Cyber Risk Quantification

Over several years, I led UX efforts for a cross-functional initiative to design a financial quantification experience for cybersecurity risk. In collaboration with a cyber risk quantification partner (and later, through the acquisition of VisibleRisk), we set out to help Chief Information Security Officers (CISOs) and Security Managers understand their security posture in real-world financial terms.

Cyber risk quantification is a deeply complex, probabilistic domain, and for most security leaders it is anything but intuitive. Our challenge was to take advanced modeling, including Monte Carlo simulations, and surface the results in a way that Bitsight's core users, Security Managers and CISOs, could quickly understand, trust, and act on.


We needed to make thousands of Monte Carlo threat outcomes digestible, so users could see the full range of possible impacts and how likely each was, not just the average. Loss figures span several orders of magnitude, so that meant visualizing logarithmically scaled data and probabilistic distributions in a way that felt human and actionable.

Our users needed to know: what does this risk actually mean in dollars? We designed a workflow that mapped threat vectors to financial loss scenarios, helping users see how Bitsight risk data connected directly to bottom-line exposure.
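The two paragraphs above describe the modeling the product surfaced without showing it. The following is an added example, written for this page; it is not Bitsight's or VisibleRisk's model and makes no claim about how their simulation was built. It assumes the common FAIR-style decomposition of a scenario into an event frequency (Poisson) and a per-event loss magnitude (lognormal), runs a Monte Carlo simulation over many simulated years, and then produces the three things a risk dashboard needs beyond a single average: percentiles of annual loss, a loss exceedance curve, and a log-scale histogram. The scenario name and its parameters are constructed for illustration, and the helper names (`LossScenario`, `simulate_annual_losses`, `summarize`, `exceedance_curve`, `log_histogram`) are this example's own.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class LossScenario:
    """One threat-to-loss scenario in FAIR-style terms (assumed decomposition).

    events_per_year: expected frequency of loss events (Poisson rate).
    median_loss:     median single-event loss in dollars.
    sigma:           log-space spread of the loss magnitude (lognormal).
    """
    name: str
    events_per_year: float
    median_loss: float
    sigma: float


# Constructed sample scenario; the figures are illustrative, not from any real model.
SAMPLE_SCENARIO = LossScenario(
    name="Ransomware via an exposed remote-access service",
    events_per_year=0.8,
    median_loss=250_000.0,
    sigma=1.0,
)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario: LossScenario, trials: int, seed: int = 0) -> List[float]:
    """Simulate `trials` years; each year sums the losses of its events (0 if none)."""
    rng = random.Random(seed)
    mu = math.log(scenario.median_loss)  # lognormal median = exp(mu)
    years: List[float] = []
    for _ in range(trials):
        n_events = _poisson(rng, scenario.events_per_year)
        years.append(sum(rng.lognormvariate(mu, scenario.sigma) for _ in range(n_events)))
    return years


def percentile(values: Sequence[float], q: float) -> float:
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, round(q * (len(ordered) - 1))))
    return ordered[idx]


def summarize(losses: Sequence[float]) -> Dict[str, float]:
    """The figures to show side by side: the mean alone hides the tail."""
    return {
        "mean": sum(losses) / len(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
        "max": max(losses),
    }


def exceedance_curve(losses: Sequence[float], thresholds: Sequence[float]) -> List[Tuple[float, float]]:
    """Loss exceedance curve: P(annual loss >= t) for each threshold t."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x >= t) / n) for t in thresholds]


def log_histogram(losses: Sequence[float]) -> Dict[str, int]:
    """Bucket years by decade of loss ($10k-$100k, $100k-$1M, ...): the log scale a chart needs."""
    counts: Dict[int, int] = {}
    for x in losses:
        decade = math.floor(math.log10(x)) if x > 0 else -1  # -1 marks loss-free years
        counts[decade] = counts.get(decade, 0) + 1
    out: Dict[str, int] = {}
    for d in sorted(counts):
        label = "$0" if d < 0 else f"${10 ** d:,}-${10 ** (d + 1):,}"
        out[label] = counts[d]
    return out


if __name__ == "__main__":
    losses = simulate_annual_losses(SAMPLE_SCENARIO, trials=20_000, seed=1)
    stats = summarize(losses)
    print(SAMPLE_SCENARIO.name)
    for key, value in stats.items():
        shown = f"{value:.1%}" if key == "p_any_loss" else f"${value:,.0f}"
        print(f"  {key:>10}: {shown:>14}")
    print("Loss exceedance curve:")
    for t, p in exceedance_curve(losses, [100_000, 500_000, 1_000_000, 5_000_000]):
        print(f"  P(loss >= ${t:>9,}) = {p:.1%}")
    print("Log-scale histogram of simulated years:")
    for label, n in log_histogram(losses).items():
        print(f"  {label:>24}: {n}")
```

Run as a script it prints the summary for the constructed scenario. The point the UX work had to convey is visible in the numbers: roughly 45% of simulated years have no loss at all, the median year is far below the mean, and a small fraction of years sits an order of magnitude above it, which is exactly what a single "expected annual loss" figure conceals.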


We conducted in-depth interviews with over a dozen CISOs across sectors, from healthcare to finance to manufacturing, to understand how they currently approached cyber risk, where gaps in knowledge or tooling existed, and what kinds of insights would actually move the needle. This research helped us cut through technical noise and design for clarity, not just completeness.

We conducted workshops to define user personas based on their ‘Jobs to be Done,’ identifying primary performers as well as those who might serve as buyers or be indirectly impacted by the problem space.

After spending significant time digesting the problem space and gathering feedback, we had a solid framework for the opportunities and for where users felt pain in the process.


We tested and retested data visualizations, risk scenarios, and interaction flows with our partner companies, internal stakeholders, and real users. Through each iteration, we refined how scenario-based outcomes and Bitsight risk vectors were presented, so that users could trace the path from risk to financial exposure to remediation. Ultimately, this drove adoption and became a foundational experience within the platform.

Over a couple of years, we ran multiple usability tests to assess whether Security Analysts, IT Managers, and Vulnerability Managers could correlate the simulation findings with security scenarios, and then map those scenarios to major security control frameworks such as the Center for Internet Security (CIS) Critical Security Controls.

Our usability tests presented prompts that guided users to identify potential loss points across various controls and to evaluate which scenarios would most significantly affect those controls.

Ultimately, we found that users either struggled to understand how a Bitsight finding mapped to a specific scenario and why that scenario was linked to a particular security control, or were more familiar with, or preferred, alternative frameworks such as the NIST Cybersecurity Framework or MITRE ATT&CK rather than the CIS Controls.

We also usability-tested the workflow for entering the data the model needs in order to run and return results. Although the process was arduous and tedious, users found it intuitive enough to complete without intervention.

