Cyber Risk Reports

Paladin Cyber’s Shield secures companies against ransomware and other common attacks by layering critical protections into one easy solution. To keep the business secure against cyber threats, the company needs to have an overview of all of the risky actions that its employees take and instructions on how to handle them.

The most important part of making companies more secure is always keeping an eye on what is happening in your organization. Does everyone finish their training? Are there any employees that don’t know how to recognize a phishing email? This case study presents the report that has been built for the admins of the company to assess these risks and keep their companies safe.

Disclaimer: To comply with my non-disclosure agreement, I have omitted and obfuscated confidential information in this case study. All information in this case study is my own and does not necessarily reflect the views of Paladin Cyber.

-01 INTRO

My role

This is a project that I worked on in 2019. I led the design process of this project from the initial kick-off to the final deliverables. For this project, I collaborated with the rest of the product team and with the main stakeholders, holding weekly reviews of the progress. After the design was finalized, I supported the engineering team during the implementation.

-02 PROBLEM STATEMENT

Cyber Readiness Level

Our promise is that we will keep your business secure. For that to happen, we need you to use the tools provided and train your employees to identify danger and avoid cybercriminal tactics. That, in turn, requires that the person responsible for administering this task has an overview of the general Cyber Readiness Level, recommendations on what needs to be done to improve, and the actions that are taken by the employees.

-03 PROJECT GOALS

What do we want to achieve?

The goals of the project are:

-03 SOLUTION

Dedicated report for the admin

The solution that we came up with was to create a dedicated report where the administrator can see at a glance where their company stands in terms of cyber readiness and how to improve it. Some of the things that were considered while working on this project:

-04 PROCESS

Design process

Each project is unique, so my process differs as well. The illustration presents the standard process that is followed by my team, but let’s see how it went for this particular project:

  1. Discover - This step covers the user research, where we observed the behavior of the user to get a clear idea of the challenges they face with the current implementation, and the stakeholder interviews, which gave us a better understanding of the business needs.
  2. Define - At this step we researched our competitors to understand the market, and we analyzed the materials gathered during the discovery phase to come up with a list of key findings and requirements.
  3. Ideate - With a clear problem statement, the team gets together and discusses all the ideas and potential solutions.
  4. Prototype - This is a very important step that starts with the flow diagram and the low-fidelity prototypes, and ends with the final high-fidelity designs. In the final steps, the designs are discussed with the rest of the team in order to gather feedback and improve.
  5. Test - To make sure that the design is functional and clear for the final user, we performed a semi-structured usability test.
  6. Deliver - Create the deliverables for the engineering team and support them through the development with additional information.

-05 DESIGN THINKING

Solution breakdown

The report starts with the general Cyber Readiness score, which is detailed in the rest of the report. We associate a color and a risk level with this score so that the user can understand exactly what it means. Next to it, we present a list of actions that the user can take in order to improve that score. We wanted enabling a feature to be very easy, so pressing the button enables it.

What happens when all of the features are enabled? What will the “Improve readiness” section look like in that case? That section will never be empty - we added some general tips for the admin on what should be done outside of the system to keep their company secure.

The next section presents high-level information regarding the actions of the employees. There is no point in the admin enabling all of the features in the toolkit if the team does not use them. That is why the admin can see here an overview of the number of users who are using Browser protection and Inbox protection, and the number of users who performed risky actions.

You can notice that the stats present the change that took place since the last month - the admin can see if there has been an evolution 👍 or a regression 👎 and act a.

The report continues with a detailed component of each one of the items that contribute to the general score. Let’s take a look at these widgets:

Another component present in the report is the phishing simulation results. The employees of the company are tested with phishing emails and the admin can see the overview of the results and go into more detail to identify the users that committed these mistakes and need more training.

For the case in which the feature is disabled, we have a special visual treatment that calls the attention of the admin. Additional details are also provided on why the feature is needed and how it will help the company with regard to its security.

There are some exceptions among the employees where nothing else can be done on the platform to help them, so the admin needs to intervene offline. For example, employees that keep failing phishing tests definitely need additional help. We want to help the admins prepare for these discussions, so we provide them with concrete examples and explanations that they can use in these additional training sessions.

-06 CONCLUSIONS

The results

After implementing the report in the product, we saw an improvement in the time admins spent interacting with the platform. A considerable number of users, after receiving their monthly email reminding them about the report, would open the platform and study the results. Besides that, we saw an increase in the reminders sent to the employees, the completion rate for the training, and the usage of the tools offered.