Security and Persona Development

I have recently been exposed to some projects which have used “personas” for the development of new products and services. I’ve heard of their use in design (as in product and user-based design) before and been impressed at how they focus design towards the goal of satisfying an eventual end-user need. I can’t help but wonder if the “persona tool” can be used to help security solutions better meet an end-user need and help the overall usability of security.

Personas are basically character profiles meant to represent the personality and use-case of an end-user of a product or service. Wikipedia has a good summary:

A user persona is a representation of the goals and behavior of a real group of users. In most cases, personas are synthesized from data collected from interviews with users. They are captured in 1–2 page descriptions that include behavior patterns, goals, skills, attitudes, and environment, with a few fictional personal details to make the persona a realistic character. For each product, more than one persona is usually created, but one persona should always be the primary focus for the design.

I can see them being useful in security for visualizing how users will interact with security solutions and use them in “real life.” For example, a persona could help someone develop a password policy that not only has strong security requirements but will foresee how users will interact with and use it.

This is a topic I’ll definitely be exploring further. I would like to develop a framework for developing and applying personas to the creation of security controls and policies. Seems like it could have a definite impact on how “usable” security solutions are.