User research meets infosec

Or, my journey and a few thoughts on security data science

When I first noticed discussions of ‘infosec data science’ and ‘machine learning for security’ on infosec Twitter a few years ago*, I was immediately curious and began researching to learn more.

I’m a security engineer, but my background is in cognitive psychology and user behavior analytics. Before joining the security team at my current company, I worked as a quantitative researcher on our qualitative UX research team. When I was brought on, there was a gap between the data scientists and the UX researchers. The research team needed someone who could move comfortably between qualitative and quantitative methods and act as bridge between the two types of work. As time went on, I had the opportunity to grow my computational analysis skills and began doing heavier, larger user analyses.

I eventually specialized in studying feature usage and spent my time looking for users who were doing unusual (non-malicious) things with our app. This was particularly useful to the UX researchers, because anytime we found interesting usage patterns, there was a good chance that the user would have insightful feedback about how we could make an existing feature better, or even an idea for something new we could build.

At the time, I didn’t even realize I was doing anomaly detection. It occurred to me, though, that the work I was doing might somehow be useful across other domains, specifically security. When an opening on our security team came available, I made one of the smartest decisions I’ve ever made and applied.

As I got up to speed on application security practices, I looked for opportunities to incorporate my research skills into my work as a security engineer. I built tooling to help provide useful data to my team; I studied application traffic patterns and set up alerting based on what I learned; I gained an understanding of what normal user behavior looked like. After several years, I felt like I had enough context and domain knowledge to meaningfully approach user research from a security perspective.

So, of course I was interested in learning more about how other researchers were applying these methods to security. I searched for conferences, talks, and blogs on the topic, but nearly everything I found was heavily focused on things like adversarial machine learning, model hacking, and machine learning for malware classification. While these are fascinating topics that become more relevant every day, I think we’re overlooking the value of security-focused user research.

Maybe it’s not as glamorous as adversarial machine learning, but it’s just as useful and, perhaps even more importantly, I’d argue it’s more accessible. If you’re a marketing or BI analyst, user researcher, or data scientist and this resonated with you, know that there’s a place for you in security.

*This is not to say these fields didn’t exist before a few years ago, but it’s when I first became aware of them.