Information and Data Security

Contextual Research

My Role

Research Lead

What I Did

Affinitization

Interviews

Type

Group Project 

Duration

10 Weeks

Contextual Research

Secondary Research

BRIEF

Contextual research is gathering quantitative and qualitative data on people in their everyday environment (such as school, at home or work). As contextual researchers, we observe how they feel and complete an activity and then gather big and thick data based on our observations. Observations, interviews, and sensory cues all help us have a better understanding of the user and what they want, based on how they feel when they interact with their electronic devices on a daily basis.

Our team spent 10 weeks researching what the Ideal Experience of Information and Data Security should be like. In todays world people don’t know who they can trust and if their personal information is being taken or used without their knowledge. To gather data my team interviewed 15 users, 3 experts, deployed a cultural probe with over 60 participants, and a sensory cue kit with 10 participants

The Team:

Research Plan:

In this project, our team utilized methods of contextual research to analyze Information and Data Security. Over these 10 weeks some methods we utilized were Observation, Secondary Research, Stakeholder maps, Interviews, Cultural Probes, Sensory Cue, Affinitizing, and How Might We questions.

Observation:

In contextual research, the first step is observation. Observations are completely non-bias and non-judgemental. This is used to see how people act in a real-life context while using the product being researched.

Our team completed 12 hours of observations. Over the 12 hours, we observed and covered 9 different locations. Some of our key observations were the number of people that used public wi-fi, what tasks people were completing in public settings, and how comfortable people seemed with sharing their information.

Our team found that this method was not the most effective method for gathering large sums of data.

Screenshot of Observation Document

Secondary Research:

Secondary research helps gather prior knowledge to have a better understanding of the topic. This can be done by completing a SWOT Analysis, a Popular Media Search, an Eras Map, and other research methods.

For our secondary research, we watched a Netflix film, The Great Hack by Lawrence Chadbourne, and other short videos about information and data security which helped our team have a deeper understanding of how valuable and important data is in our society. We organized all our data in a Excel spreadsheet to show the topic the source was relevant too, the link we found it at with citations, and a short summary. 

Screenshot of Secondary Research Document

Stakeholder Map:

Stakeholder mapping is a visual strategy used for identifying 

 

 

Interviews:

Our team conducted 3 expert interviews in various fields relating to Information and Data Security. Before conducting these interviewed we develop a guide of questions that we wanted to ask. In this guide there and six different kinds of questions. First there are closed and open ended questions. Then there are brain-based, heart-based, problem oriented questions, and future based questions. Using all of these kinds of questions allows us to gather more in-depth data. 

Expert Interview : Ricardo Irizarry

Ricardo graduated from the Gallatin School of Individualized Study at NYU in 2018, concentrating in Philosophy, Politics, and Economics and minoring in Psychology. He has put years of effort and research in simplifying cybersecurity for the average user and created a proof-of-concept of a viable, user-friendly solution for online security and anonymity called Ghost smart-router. Ricardo has designed Ghost to cater to the current and future needs of internet users globally with privacy and security at its core.

“The ideal secure data environment would be one where the data has been taken offline and put on a system that is air-gapped, where there is no internet connection nor has it ever been connected to the Internet, and that would be the ideal security.”

“To assume the identity of a person, you don't necessarily need to know the security questions or password you just need to be able to hack the email that you know that bank account uses. You hit change password button, you already have access to the email. When the email arrives you hit the link you change the password done bank account hacked.”

Expert Interview : Scott Welcome

Scott is an IT Director at Wellpath. He has worked in the field of technology for 25 plus years. His prior experience included owning and managing his own computer store, serving 6 years as a C.T.O and managing partner at TCI (cable and internet provided with over 100 properties). At Wellpath he oversees the security and network operations of, jails and prisons, local detentions, and civil hospitals.

“However, it can happen where hackers get through so that's where making sure that your users are trained well enough to know when they see something to not do it or click it or things like that”

“Society might improve their data security by stop going on social media and telling everybody where they're at every minute of the day. I would say being smart about what you do online, and just really paying attention”

“Make sure you have a separate email just for your crap that you register and things to, and just delete it all don't even look at it, and then you know, have one for your family. I've got God knows how many email accounts. When you see things that look odd, even if it comes from somebody you know, call them, ask them, don't just click it.“

Expert Interview : Josh Prowant

​Josh is a multi-disciplined technologist with experience in various ​Digital Forensics and Incident Response (DFIR)​ roles. ​As a Cyber Security Engineer at PNC, he focuses on reverse engineering malware, threat research, and application support and automation.

“Our company has physical security and multiple authentication methods such as badges and tokens. Employees are asked challenging questions when attempting to access sensitive information. When customers try to access the information they have multiple levels of authentication to make sure they are who they say they are. Our company also educates customers by providing resources for fraud activity so they are more aware.”

“To steal someone's identity, hackers need passwords and a little bit of public information about them. This includes the city they last lived in, spouse’s last name and other information that would be needed to answer stock questions. Hackers use open-source intelligence and some social engineering to gain this information.”

Cultural Probes:

What is a Cultural Probe?

