Research : AI-Enhanced Security Automation
Challenge: Large scope, Multiple phases, Conservative users and stakeholders
Deliverables: Persona, Stakeholder map, User flow, RACI Chart, Inforgraphic
Role: User Researcher
The AI-enhanced Security Control Language Automation Project introduces a novel concept into the current workflow, with the goal of substantially enhancing efficiency, convenience, and more in the existing process.
Problem Statement
The client (agency name undisclosed) had gathered feedback regarding the difficulties Information System Security Officers (ISSOs) faced in expediting the Authorization to Operate (ATO) approval process. Several factors had impeded their ability to streamline this procedure. ISSOs' key responsibility revolves around retrieving and updating security documents, emphasizing the need to enhance efficiency in this critical task.
Goals & Metrics
I collaborated closely with a senior security officer to facilitate the client's comprehension of the underlying challenges.
We aimed to look at the current process holistically and propose a solution that could assist the ISSOs at the agency. Furthermore, our objective was to introduce AI technology to expedite the ISSOs' security documentation process. However, given that this was still a proof of concept, we set a goal to find an easier way to translate complex concepts into easily understandable terms and to gain a thorough understanding of the current process.
Users & Audiences
Information System Security Officers (ISSOs), the Chief Information Security Officer (CISO), Authorizing Officers (AOs), security stewards, project managers (PMs), product owners (POs), and all other security personnel associated during the Security Authorization Process.
Research
Comparative Analysis and ATO/RMF Research
I began by conducting a comparative analysis to identify best practices for crafting security documents within the Authorization to Operate (ATO) process and gain insights from this research. Given my lack of expertise in the security domain and unfamiliarity with terms like ATO and Risk Management Framework (RMF), I undertook further research to better understand the context and the intricacies of the process.
User Interviews:
To investigate further, I developed a research plan aimed at conducting user interviews. I engaged with 8 domain experts who played pivotal roles in the ATO process, including Product Owners (3), Information System Security Officers (ISSOs) (3), Security Stewards (3), and Information Architects (2). These interviews were conducted remotely, with a primary focus on comprehending their existing workflows, identifying pain points, uncovering the underlying causes, understanding their expectations, and exploring potential enhancements for the current process.
Concept Testing:
The senior security officer I collaborated with suggested incorporating AI technology akin to ChatGPT. This technology would enable Information System Security Officers (ISSOs) to make inquiries about security documents and retrieve necessary information from the AI platform. This proposal aimed to streamline and expedite the current process for ISSOs. Consequently, my responsibilities included creating a conceptual model to help the team grasp this new concept and conducting testing with relevant users.
Synthesis
Work in Progress
Proposed Solution
Work in Progress
The Testing
Work in Progress