Making Risk Management Intuitive

UX/UI

RESEARCH

The Challenge

When I joined SecurityHQ, Risk Center was at an inflection point. Designed to give CISOs a comprehensive view of security threats and mitigation strategies, it had been built quickly to capture an ambitious vision: a single location where security leaders could understand threats, prioritise risks, identify attack vectors, and access mitigation guidance. The foundations were there - but the product hadn't yet been validated with the people who needed it most.

The Problem

Despite its comprehensive feature set, Risk Center wasn't connecting with its intended audience. The signs were clear:

  • The mission statement was overloaded with jargon, obscuring rather than communicating value

  • Users couldn't grasp what features did or why they mattered, leading to confusion and frustration

  • Core functionality was difficult to navigate and use, creating barriers to adoption

  • Active usage remained disappointingly low, with users abandoning the product after initial exploration

I deduced that the root cause was product had been built without truly understanding the people it was meant to serve. We were solving problems we assumed CISOs had, not problems they actually faced. Without proper usability testing or validated personas, we were essentially designing in the dark.

It was time to start with the fundamentals: understanding our users.

Mapping the broken journey

With validated personas in hand, I could now see Risk Center through our users' eyes.

I mapped the current customer journey to visualise exactly where and how the experience was failing. What emerged was a fragmented path filled with friction points and moments where users simply gave up.

Validating the problems

To build a compelling case for change, I needed evidence that would resonate with the C-suite. I conducted an audit with our Cyber Security Managers (CSMs)—the team on the front lines managing customer risk portfolios and witnessing adoption struggles firsthand.

These weren't assumptions or hypotheticals. Our CSMs were in daily contact with CISO-level users, fielding their frustrations, workarounds, and feature requests. They had invaluable insight into where Risk Center was failing and, more importantly, why customers were walking away.

Understanding the risk ecosystem

Through these conversations, a pattern emerged that revealed the product's fundamental flaw: we were asking users to manually assess and input risks when we already had the intelligence to automate it.

Our platform was capturing incident data—real security events happening in real-time across customer environments. Yet Risk Center treated risk assessment as a separate, manual process. Users had to interpret incidents, evaluate severity, and manually create risk entries.

The opportunity was clear: automatically convert incidents into assessed risks, using the intelligence we already possessed.

Viability calculation

Key Findings: The Incident-to-Risk Opportunity

The CSM audit revealed concrete data that quantified the automation opportunity:

  • 26% of incidents are directly convertible to a risk - identified during service reviews, weekly client meetings, or threat intelligence searches

  • 45% of incidents can be linked to existing risks - depending on the log source and triggered use case

This represented hundreds of hours of manual work that could be streamlined through intelligent automation.

Proposed Integrated Workflow

To seamlessly incorporate risk conversations into existing touchpoints, I mapped how the incident-to-risk flow would integrate with current processes:

  1. SOAR automatically generates incidents from security events

  2. SOC Analysts review and enrich with context and analysis

  3. CSMs review status and discuss incident alerts with clients

  4. CSMs can convert or link incidents to risks directly within their workflow

This approach wouldn't disrupt existing operations—it would enhance them by embedding risk management into the conversations and reviews already happening. Risk creation becomes a natural extension of incident management, not a separate manual process.

Demonstrating the value

Key Decision Matrix

Scenario 1: Converting an incident to risk

  • Context: A user performs a scan of a network using a free tool such as advanced IP scanner

  • Threat: Some might have malicious code that you bring into your network. Threat actors also use IP scanners to perform reconnaissance.

  • Impact: If not addressed, this risk could lead to a legacy system being exploited, by the threat actor understanding the vulnerabilities

  • Next Steps: Convert the identified incident into an actionable item within the risk register.

Demonstrating the value

Scenario 2: Linking incident to Risk

  • Context: Type 8 logons (cleartext password authentication) are detected on a customer's legacy system. The system is cost-prohibitive to replace, creating a persistent security concern.

  • Customer Response: The customer acknowledges the risk but chooses to accept it due to the high cost of upgrading or replacing the legacy infrastructure. This decision is formally documented in the risk register as an accepted risk.

  • Risk Acceptance: The customer officially "accepts" the risk in the register, indicating acknowledgment and willingness to tolerate it under current circumstances.

  • Next Steps: Review and update the use case manager rulebook to incorporate the necessary rules and alerts for ongoing detection and prevention.

Follow up questions I had:

  • If they perform that again - what if the same risk is raised multiple times?

  • How do we avoid duplication?

  • Who has the authority to create/confirm a risk?

  • It may be too much noise, creating too many risks, what if it is already added?

  • Do incidents become read-only after they have been converted to a risk?

Scenario 2: Linking incident to Risk

  • Context: Type 8 logons (cleartext password authentication) are detected on a customer's legacy system. The system is cost-prohibitive to replace, creating a persistent security concern.

  • Customer Response: The customer acknowledges the risk but chooses to accept it due to the high cost of upgrading or replacing the legacy infrastructure. This decision is formally documented in the risk register as an accepted risk.

  • Risk Acceptance: The customer officially "accepts" the risk in the register, indicating acknowledgment and willingness to tolerate it under current circumstances.

  • Next Steps: Review and update the use case manager rulebook to incorporate the necessary rules and alerts for ongoing detection and prevention.

The Impact

  • Identified that requested "UI uplift" masked fundamental UX problems, recommending strategic retirement over costly rework

  • Used research and analysis to push back on stakeholders, preventing months of investment in a product with low adoption

  • Secured stakeholder agreement to retire the product until proper implementation was feasible, optimising development resources

Testimonial

Emily is an accomplished UX designer, and someone who's understanding of the user experience ties neatly into broader goals of a business, and was able to make a key difference in the US side of the business.

I worked closely with Emily on our risk register the risk register revamp, and what struck me was the ability to pivot away from traditional UX/UI concepts and more into the softer skills side, understanding the way in which people and clients interact with and consume our services.

Overall, working with Emily has been a pleasure.

Tim Chambers

Regional CSC Lead, MEA

Regional CSC Lead, MEA