Phishing is one of the leading causes of security breaches because it targets people rather than software. It is notorious for the shady email from a Nigerian prince, but it more commonly looks like a message from a coworker with an attachment you were expecting. Once downloaded, that attachment may not be the “Big Spreadsheet of Bonuses” you thought it was, but malware instead. Yikes!
Duo Security’s mission is to democratize security, so we wanted to build a simple and free phishing tool for IT administrators to evaluate their employees’ risk.
Before designing anything, I worked with my Product Manager to research and define our user personas’ goals when it comes to phishing simulations.
Gary is an IT Administrator who is concerned about phishing attempts against his small organization. He hasn’t had time to evaluate tools that would help him, because getting value from them takes too long: setting them up and waiting for reports are both slow.
Brian is an IT Director who works in security at a larger organization and wants to assess how susceptible his end users are to phishing in order to drive security awareness. He wants to run a phishing simulation and show the results to his CISO (Chief Information Security Officer), so they can move towards adopting a 2FA (two-factor authentication) solution.
I looked at existing phishing tools to see what a typical simulation looked like and the messaging that an IT Admin would be familiar with, as well as assessing what worked well and what didn’t.
Competitive Usability Testing
The user knows best, so I worked with our Design Researcher to conduct a round of 5 usability tests on a competitor’s product to gather extra insights to inform my designs.
Two Distinct Parts
1. The creation of the campaign
2. The results of the campaign
To avoid locking myself into a specific design too early on, I wrote out the crucial steps on sticky notes and re-arranged them until they made narrative sense.
I then iteratively added in-between steps to iron out the transitions between each major checkpoint.
Once I had settled on a workflow that felt alright, I made a wireframe prototype of the first part - the campaign creation workflow.
The final report of the phishing campaign results had a few goals.
How is the campaign going?
These phishing campaigns would run over a period of time, so there needed to be a way to communicate how it was going.
The boss wants to see results.
After the campaign was over, the IT Admin or Director would report the results to the CISO so they could decide, based on the information, what to do moving forward.
Leads, Leads, Leads!
This free tool had another purpose: provide our marketing and sales team with leads for potential paying customers of Duo’s 2FA security product.
Based on these goals, I knew a dashboard of some kind would be needed. So I pulled inspiration from other dashboards, data visualizations, and infographics of any kind - finance, sports, life-logging, security, etc. Then I began wireframing.
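The report has to answer both “how is it going” while the campaign is running and “what happened” once it is over. As an added example, not code from the original post or from Duo’s tool, here is a small Python model of that report. It assumes (my assumptions, not the post’s) that each recipient gets a unique, unguessable tracking token in the lure link, that the simulation server logs “sent”, “clicked” and “submitted” events per token, and that a recipient is counted once at the furthest stage reached, so repeat clicks, guessed URLs and unknown event types do not inflate the phish rate. The sample campaign data is constructed.

```python
"""Campaign report for a phishing simulation.

Added example, not code from the original post or from Duo. Assumptions (mine,
not the post's): each recipient gets a unique unguessable token embedded in the
lure's tracking link, and the simulation server logs one event per token for
"sent", "clicked" and "submitted" (credentials entered on the landing page).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

# Funnel stages in order; a recipient's result is the furthest stage reached,
# so a second click, or a submit without a logged click, does not double-count.
STAGES = ("sent", "clicked", "submitted")
RANK = {stage: i for i, stage in enumerate(STAGES)}


def new_token():
    """Per-recipient tracking token; unguessable so nobody can inflate or
    spoof another recipient's result by editing the link."""
    return secrets.token_urlsafe(16)


@dataclass(frozen=True)
class Event:
    token: str
    stage: str
    at: datetime


def furthest_stage(events, tokens):
    """Return {token: furthest stage reached, or None} for the campaign's recipients.

    Events with an unknown token (e.g. a scanner hitting a guessed URL) or an
    unknown stage name are ignored rather than counted as a phished user.
    """
    result = {t: None for t in tokens}
    for e in events:
        if e.token not in result or e.stage not in RANK:
            continue
        current = result[e.token]
        if current is None or RANK[e.stage] > RANK[current]:
            result[e.token] = e.stage
    return result


def report(events, tokens, as_of=None):
    """Campaign numbers as of a timestamp (progress view) or overall (final view)."""
    if as_of is not None:
        events = [e for e in events if e.at <= as_of]
    stages = furthest_stage(events, tokens)
    reached = Counter(s for s in stages.values() if s is not None)
    # Cumulative counts: a recipient who submitted also clicked and was sent.
    sent = sum(reached[s] for s in STAGES)
    clicked = reached["clicked"] + reached["submitted"]
    submitted = reached["submitted"]
    return {
        "recipients": len(tokens),
        "sent": sent,
        "clicked": clicked,
        "submitted": submitted,
        "phish_rate": clicked / sent if sent else 0.0,
    }


def sample_campaign():
    """Constructed sample data (not real results): five recipients, one
    repeat clicker, one who entered credentials, plus noise to be ignored."""
    t0 = datetime(2017, 2, 13, 9, 0)
    tokens = [new_token() for _ in range(5)]
    a, b = tokens[0], tokens[1]
    events = [Event(t, "sent", t0) for t in tokens]
    events += [
        Event(a, "clicked", t0 + timedelta(minutes=30)),
        Event(a, "clicked", t0 + timedelta(hours=3)),     # repeat click, counted once
        Event(b, "clicked", t0 + timedelta(hours=2)),
        Event(b, "submitted", t0 + timedelta(hours=2, minutes=1)),
        Event("not-a-real-token", "clicked", t0 + timedelta(hours=1)),  # guessed URL, ignored
        Event(a, "opened", t0 + timedelta(minutes=29)),   # unknown stage, ignored
    ]
    return events, tokens, t0


if __name__ == "__main__":
    events, tokens, t0 = sample_campaign()
    print("after 1h:", report(events, tokens, as_of=t0 + timedelta(hours=1)))
    print("final:   ", report(events, tokens))
```

The progress view is just the final computation restricted to events up to a timestamp, which is what a mid-campaign dashboard would poll; the final view feeds the numbers an admin would take to the CISO. Keying everything on a random per-recipient token is what keeps the results trustworthy: a curious user cannot mark a colleague as phished by guessing their link.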
Once I was feeling confident in the design direction, it was time to put it to the test. I made a prototype of the full process of creating a phishing simulation, then conducted five 30-minute usability tests with IT Administrators - some were our customers and some weren’t.
1. Identify areas of confusion on the interactive prototypes for the phishing drill tool.
2. Validate areas where the paths are obvious and messaging clear.
3. Gather information about the usefulness of the resulting campaign report data – strengths, weaknesses, omissions, etc.
After testing, I iterated on the prototype to fix the problems encountered during testing. The developers had already begun building the product, so I worked with a visual designer to polish the design details, and the changes were implemented with a quick turnaround.
We demoed the phishing tool at RSAC Security Conference 2017 and kept a weekly pulse of usage statistics, like how many campaigns had been created and how many people were phished. Later on, this standalone tool was incorporated into Duo's Administration Panel so that our paying customers could run phishing campaigns using the same users already in their Duo account.