One of the tools IT architects and UX designers work with is so-called ‘Personas’. Personas are fictional characters created to represent the different user types that might use a system, website, product or service. Using personas is common practice in UX design, but they are just as valuable when developing a security architecture for a new system, service or website. Security Personas force you to think differently about the goals and behaviour of the attackers that are going to hit your system.
Security Personas identify the user motivations, expectations and goals that drive bad behaviour. Of course, not all personas will behave badly on purpose. Sometimes mistakes in the use of the system, or social engineering, will affect the way a persona can compromise your system.
Benefits of Personas
Personas help to focus the conversation and to make design decisions concerning IT components by adding a layer of real-world consideration. They also offer a quick and inexpensive way to test and prioritize those features throughout the development process. In addition, they can help:
- Stakeholders and management to discuss architecture building blocks to protect your system.
- Information architects to develop informed, secure wireframes, knowing possible interface behaviour.
- System security engineers/developers to decide which approaches to take based on user behaviours.
- Testing
For security personas it is good to outline:
- Demographics such as age, education, ethnicity, and family status.
- The goals and tasks they are trying to complete using the system (or website).
- Their physical, social, and technological environment.
- Responsibilities: as implemented in the future identity and access management system, but also the formal organizational responsibilities that belong to the role within the organization.
Defining security personas is not hard. Some examples:
- employee
- visitor (in person)
- internet visitor (web)
- administrator
- manager
- director/CEO
- angry customer
- competitor/rival
- neighbour
Use security personas from the very start of your project, that is, when defining security requirements. We encourage you to share your security personas with us, since sharing and reuse is fun and profitable. Send your security personas to us.
Summarized: using security personas helps you focus when designing and developing IT systems and business processes.