
However, we rarely discuss the actual development of security software. Naturally, a lot of it goes back to the nuts and bolts that researchers, analysts and security experts create in the labs and in the field, and to the developers who then implement it. Yet is there anything else to it?
Whatever technology you have under the hood, it is only as good as the person handling the daily administration. If they are burdened with too much information and false positives, they might miss the alert of a legitimate attack. Plus, investigating all those false positives is also prohibitively expensive, increasing the total cost of ownership (TCO) of security.
Thus, if the security management processes are not designed well enough, it will take more time and increase the risk of human error, which will then need to be corrected – wasting even more time – or at worst, create security vulnerabilities that can be leveraged by attackers.
This is where Service Design steps into security software development. So what is Service Design? In essence, Service Design is a form of conceptual design that involves using many cross-disciplinary tools like interaction design, process engineering, UI development and careful analysis of user needs and experience. The purpose of Service Design is to make the service you deliver more useful, intuitive, efficient, and effective.
This is especially important for complex systems like security software portals, which have high information density. Lots of complex technical information is packed into one portal, with a large variety of possible actions and options based on this formation.
Thus, it is imperative that the system supports the IT admins by presenting only the relevant technical data and status/feedback information. Of course, the necessary actions also need to be presented in an intuitive and easy-to-use manner. Taken together, Service Design provides several benefits:
So how does this show in the software implementation itself? A good example is a process that automatically guides you to manage the right target organization or group, without having to look for them manually. This makes a lot of sense for admins who manage separate organizations or office groups, because they receive only the relevant information and actions related to that specific organization or group.
By designing the processes in this manner, we can increase the efficiency of administration, but also ensure that the IT admin doesn’t, for example, accidentally configure a production machine to use similar security settings than say, the marketing department. Naturally, it is important to make sure that switching from one scope to another works smoothly.
In addition to always working in the right scope, the design of the portal has to make all the relevant security management tasks as easy and efficient as possible. For example, in the case of installing the latest software patches for a number of different devices. Rather than having to spend a lot of time figuring out which devices are missing which updates, a cleverly designed and engineered process will readily provide that information for the admin, significantly increasing the resolution time of the task.
You also need to communicate with the person using the software, by providing them the right information at the right time. This means that the design of informative messages and dashboards has to ensure that they are available when needed (but not disruptive to work), descriptive, and easy to understand, giving the admin a good understanding of what is happening.
So for example, feedback messages should be shown whenever the tasks have succeeded, if there’s an error, or as the process is still ongoing – or if there are important things that you need to react to. This ensures that the admin is not flooded with information or distracting notifications, but rather, has all the relevant information they need to make educated decisions on what to do next or what is happening during a process.
Consequently, the admin feels more on top of the whole situation, makes better decisions, and is less prone to make errors or ignore a key piece of information.
As the security landscape is becoming more complex and harder for people to manage, it is only natural for us to utilize all the possible tools at our disposal to find more efficient solutions to handling it.
As such, Service Design is another tool for us that can improve our solutions and the efficiency of using them – and by extension, the amount of security they provide to users.
by Tomi Jokitulppo, F-Secure UX Lead.