Tina Lindgren and Johan Thulin presenting at Paranoia 2019, a Nordic cybersecurity conference.Fotograf: Mark Stegelmann

A more creative security process using Design Thinking

Johan Thulin, senior consultant in Cyber Security at Combitech, reflects on how security can become a natural part of projects. As well as how an organization can develop a product or system where security doesn’t get in the way. Can Design Thinking contribute to a solution?

Security is one the biggest challenges in a connected world. We are constantly reminded of this by any number of publications that describe attacks against connected devices. At the same time my colleagues and I – who work with information security – often have knowledge of how to make that system secure, or prevent the attack that was described in a given article. So how can it be that security remains a large challenge and a limiting factor, one that sometimes even limits our abilities to fully utilize the potential of digitalization?

There are naturally many reasons, and I’m not going to claim that I have all the answers, neither about the nature of the problem nor the solution. I have no silver bullet, and I’m certainly no Arya Stark in Game of Thrones, who can dispatch an army with a single thrust of a blade. Be that as it may, I do think that the pathway to a solution is that we discuss and expose the problem.

Security tailored to an organization

I’ve often wondered why security is so seldom baked into projects right from the beginning – leaving security to be something that pops up at the end because some regulation requires it. Naturally, there are several reasons. Sometimes it’s because the project owner avoids touching security issues until he or she is absolutely forced to. But often I think it’s because we simply choose a simpler solution and just point towards a collection of security requirements, such as in a standard. I’ve even heard security experts ask very early in a project  to see a complete system description, or ask if an information inventory has been conducted… neither of which exists so early in the process, of course.

We security experts tend to be seen as – and to take on the role of – auditors, not as constructive problem solvers and system builders. I believe we must all be better at adapting ourselves and working under existing circumstances. Early in a project, it might be sufficient to establish the things that are so obviously good to have, such as encrypted messaging, or to authenticate all users, and so forth. And then as the solution develops and takes form, we can add details and make things more concrete.

As I see it, we security experts have to work at finding solutions that enable, rather than limit or constrain. That’s what I often hear from customers… that they don’t want that absolutely secure system that will withstand every possible threat and problem. What they want instead is a system that is adapted to the organization’s true threat profile.

Creativity + security with Design thinking

For my work, in order to inject security early on and create engagement, I recently tried working with a design team that uses the Design Thinking method. This proved to be a way to get security ideas into the early design phase.

The method builds on three points:

  • Capture the users’ desire for security (through Design Thinking).
  • Don’t be a nay-sayer, and create a more inclusive and solution-oriented working atmosphere.
  • Design better security by daring to try new solutions to old problems.

Our first challenge concerned getting users to describe which security functionality they actually wanted. We chose to survey users’ needs with the help of User Journeys and discovered that it was rather easy to complement these with statements about what the users didn’t want to happen. For example, if users say they “want to use their mobile phones to open and start their cars”, we could build out this statement with “only my own mobile phone can open and start the car”. The functional requirement then also became a security requirement. This creates a function that users actually think is important, and can relate to, even if it’s nothing that they would instinctively mention – probably because they consider it obvious.

To achieve this kind of dialogue with users, we quickly realized that there are communication challenges. My colleagues and I are used to talking with security experts and developers using words like “requirement satisfied” or “authentication token”. We had to re-school ourselves, so that we could understand each other and have a constructive dialogue.

What I also noted was that requests or limitations often had to be stated at a high level for users to be able to relate to them. We could seldom formulate a solid, clear security requirement directly based on user requests, because then we would have a big heap of them. So we utilized a middle ground, where we formulated one or more security objectives based on the functionality desired by the users. These objectives can be viewed as high-level requirements, or just as objectives, formulated in a way that is understandable to users, and that explains the purpose of the security functions we later will have to develop.

The principal of Design Thinking is to understand the true problem that a product should solve, and then use an iterative process and prototypes to test , and find the best solutions. I believe this method should be useful in identifying better and more effective security solutions. It’s about finding that happy medium, where the users’ requirements and desires also mean something.

Searching for a new mindset

It might be possible to build a system that is completely secure, but at the same time is completely unusable, or a system that is extremely easy to use, but isn’t secure at all. But I would like to challenge that ordinary view that you have to compromise. Can’t we find a third way and a common mindset, where security experts contribute to more and better functionality, as well as value beyond just security? We have to ask ourselves what we need to carry this out, and for my part I believe it’s about being better at identifying threats and risks. What do you think?

Would you like to learn more?

Johan Thulin supports and advises Combitech’s customers on information security. At Paranoia 2019, the Nordic cybersecurity conference, he and Tina Lindgren,senior consulant in cyber security and phD in information theory, presented on creative thinking in security work. For further information, see contact cards.