Training video 1: CES Basics
In this case study, you'll see my process for addressing a customer problem, from problem framing to user research to concept to design to testing to deployment.
This case study describes a feature called Component Expert System (CES) that was developed for the IRM Analysis SaaS application, part of Clearwater Compliance's suite of SaaS apps ("IRM Pro") that help healthcare organizations perform cybersecurity risk management. These apps help keep patient information secure and the healthcare organization in compliance with government regulations.
Understanding Risk Management
Organizations use many digital systems and devices, many of which contain (or have access to) health information of patients and other protected information that is at risk of unauthorized access, theft, misuse, or loss.
Organizations use risk management software to keep track of all their assets and the status of the controls (mitigations) used to protect those assets.
The challenge is that there can be thousands, or even millions, of combinations of Asset, Threat, and Control to manage.
How I Got Involved
I was the first UX hire at Clearwater, which had never had a UX practice before. Product managers, business analysts, and developers were designing UX for their SaaS products.
Situation
Customers using IRM Analysis were falling short of their Risk Management goals for:
Completeness of Risk Analysis
Response Planning
Response Implementation
Customer’s risk management data was prone to errors and inaccuracies.
IRM Analysis users had too much work to do in the software and not enough time to do it.
Action Plan
Conduct quantitative and qualitative user research to understand causes of problems and define areas to focus on
Hypothesize effects of different solutions
Prototype solutions and test hypotheses with users and experts
Design final solution based on outcome of tests
Test and revise final solution via usability tests and data analysis
Roadblocks
Clearwater had never conducted user research before and depended on anecdotal evidence from risk consultants, support staff, etc for tackling UX problems.
Needed to convince Clearwater staff to base strategy and decisions on evidence gathered through research and not on their own intuition.
Tasks 1 (What I Did)
Conducted contextual inquiry field study onsite at large customer. I summarized findings in a report and presented the findings to stakeholders, including Product Management, Engineering, and SMEs.
Worked with SMEs to analyze customer risk management data and create a strategy for solving the problems found.
Created hypotheses to test via prototyping.
Overcoming Roadblocks
I convinced my boss, the Chief Product Officer, to allow me to tag along with 2 Clearwater risk consultants who would be helping a large customer perform a risk analysis onsite. I was able to conduct my UX field study during that week.
Problems found via Research
After reviewing user research findings and analyzing data with SMEs, I determined that the core of the problem was in component grouping.
As shown here, Assets (e.g. a Billing System) contain Components (e.g. a server) that are placed into groups with other components that have the same risk profile. This allows users to manage risk for many components from multiple assets as a group, saving time and making risk management more... manageable!
Problem: Difficult to differentiate component groups, and thus to decide into which group a specific component should be placed. Especially: No risk profile properties are associated with each group, e.g. operating system used by a server.
Problem: Risk of placing components with different risk profiles in the same group.
Problem: Grouping is a post-process -- No way to group components when their Asset is first inventoried (when information is freshly in mind).
Problem: Risk managers were using spreadsheets to manage grouping data (!) and then importing it (or rekeying it) into IRM Analysis.
Problem: Only risk managers were actually using IRM Analysis, even though the work could easily be distributed, such as to asset SMEs
Problem: Time-consuming audits and rework due to above problems
Hypotheses
Now that the problem was defined, I hypothesized about the effects of different solutions. These hypotheses then guided design and could be tested with prototypes.
Letting users attach risk profile data to each group will increase speed & accuracy of risk analysis.
Allowing grouping at asset inventory time will save time for users (no need to reestablish context).
Allowing additional users (e.g. Asset SMEs, Vendors) to use asset inventory and grouping features will decrease time required for risk analysis.
Risk profile data attached to groups will enable auto-grouping of components and auto-recommendations for creation of needed groups.
Increased accuracy and time saved by above changes will allow clients to get closer to reaching Risk Management goals.
Tasks 2 (What I Did)
Collaborated with users, product managers, and SMEs to devise overall solution.
Designed, tested, and revised UX wireframes and prototypes to test hypotheses.
Delivered final solution to development team and stakeholders via interactive prototypes and annotated mockups.
Created a series of training aids and videos, targeted at new users (e.g. Asset SMEs) who are not risk managers to help them understand how they can help with risk management using IRM Pro.
Results 1: Usability Testing
Users successfully completed 100% of assigned tasks in usability tests using new solution.
Positive user feedback on understanding the solution and ease of use.
Users reported increased confidence in IRM Pro and increased productivity.
Users were excited to eliminate spreadsheet usage for risk management.
Results 2: Analytics
Number of component groups increased by ~50%
Assets per group dropped by ~30%.
Number of groups containing assets with differing risk profiles dropped from ~10% to <1%.
Number of users using IRM Pro increased by close to 1000%.
Time to reach risk analysis goals decreased by 43%.
Clients were able to increase progress towards risk coverage goals by an average of 68%.
Training video 1: CES Basics
This is the first in a series of training videos I created for the new CES feature, targeted at those new users who hadn't used the software previously. The video describes the basics of managing risk using Component Groups in IRM Analysis.