CyberOwl: Onboard Maritime Cyber Security
CyberOwl is a Cyber Security company headquartered in the UK, offering cyber risk monitoring and resolution for the maritime industry globally.
As the lead Product Designer, I was tasked with building up the CyberOwl onboard platform. Starting from a user-first approach, my role spanned from user research, prototyping to final UI designs.
The Project
The Brief: democratise cyber security across the maritime industry
For: CyberOwl
My Role: Product Designer
Tools: Figma, Sketch
Quantitative Surveys; Qualitative Surveys; User Interviews; Wireframes; Prototyping; Iterations; UI
The challenge:
Cyber Security is a complex field that requires technical knowledge in IT and cyber risks. In the maritime industry, vessels are at risk of cyber incidents that could bring a vessel to a halt. Often times, the crew needs to be involved to help the shore team resolve the issue. However, the communication means are manual (email, texts, back end forth) and the crew lacks the knowledge to feel confident in taking action. Those create a reluctance from both sides (shore and crew) to delegate, but still having the need for collaboration. Adding to the complexity, cyber policy deviances are at the top of the risky behaviour from the crew. Helping them understand the consequences of risky behaviour would alleviate the potential breaches.
The approach:
I started this project with speaking to our customers (IT shore) to understand the process of incident resolution and involvement of the crew. Those interactions were critical in thinking about the challenge at hand because the customers on the shore are the final decision makers when it comes to the choice of communication, the degree of delegation and the visibility needed for them to feel comfortable that the product will ease their processes.
I then conducted interviews with crew members to gain insights into their own challenges when dealing with Cyber Security.
The outcome:
The results from those conversations showed the lack of cyber knowledge was an hindrance to better collaboration: the crew didn’t want to take on those responsibilities by fear of doing something wrong; the shore didn’t trust the crew to make these issues a priority nor to understand potential risky behaviours that could be prevented rather than reacted. Communication was another important challenge, from the means of communication to the content of it. Tools such as emails or texts are often used, making it extremely cumbersome on both sides. The need for clear instructions for each party to feel confident in understanding, taking actions or delegating was another obstacle, due to the time involvement and the understanding of information.
The solution:
Providing a platform available onboard the vessels for shore to push incidents that crew could tackle, with simple steps to follow for resolution, adding notes and history to improve communication was the first step to redefine the workflow of those interactions. The second step was reinforcing the knowledge of Cyber Security onboard with a system of “just in time notifications”. A system of desktop notification would highlight the crew at the point of breach that this behaviour was risky and increase their awareness.
The Research
Starting the research, I focused on shore IT conversations for several reasons: their engagement in cyber hygiene is greater than the crew’s; the final controls are in the hands of the IT team, they are the ones who implement policies and make decisions for a safe and compliant process; finally, they are the ones who make the final commercial decision and hold the budget.
That being said, because the crew would be the end user I also wanted to understand their mindset and challenges. I therefore conducted several interviews with crew members.
User Interviews; Quantitative Survey; Prototyping
User interviews
1.
2.
The first phase of my research focused on the IT team on shore. Being the ones implementing rules and policies, it was important to understand their point of view and challenges. In the course of 4 weeks, I spoke to several personas, from operational IT to management.
The results:
Lack of trust in the crew to know what to do
Perceived lack of engagement of crew in cyber security
A captain’s ego is a tool to engage a healthy competition to be on top
Training is an exercise done once a year and stays high level
Having spoken to the shore teams, my next step was to get insights from the crew itself to understand their challenges but also to gauge their level of engagement in this topic.
The results:
Crew is responsible for many tasks in their day to day and their main focus is on getting the vessel from point A to point B safely
Their knowledge of IT is limited, hence they either perform tasks that are risky (i.e. non compliant behaviours) or simply don’t want to touch IT related topics by fear of reprimand or “breaking something”
This is however nuanced by factors like nationalities and age group of crew members - younger crew members feel mre comfortable with IT
Understanding of cyber security and compliant behaviour remains low despite training
Support and clear instructions is needed to feel comfortable in engaging in the topic
The Solution
The dashboard presents information needing attention to give the crew a quick glance of the state of their vessel’s cyber hygiene.
Shore can activate the certain categories, giving them control of what to push to the crew.
A notification center is also present, where all communication between shore and ship lives. This removes the need for various means of communication (emails, phones) and provides a consolidated view.
A performance widget is also present, tapping into the competitive mindsets of crews and captains. This also allows for positive reinforcement visuals.
Upon clicking into an alert, clear instructions are presented as a check list. This check list is curated by default by our security team, the customers can however add/edit/delete steps as they see fit, again leaving them in control of what they chose to present to their crew.
From my research, it was clear that knowledge in cyber security was a challenge for both parties, leading to behaviours putting the vessel’s IT at risk and for a mistrust to be installed.
The next step was hence to address this challenge by introducing a continuous training.
I introduced a mechanism of desktop pop up at the point of “bad behaviour”. Triggered by non compliant behaviours defined by the shore team, several pop up notifications can appear in relation to the risk, reminding the crew of the company’s policies or simply explaining the reason why this particular behaviour poses a risk.
By continuously communicating the risk, the crew is offered constant training in a short concise way, leading to less deviations.
Some customers have noticed a reduction of non compliant behaviours by 50% so far.
Final thoughts and learnings
This project was extremely interesting because it touches on human behaviour and sometimes conflicting interests from the “buying” party and the end users.
Juggling the need for control from shore with being helpful to the crew, in order to increase the engagement and inherently improve trust, was challenging but rewarding. After just a few weeks of launch the feedback was positive on both sides.
The collaboration needed with the development team was another important piece to make this puzzle successful. Their involvement was paramount to bring this idea to life and to create those “just in time training” notifications.