Select Page

How to strengthen your cybersecurity with user research

CYBSAFE-SebDB Webinar-preblog-221011MS-36

22 November 2022

User research: How to conduct it, and wield its powers for good

What makes a good movie? I’d argue that it’s characters with good backstories. There’s nothing more satisfying to me than seeing how a character’s past experiences shape their worldview. Than understanding what drives them to keep going.

A backstory gives depth to a character and their motivations. It makes a character more engaging and believable. It helps explain their thought processes, and why they do things that might otherwise seem irrational and foolish.

“Okay, but what’s that got to do with cybersecurity?” You ask.

Backstories help us figure out why people do the things they do. In other words, they help us understand human behavior, or, in this case, security behaviors.

So, how well do you understand your users’ backstories?

Do you sometimes dismiss their behavior as irrational? Do you ask yourself why people are still falling for phishing scams? Why they just don’t learn?

simulated phishing ebook

But it’s only when we truly understand people that we can design the best solutions for them.

If we want to understand how to improve people’s security behaviors, we’ve got to look backwards to move forwards. We need to understand the barriers that get in people’s way, so we can figure out new ways to help them overcome them.

What is user research?

The CybSafe Science and Research (S&R) team has wide-ranging expertise. Things like psychology, behavioral science, cybersecurity, and cyber crime. As you may suspect, user research plays a big role in our work.

User research is about understanding people’s needs and problems. So, we run research sessions and workshops, working closely with CybSafe customers to gain insight into their thoughts and behaviors.

We also spend time observing how people work and use technology (because sometimes what people say they do, doesn’t match up with what they actually do). Then we use those insights to uncover new design opportunities and solutions.

3 tips for conducting user research

So, how do we do it? 

How do we gain an in-depth understanding of users and their needs? And how do we turn these research insights into solutions?

1. Ask the right questions

It can be tempting to jump to assumptions when trying to make sense of why people aren’t complying with security behaviors. How many times have you heard the following?

“People aren’t motivated, so let’s add some points and a leaderboard. That’ll make it more fun…”.

How about this one?

“People keep falling for phishing scams, so let’s add another training course. Maybe then they’ll finally learn…”.

Part of my job as a user researcher is to spot when assumptions are being made and to question them. What is the evidence that this is the root cause of the problem? Have we fully considered all of the possible options? How can we be sure that this is the best solution for our target audience?

By making sure that you fully understand the problem before jumping into a solution, you avoid going down the wrong path (which can be more costly).

2. Take time to plan

There are different kinds of user research methodsfield research, interviews, usability testing, surveys, card-sorting, eye-tracking, web analytics, and much more. The method you choose depends on the research question you’re trying to answer.

Qualitative research methods help you understand why people behave in a certain way, allowing you to collect in-depth insights into people’s needs and frustrations. Quantitative methods help you understand numerical data, how big is the problem, and how many people it affects.

Here are some more things to consider:


Who will you recruit to take part in your research, and how?


Are there any time constraints? What about technological or financial constraints?


What steps can you take to help ensure the reliability of your research? For example, how can you be sure that you’re measuring what you intend to measure?


What about the validity of your research? For example, does it reflect what happens in real life scenarios?

By taking the time to think through these issues and properly plan, you can be confident that you’re taking the most suitable research approach for your context.

Then it’s just a matter of getting out there, and making it happen—running your research sessions, and analyzing your data.

3. Work in product teams

Here at CybSafe, we don’t work solo. We work in multidisciplinary product teams with product managers, designers, and developers.

This close collaboration helps us ensure our research findings don’t end up in a dusty old cupboard somewhere. Filed away and forgotten.

Our end goal is always to discuss our results and figure out what’s next. How we can turn research results into actionable recommendations and design solutions.

Let’s take security awareness training for example. How can we tackle non-compliance? 

In an internal research study, “I needed to prioritize my main work tasks over completing training” was the top reason for non-completion. This suggests that people often have good intentions. And that’s in line with our previous research.

However, people are also under a lot of pressure. So, they prioritize other work tasks set by their manager. And they put off cybersecurity training. Or even forget about it completely.

Discussing this research insight with our colleagues, we took an evidence-based approach, guiding conversations away from abrasive solutions like creating more training materials.

To be innovative, we need something more nuanced. We need to explore ways to help people fit cybersecurity into people’s busy lives. Making it as easy as possible to do the right thing. This line of thinking has influenced some of the CybSafe platform’s latest features, like nudges and calendar integrations. 

But it also raises wider questions about how we can influence organizational work cultures to get cybersecurity closer to the top of the priority list. There are many factors at play here, and I could talk about them all day. But here’s what it comes down to: simple one-size-fits all solutions aren’t going to cut it. 

Taking a user-centered approach helps us to keep people at the heart of what we do—conducting user research and working together to develop products that deliver real value to people’s lives.

Interested in learning more about people-centric cybersecurity? Download our free eBook.

people centric security cover image
Behave Hub newsletter CybSafe

Do one more thing right today. Subscribe to the Behave newsletter

You may also like