A Cultural Probe allows researchers to gather people's emotions, desires, and other human qualities. This allows us to collect lots of qualitative data. We asked open-ended questions and asked participants to complete the activities they were given. This allowed us to learn more about their daily lives and the environment.

We needed to create a Cultural Probe that would resonate with our audience. To do this we wanted to include tasks that our participants complete in their daily lives. This could include filling out forms, asking open-ended questions, and completing surveys.

By creating a prototype we figured what were good questions to ask our participants so we could get the most data out of our Cultural Probe. This provided us the ability to create the best format for it. Also, we gained insight on the best order design for the probe so that it would make the most sense to our participants when they completed the forms.

When building our Cultural Probe station we created four separate sections. Each section consisted of a different task. This helped our participants know how many sections the survey consisted of and would allow them the ability to know how much time it would take to complete the entire survey. This also provided a more private setting for the participants.

 

Step 1: Survey

When our participants first walked up to our booth we asked them to complete this simple survey and to fill out as much information as they feel comfortable giving out. 

 

Step 2: Section One

We began with an initial assessment to see how many of our participants would read a contractual obligation such as a privacy policy before beginning our next tasks. Our policy was two-pages long and towards the end, it became completely irrelevant to the Cultural Probe with paragraphs of almost complete gibberish. After that, the participants would fill out a survey form asking for different amounts of personal information. Ranging from their first name to the last four digits of their social security number.

 

Step 3: Section Two

The second step was asking the participants to place a key token inside categories of applications they would feel the most comfortable giving this personal information to. Applications such as mapping services, messaging, game center, social media and tracking apps.

 

Step 4: Section Three

In the third section, we revealed to the participants the likely results of them having their information stolen by providing different amounts of it on the internet, based on their answers to the initial survey. We presented this section in a nonpartisan way to receive the true reactions of all participants.

 

Step 5: Section Four

To finalize, we asked participants to scan the code on the Cultural Probe that led them into an exit survey asking heart-based questions on how they felt going through the tasks, as well as receiving insight on the sensitivity of the information they provided.

 

We deployed our cultural probe out on Bull Street, in Savannah GA between 7:00 p.m. and 9:00 p.m on a Friday. During this time we had over 60 participants who completed the Cultural Probe.

 

Take Aways:


Some key observations that we gathered from deploying the Cultural Probe were that very few people cared to read the privacy policy. They did not bother to read it and went straight to filling out the survey. Some people were shocked to learn how little information hackers need to know to steal your identity and many people did not realize how much information they were giving out willingly without knowing what was going to be done with it.

The consensus we gained was that people believe that they are in control of their data and once they realize how vital their simple information is, they become scared and want to be more educated in data security. Many people were willing to give out perceivingly simple information about themselves at the beginning of the Cultural Probe.

 

 

Sensory Cue: 

What is Sensory Cue?

Sensory Cues allows us to understand how our consumers feel and behave when responding to the given tasks, such as what colors make you feel secure or what fonts you are most likely to trust. In our kit, we included six sections, a color wheel, user interface screens, photos of environments, general photos such as icons and computer screenshots, different fonts, and examples of different sounds. This allows us to understand what consumers prefer to see and hear in a product that makes them feel it is safe. They also desire a site that looks simple and is easy to use and protects their data.

We first started our sensory cue by asking our participants if we had their verbal consent to take audio, video and written notes on the information and data they provided to our research.

 

 

 

Affinitization:

Affinitization is a tool used to organize data. Affinity diagrams help you organize information into groups of similar items and synthesize user research findings by patterns and themes. Affinitization is a great way to make sense of qualitative research.

First, you start off by writing yellow sticky notes. These are individual data points from all of your research and findings. After you write all of the yellow sticky notes you will start or organize the sticky notes into groups of similar meaning. It is important to not group based on keywords off of the meaning of what the yellow is saying. After you finish organizing all of your yellows you will start writing blue sticky notes.

Blue sticky notes summarize all of your yellows within a group. With the blues, you should understand every yellow within it. After you finish writing blues you do the grouping process just like the yellows. After you finish grouping all the blues you will write pink sticky notes. Pinks are exactly like blues, summarized data from the blue sticky notes into the pink sticky notes. Lastly, group the pinks together and then write green sticky notes. Greens bring all your high-frequency points together and make them apparent. Throughout this whole process, you may have a few outliers which are okay and good to keep. These are low-frequency points and will not be brought into the greens. Once you finalize your greens you can develop a framework.

Framework:

Outliers:

Conclusion:

Frequently asked Questions:

Often after completing an interview or activity, our participants had questions regarding data and security. These are the highest reoccurring questions that are good indicators of what our users want to be informed about.

What are design opportunities?

Design opportunities are based on a given framework. After the framework is analyzed designers will develop solutions to the issues, wants or needs of the users. Focusing on our framework, here are solutions that could be designed to solve the issues, wants or needs our users are expressing.

     Design opportunities:

     -  VPN extension
     -  Encrypted external storage
     -  Encrypted password manager app
     -  Data usage script (read receipts of where your data is going who is using it etc.)

Sources:

© Sara Williams 2020. Proudly created with Wix.com