The other day, for reasons I hope are for the best, I was locked-out of LinkedIn. Something to do with the fact, I suspect, that I forgot my password (senior moments, I know.)
As a result, my account was suspended pending “account recovery.” Which hopefully means it’ll be towed to somewhere safe and refurbished with shiny new opinions and an upgraded profile fit for the 21st Century of business-preparedness. Probably not though.
So for a while I had some free time to do something else with my time than envy-scroll posts about my network’s (notworks?) ability to secure new jobs, new projects and new relationships.
This made me think about how companies approach online security and how engineers ‘design-in’ systems to deal with threats.
One engineer who writes on this asks his “development teams that every user story have at least three abuser stories to go with it.” And with “any new capability, think at least hard enough about it that you can imagine at least three ways that someone could misuse it.”
It’s a striking way to think about an approach to solving something. I usually start with thinking positively about how to help someone with something. Which clearly in security terms is ridiculous. But when I think about it, helping to ‘dissuade’ people is what I’m almost always doing.
If I take brand guidelines, the explicit message ‘do this.’ The implicit one is ‘or else’.
If it’s selling a new service or product or experience, it’s ‘chose this! / no! not the other one!”. And to do that we put ourselves (or at least try to think ourselves into) the persona’s of our potential audience’s shoes.
I’m pretty sure most are familiar with user persona’s (admission here – my experience is limited and heuristic, rather than the great skills those who are better acquainted with them possess. So this is written from a perspective of relative ignorance!)
Mostly the personas or users or audiences I’ve come across read as though the assumption is ‘they’ are pre-disposed to like what we’re offering. So they’re framed in that bias – ‘towards us’. Sure, there’s likely to one outlier or anti, but that’ll be, what one in six? Eight?
What if for every positive user, we considered at least three (as the security expert would say) abusers. Three times as many people who would actively seek to undermine your efforts?
Might that give us an interesting bit of insight about what not to do when we build or secure our ideas around how to reach people – or possibly reach people we wouldn’t otherwise have interested? Then again don’t ask me. I can’t give you permission right now.