Summary
The National Cyber Security Centre (NCSC) had identified over 400,000 IP addresses vulnerable to cyber attacks. We created a simple online tool to help small organisations quickly identify, understand and solve IP address vulnerabilities without technical expertise.
The process involved six iterative design and testing cycles, and a total of 558 users. Through rigorous user research we uncovered the need to build trust in the NCSC, effectively communicate the importance of cyber security, and help users understand IP addresses.
Impact
THE CHALLENGE
Thousands of vulnerable businesses, 4 major barriers
Publicly available data had alerted the NCSC to 400,000 vulnerable IP addresses that left small to medium-sized organisations susceptible to cyber-attacks. However, without some technical know-how, the average small organisation wouldn’t know it was at risk until it was too late, which could cost it millions.
In addition, research on previous projects had already identified 4 major barriers that mean cyber security falls low on these organisation's agendas:
Small orgs are rarely aware that their business is at risk or what it's at risk of. They often mistakenly believe they’re too small to be targeted.
Without a dedicated cyber security or IT person, small orgs don't believe they have the expertise they need and don't know where to look for information.
Due to the perceived lack of risk, small organisation aren't motivated to take action until it's too late.
Cyber security is believed to be time-consuming and small orgs have little time for activities they don't believe are achieving business objectives.
DESIGN GOALS
A radically simple online tool
Our vision for “Check your cyber security” was a radically simple online tool that would help non-technical users identify, understand and protect their organisations against common cyber threats.
To achieve this, the service needed to:
Be quick to use
Require no prior knowledge or experience
Be low effort
Give users something of real value
IDEATION & PROTOTYPING
Bringing our vision to life
Knowing we needed to collect a user’s IP address before telling them if it was vulnerable or not, we started by brainstorming and sketching a number of possible solutions and ways to bring our vision to life.
Following this, we refined our pen and paper concepts to create a sketchy “vision prototype”. The objective was to tell a story that would engage NCSC stakeholders with a concept and encourage early feedback that we could use to iterate on our initial ideas.
USER RESEARCH
573 users, 6 rounds of design
Next, we designed a high-fidelity prototype to get user feedback on the proposition. The prototype was tested in 15 one-to-one sessions and 1 focus group.
The service then went through 6 rounds of iterative design and testing over the next eight months. It was tested with a total of 573 users across 2 days of guerrilla research, 2 online surveys and 6 days of usability testing. Rigorous testing like this is essential for government-backed services.
Each round surfaced unique findings and usability problems. However, a number of themes and design challenges cropped up time and time again and would be most critical to our design decisions.
Build awareness & trust
Many weren't sure they could trust the service because they haven’t heard of the NCSC. However, when they discover the NCSC is a government organisation, they’re immediately more trusting and more likely to use it the service.
As a result, we used NCSC and GOV.UK branding on the homepage to quickly build trust and put apprehensive users at ease.
Communicate value and encourage action
Some believe their organisation is too small to be targeted by cybercriminals. Others know they could be at risk but still don’t see cyber security as a priority.
We discovered that users are most concerned about criminals accessing their accounts and data, and that they're motivated by surprising stats. We therefore utilised these when describing the service and in designing the homepage.
Help users understand and find IP addresses
Often users were confident that they knew what an IP address was but their descriptions were wrong or they couldn't find their's.
To help, we created written and video content to help them understand IP addresses, why they’re safe to share and how to find their's. We also also implemented a feature to show users their current IP address, saving them from having to find it.
Provide actionable results
Some of the vulnerabilities the service finds are difficult to understand and fix. We found that users were more motivated to do something about them if they understood what the issue was, why it put them at risk, and guidance on fixing them was presented as simply as possible.
We collaborated with a content writer to design results cards that provided this information in that order: what is it, why is it a problem, how to fix it. We also used accordions to avoid presenting users with overwhelming amounts of copy and allow them to access they information they want as and when they want it.
FINAL DESIGN
Anyone in the UK can test an IP address in seconds
Check Your Cyber Security is a simple online tool that helps anyone in the UK to identify, understand and fix common cyber security vulnerabilities found at their IP address. A straightforward 3-step process takes them through the entire journey in seconds.
Discover checks: Users are introduced to a series of checks they can perform from the comfort of their browsers.
Perform a test: Users are guided through learning about the checks, performing them and getting their results in seconds.
Easy-to-follow guidance: Alongside the results of the check, users are given simple guidance on how to resolve the issues.
