MinterEllison is re-examining cyber security “interventions” in business processes through a user experience lens, which has led it to provide users with more context about why an alert was triggered and a faster process to overturn any false positives.

Head of cyber and information security Sunil Saale told IQPC Australia’s cyber security A/NZ online series that the law firm is applying both user-centred design (UCD) and continuous improvement (CI) to its cyber security tooling and practices.
Saale said the IT security team wanted to limit its “interference” in the day-to-day business processes of users.
“If a cyber security product is poorly designed, and we put that into a user’s workflow, it results in a poor user experience,” he said.
“If you look at any technology or any process that starts interfering with the user’s business processes, they will seek out different options just to meet their deliverable or to bypass it.
“If they’re bypassing [the tool or control], you’re probably at a higher risk than you were [when not] using it.”
Saale said that cyber security incursions into day-to-day processes risked creating “poor user sentiment” aimed at IT security.
“As and when we start interfering in the user’s or business’s processes, it results in a very poor sentiment,” he said.
“They think, ‘These guys are deploying products without any empathy for how we do our jobs on a day-to-day basis’.”
Saale said that through a UCD process, MinterEllison had determined to offer users more context as to why a cyber security tool injected itself into their workflow.
He said existing tooling sometimes offered block screens or pop-ups with incomprehensible error or alert codes.
“A normal user outside of cyber security has no idea what that is,” Saale said.
“The design needs to change. We need to give context about it and educate the user.
“When we block a particular webpage, [we need to] tell them what it’s about.
“When we interfere in a business process, we [need to] tell them why we’re interfering and what is the benefit for the overall firm.”
Saale said the firm ran continuous improvement over its website unblocking process, shaving several steps and hours off what would otherwise be an interruption to a staffer’s hunt for information.
If a user came across a blocked website that they legitimately needed access to, they previously raised a ticket in ServiceNow.
The IT helpdesk then contacted the user for more information to update the ticket; the user then needed a partner’s approval; and finally the ticket ended up in an IT security queue for permanent unblocking or perhaps just temporary access rights.
“Typically this process was taking between two and four hours, and it’s a stop in the user’s process - they want to consume particular information and we’re interfering in that process, so it was causing a lot of disruption,” Saale said.
After running this through a continuous improvement process, the company cut out several steps and saved users substantial time.
“We created a ServiceNow form, and as soon as the user sees a blocked page, they go to ServiceNow, they enter all the details that they can, and that initiates a workflow,” Saale said.
“It sends off an email to the partner, it fires off another email to IT security. Everyone’s copied on the emails as well. We just reply ‘approve’ and it goes to helpdesk to register access.
“So we have reduced about three steps in there but more important than that we have reduced the turnaround time.
“That’s really important because with this process, the user doesn’t mind spending 10 minutes as opposed to spending two hours on a particular process just to get a website unblocked.”
A further improvement was made whereby users are displayed statistical and other context on why a cyber security tool had intervened in work they were doing.
“When we block a particular website or hold off an email, we post stats to educate the user as to why we’re blocking a particular website,” Saale said.
The stats might show, for example, the high number of email attachments that are sandboxed and checked by MinterEllison every day, or how many websites are blocked versus freely accessible through the company’s corporate environment.
“When my email is delayed, if this particular stat is surfaced up and published, the user will have an appreciation about the product that we use … and about why we interfered in the process and what the value [is],” Saale said.
“Or when we block a particular website, a user might think ‘why is IT blocking so many websites?’
“When we look at the stats, they tell a different story. Of the 280 million websites we scan and allow, we only block about 10 million. That gives a different context to the user.
“It’s not that we’re blocking every website and trying to interfere in every process.
“It’s only when we have strong signals to block we go and block it, and if there is a false positive there’s an easy way for the user to unblock it as well.”