The Field:
Cybersecurity Interaction Design
A Path for a Better “Data Protection” and “Privacy” in the World
The field of "Cybersecurity Interaction Design" is focused on the specialized practice of designing the user experience for digital products, applications, and solutions for the protection of computer systems, networks, servers, and databases from data disclosure, theft and destruction.
Today, “Cybersecurity” and its broader field, data protection, are critical processes used to protect online identities, data, privacy, and other sensitive assets. Data protection involves protecting the ‘online presence’ (data, identity, assets), while cybersecurity focuses on protecting networks, computer systems, other online components, and the data stored therein from unauthorized access.
"Interaction Design", also known in the industry as "User Experience Design" or "Product Design", consists of a group of technical skills needed to create new digital products with the goal of improving the efficiency and usability of their software Graphical User Interfaces (GUIs). Specifically, Interaction Design is a fundamental process essential for the design and development of state-of-the-art human-computer interactions critical to the functionality of digital devices, including touchscreen, gesture, and speech interfaces.
Interaction design is unique among STEM disciplines because it focuses on how digital products interact with users: how they work and function, and how intuitive and effective they are for the people using them. Successful interaction designs generate high customer satisfaction, larger adoption, and greater retention, all of which substantially improve business outcomes from both a revenue growth and a brand visibility perspective.
Steve Jobs, the co-founder of Apple, once described the essence of design in technology through the following quote:
"Some people think design means how it looks. But of course, if you dig deeper, it's really how it works. The design of the Mac wasn't what it looked like, although that was part of it. Primarily, it was how it worked. To design something really well, you have to get it. You have to really know what it's all about. It takes a passionate commitment to really thoroughly understand something. Most people don't take the time to do that."
Another famous technology and design saying is: “Good design is good business”. Coined by then-IBM president Thomas J. Watson Jr. in his 1973 keynote speech at the University of Pennsylvania, this saying has since become the mantra design experts use in boardrooms to stress the important role of technology design in business operations.
Because interaction design ultimately determines how people interact with computers, and with information and communications technology more broadly, it is of profound economic, business, and cultural importance. Simply put, interaction design determines the ‘value’ of a communication service to its users, and the quality of experience they have when using it.
Therefore, interaction design is the most important aspect of the customer experience (UX) process, because it acts as the front-line gatekeeper of a product, solution, or service, and also as its marketing machine for every single consumer and user. Steve Jobs also said, “You've got to start with the customer experience and work backwards to the technology. You can't start with the technology and try to figure out how to sell it."
For example, the user-friendly and simple interaction design of the Microsoft ‘Windows’ operating system (OS) was the single most important feature which propelled, and has sustained, Windows OS as the dominant market leader in the computer desktop space. As of June 2021, Microsoft Windows controlled approximately 73% market share of the worldwide computer desktop OS space.
Likewise, and more recently, the advent of Apple’s touchless iPhone, iPod, iPad, Apple Watch, AirPod, and other IoT (‘internet-of-things’) technology products has quite literally revolutionized the entire modern world through the Apple product lines’ sleek, seamless, and user-friendly interaction design. These new Apple consumer product lines not only disrupted the legacy business communications industry by overcoming former market leaders such as BlackBerry, which could not match the success of Apple devices in terms of interaction design; Apple’s interaction design of its ‘i’ line of products has also influenced our modern culture and essentially how we live our lives: how we interact and communicate, how we consume media, how we exercise, and how we consume, work, spend our down time, and socialize.
In the last 10 years, Interaction Design has become pivotal in solving some of the biggest issues in IT, targeting the most critical sectors including healthcare, finance, transportation, and retail, among others. One of the most difficult challenges during these recent years has been conditioning and normalizing the modern world to increasing digital transformation while providing proper online security. The design and development of data protection and cybersecurity applications by experts is the only way to preserve the data assets and privacy of people as well as businesses, organizations, industries, governments, and sovereign nations.
Deloitte’s 2021 article, “Report of Impact of COVID-19 on Cybersecurity”, makes the following finding:
"The coronavirus pandemic has created new IT design challenges and risks for businesses as they adapt to the ‘new normal’. As a result, companies and governments around the world, while accelerating their digital transformation, are raising cybersecurity as a major concern.
An example of criminals exploiting the cybersecurity weaknesses in remote working has been the series of cyberattacks on video conferencing services. Between February 2020 and May 2020 more than half a million people were affected by breaches in which the personal data of video conferencing services users (e.g., name, passwords, email addresses) was stolen and sold on the dark web."
In other words, cybercriminals are increasingly targeting Personally Identifiable Information (PII). PII records are incredibly valuable because this sensitive information can be used to steal identities for fraudulent and other nefarious purposes. Even information as innocuous as an email address can be used to create fake online accounts in an unsuspecting victim’s name. Examples of PII records include full names, email addresses, contact numbers, addresses, social security numbers, tax identification numbers, banking and/or financial information, and related data that aids in the identification, verification, or validation process, such as unique answers to security questions.
It comes as no surprise that in the last decade, cyberattacks have collectively leaked hundreds of millions, if not billions, of PII records, including the following notorious cases of major cybersecurity breaches:
eBay - one of the largest online e-commerce platforms in the world - suffered a crippling cyberattack in 2014 resulting in the leak of 145 million user records. The leaked data contained email addresses, birth dates, encrypted passwords, mailing addresses, and more personal information of eBay users. According to The Guardian, “Exposure of personal information such as postal addresses and dates of birth puts users at risk of identity theft, where the data is used to claim ownership of both online and real-world identities. Users are also at risk of phishing attacks from malicious third-parties, which use the private details to trick people into handing over a bank account, credit card or other sensitive information.”
Equifax - one of the largest of the four major credit reporting agencies in the U.S. - faced an unparalleled data breach of PII in 2017 when cyber attackers successfully stole hundreds of millions of highly sensitive and confidential records of individuals in the U.S. The breached PII data included names, addresses, social security numbers, driver’s license numbers, and much more. Alarmingly, 200,000 of those records also included credit card numbers, making it the worst data leak in history. All told, this breach victimized approximately 143 million U.S. individuals, or over 40% of the entire U.S. population.
Starwood Hotels and Resorts - now owned by Marriott International - became the next major victim of cybercrime in late 2018 when it announced it had suffered a significant cyberattack resulting in the leak of hundreds of millions of customer records. The attack came to light on September 8, 2018, when an internal security tool reported suspicious attempts to access Starwood’s internal guest reservation systems.
By November 2018, cybercriminals had extracted almost 500 million guest records, making this incident the second-worst cyberattack in history involving the theft of PII. The leaked data included names, email addresses, phone numbers, and other sensitive information such as credit card and passport numbers, with disastrous impacts on the lives of innocent people and families.
Most recently, the U.S. Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) released a cybersecurity public service announcement in 2019 finding that $26.2 billion was the estimated total domestic and international loss collectively reported between June 2016 and July 2019. The FBI warned that the ‘business email compromise scam’ was carried out by subjects who compromised legitimate business or personal email accounts through social engineering and computer intrusion in order to conduct unauthorized transfers of funds. See Id.
For FY 2022, the President of the United States has proposed earmarking $58.4 billion of IT spending for civilian federal agencies, to be spent on delivering critical citizen services, keeping sensitive data and government systems secure, and furthering the vision of a more digitally secure U.S. Government. See Id.
Furthermore, in 2020 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet in response to “a significant number of ransomware incidents including recent attacks against a U.S. pipeline company and a U.S. software company which affected managed service providers (MSPs) and their downstream customers”. See Id. The CISA fact sheet further stated that: “Malicious actors increasingly exfiltrate data and then threaten to sell or leak it—including sensitive or personal information—if the ransom is not paid. These data breaches can cause financial loss to the victim organization and erode customer trust.” See Id.
In 2021, U.S. cybersecurity attacks on key infrastructure critical to national security have brought this issue front and center. The May 07, 2021 cyberattack on Colonial Pipeline effectively shut down 45% of all U.S. pipeline infrastructure transporting gas to the East Coast. This emergency caused immediate spikes in the nationwide retail price of gasoline for everyday Americans as the media extensively covered the shutdown of retail gas stations and panicked queues of cars lining up for gas, reminiscent of the 1970s oil embargo. This gas shortage panic rippled through the South and up the Eastern Seaboard to the entire East Coast, including vast areas of the American Northeast. This incident led President Biden to declare a national state of emergency on May 09, 2021, and subsequently, on May 12, 2021, he signed Executive Order 14028, increasing software security standards for the government by mandating a tightening of detection and security on existing systems, improving information sharing and training, and establishing the U.S. Cyber Safety Review Board to improve national-scale incident response.
Only a few weeks after the Colonial Pipeline cyberattack, on May 30, 2021, JBS suffered a crippling cyberattack on its vital supply chain infrastructure. JBS is a global meat processing company and one of the largest beef, pork, and poultry slaughterhouses and wholesale transporters and distributors of animal meat products in the U.S. This cyberattack led to an immediate spike in wholesale meat prices across the entire U.S. The situation became so grim that the U.S. Department of Agriculture was unable to offer wholesale beef and pork prices on June 01, 2021. The cyberattack on JBS also ushered in the 2021 supply chain crisis and the accompanying surge in consumer price inflation. The fact that the U.S. could not rule out nefarious cyberattacks from either cybercriminal groups or actual nation states is even more troubling.
According to the European Commission’s guidance on the European Union’s (EU) General Data Protection Regulation (GDPR): “Companies/organizations are encouraged to implement technical and organizational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’).” See Id.
Specifically, alternative (or multi-layered) security strategies, tactics, and patterns are considered at the outset of the software and feature design process. Then, only the best (and most secure) design features and processes are selected and enforced by the architecture, and these subsequently serve as the guiding principles for developers. This ‘secure-by-design’ (SBD) process emphasizes and encourages the use of strategic design patterns with clear beneficial security attributes, even if those design patterns were not originally devised with security in mind.
SBD is increasingly becoming the mainstream development approach for ensuring the security and privacy of software systems. In this approach, security is considered and built into the system at every layer, starting with a robust architecture design. Security architectural design decisions are based on well-known security strategies, tactics, and patterns, defined as reusable techniques for achieving specific quality concerns. Security tactics and patterns provide solutions for enforcing the necessary authentication, authorization, confidentiality, data protection, data integrity, privacy, accountability, availability, safety, and non-repudiation requirements, even when the system is under attack. To ensure the security of a software system, it is not only important to design a robust intended security architecture, but also necessary to map updated security strategies, tactics, and patterns onto software development in order to maintain security persistence.
Technologies such as Multi-Factor Authentication (MFA) and Data Loss Prevention (DLP) are currently at the forefront of cybersecurity measures used to protect PII. DLP technologies have the capability to ‘de-identify’ sensitive information by automatically implementing SBD features such as masking a date of birth or securing a credit card number with a randomized digital token, key, or device account number (as Apple Pay does on the iPhone). However, because data volumes are growing exponentially and at incredible speed, it is now almost impossible to de-identify the sensitive information of hundreds of millions of datasets in real time, and more sophisticated interaction designs are needed.
To this end, innovative interaction designers and engineers are currently developing a new generation of state-of-the-art DLP tools using behavioral analytics, AI, and automation to provide real-time prevention mechanisms without the need for any user intervention.
For example, the U.S. Health Insurance Portability and Accountability Act (HIPAA) sets national standards and provides examples of how to protect sensitive patient health information. Due to HIPAA regulations, U.S. healthcare organizations are adopting and implementing mandatory masking strategies for sensitive information ahead of other industries and economic sectors in the U.S. Interaction designers and software engineers are critical players in developing software detectors to identify and remove sensitive information according to stringent HIPAA standards. Most of this software can handle thousands of records full of sensitive information.
“Cybersecurity Interaction Design” is one of the most relevant fields for guaranteeing the future of a safe digitized world. “Security by Design” (SBD) is at the core of the skills needed to protect fundamental individual privacy rights and the personally identifiable information (PII) of individuals, organizations, and governments around the world.
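As an added illustration of the DLP de-identification the preceding paragraphs describe (masking a date of birth, replacing a card number with a randomized token, and detecting and removing sensitive values from free text), here is a small Python pipeline that is not from the original article and not any vendor's product; the record fields, the `TokenVault` class and the sample records are constructed for the example.

```python
import re
import secrets
import string

# Constructed sample PII records: fictional people and industry test card numbers.
SAMPLE_RECORDS = [
    {
        "name": "Jane Doe",
        "dob": "1984-07-19",
        "email": "jane.doe@example.com",
        "ssn": "123-45-6789",
        "card": "4111 1111 1111 1111",
        "notes": "Patient emailed jane.doe@example.com; card on file 4111111111111111.",
    },
    {
        "name": "John Roe",
        "dob": "1990-01-02",
        "email": "john.roe@example.org",
        "ssn": "987-65-4321",
        "card": "5500 0000 0000 0004",
        "notes": "SSN 987-65-4321 confirmed by phone.",
    },
]

# Detectors for PII that can hide inside free-text fields.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_valid(number: str) -> bool:
    """Luhn checksum, used to keep random digit runs out of the card detector."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_dob(dob: str) -> str:
    """Keep only the year, as HIPAA Safe Harbor requires for dates."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", dob):
        raise ValueError("expected YYYY-MM-DD")
    return dob[:4] + "-**-**"

def mask_ssn(ssn: str) -> str:
    """Show only the last four digits."""
    if not SSN_RE.fullmatch(ssn):
        raise ValueError("expected NNN-NN-NNNN")
    return "***-**-" + ssn[-4:]

class TokenVault:
    """Swaps a card number for a random token; only the vault can map it back."""
    def __init__(self) -> None:
        self._by_pan = {}    # card digits -> token
        self._by_token = {}  # token -> card digits

    def tokenize(self, pan: str) -> str:
        digits = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(digits):
            raise ValueError("not a valid card number")
        token = self._by_pan.get(digits)
        if token is None:  # the same card always gets the same token
            # Letters only: the token carries no card digits and cannot trip CARD_RE.
            token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(16))
            self._by_pan[digits] = token
            self._by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]

def redact_text(text: str) -> str:
    """Remove PII from free text; card matches must pass Luhn to be redacted."""
    text = CARD_RE.sub(lambda m: "[CARD]" if luhn_valid(m.group()) else m.group(), text)
    text = SSN_RE.sub("[SSN]", text)
    return EMAIL_RE.sub("[EMAIL]", text)

def deidentify_record(record: dict, vault: TokenVault) -> dict:
    """Per-field policy: redact, mask, or tokenize."""
    return {
        "name": "[NAME]",
        "dob": mask_dob(record["dob"]),
        "email": "[EMAIL]",
        "ssn": mask_ssn(record["ssn"]),
        "card": vault.tokenize(record["card"]),
        "notes": redact_text(record["notes"]),
    }

def find_pii_leaks(record: dict) -> list:
    """Post-check: a detector still firing on an output field means a leak."""
    def hit(value: str) -> bool:
        return bool(SSN_RE.search(value) or EMAIL_RE.search(value)
                    or any(luhn_valid(m.group()) for m in CARD_RE.finditer(value)))
    return [field for field, value in record.items() if hit(value)]
```

Running `find_pii_leaks` on the raw sample records flags the email, SSN, card and notes fields, and on the de-identified output flags nothing; the Luhn check is what keeps a 13-digit order number from being redacted as a card.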