SESSION ID: IDY3-R07 The Value of Human-Centered Research in Identity and Access Management Keita Wangari Charlotte Massey Juliette Hainline Senior UX Researcher Google Cloud UX Researcher Google Cloud UX Researcher Google Cloud #RSAC Agenda 1 | Human-Centered Research 2 | Case Study: Security Center 3 | Case Study: Alert Center 4 | Apply & Resources #RSAC #RSAC 1 | Human-Centered Research #RSAC Is it software testing? #RSAC Is it usability testing? #RSAC Is it about making users happy? #RSAC Old World Deployment Environment On-premise | Corporate desktop-based | VPN only access | Employee-only access 7 #RSAC Old World Deployment Environment On-premise | Corporate desktop-based | VPN only access | Employee-only access Requirements gathering Launch UAT (user acceptance testing) Regression testing Interface testing Stress testing Usability testing Satisfaction surveys Helpdesk Tickets Logs 8 #RSAC New World Deployment Environment Cloud first | Anytime, Anywhere access | Many apps & devices #RSAC Technology is just one dimension. 10 #RSAC The other is people. Their behaviors, preferences, & goals in response to technology. 11 #RSAC IAM Policy Business Outcome Mandated by CEO, regulators, security, compliance, etc. Desired gains & behavior as a result of the policy. IT team #RSAC IAM Policy Business Outcome Mandated by CEO, regulators, security, compliance, etc. Human Behaviors, Goals, Preferences Have Impact IT team #RSAC IAM Policy Unintended Business Outcome Mandated by CEO, regulators, security, compliance, etc. IT team #RSAC business disruptions IAM Policy workarounds Mandated by CEO, regulators, security, compliance, etc. productivity decrease IT team low adoption rollbacks rework helpdesk overload #RSAC Human-centered research starts here. #RSAC Who are the users? What’s the context? What are their behaviors, mental models, & goals? IAM Success Factors Heard at Gartner IAM Summit Recognizing data quality challenges from the beginning, enabling painless migration, understanding how the business works, and putting employees in control are core zero-trust principles. ~Large Tech Company Experience should be user-centric rather than IT-centric. Hyperfocus on usability, both external & internal. ~Large Coffee Company We can’t control the interface but can control the metadata, what they review, what’s on the screen. ~Large Home Improvement Retail Company ~Large Health Insurance Company 18 #RSAC #RSAC This is Human-Centered Research EXPLORE & STRATEGIZE What’s next? Who are the users? How are we doing? What are the users’ needs? RELEASE & MEASURE CONFIGURE / BUILD How should we design? Are we on the right track? 19 Fitting Human-Centered Research into Development EXPLORE & STRATEGIZE Journey mapping Job shadowing User interview Critical user journeys Survey Usage data analytics User feedback & bugs Benchmark test Survey RELEASE & MEASURE CONFIGURE / BUILD Usability test: mocks/prototype Survey Heuristic evaluation Concept testing: wireframes/mocks 20 #RSAC