Travel Security Service Design Challenge – Higher Education & Research
#servicedesign #participatoryresearch #designresearch #codesign #designstrategy #theoryu #systemsmodelling #prototypelab
Industry: Higher Education
Role: Consultant
Team size: 3
No. stakeholders: 12
Facilitation team composition:
- Design and Innovation Consultant
- 2 Service Design interns
summary
- Led the delivery of a participatory design research project aimed at exploring how a top tier Australian University might better support their researchers to safely collaborate internationally and empowering operational staff to lead a program of service improvements.
- Facilitated a mindset shift in the approach to provisioning security services to researchers from command and control to partnership through design-based facilitation and coaching approaches.
- Co-designed three service design innovations that supported increased collaboration between operational staff and increased researcher compliance with travel security protocols.
- Improved the traveller experience for researchers by identifying and removing ineffectual and high friction protocols in the lead up to travelling overseas.
- Aligned and coached four departments with a history of collaboration issues towards a common goal and defined a new way of working between departments.
the ask
To review and bolster the provisioning of security protocols (including technical equipment) to researchers ahead of travel internationally in order to increase compliance. The risk of IP theft and personal harm to researchers whilst overseas made international travel high risk and very costly. The technical constraints regarding security access and provisioning were extensive and compliance with security protocols was historically extremely low.
The project sponsor was the Chief Information Security Officer (CISO) who represented an internal group of security officers and the operational staff responsible for managing the travel process. The catalyst for the project was pressure from the University’s senior leadership team to increase compliance to reduce risk of harm to researchers and IP theft. The underlying assumption from many of the security officers and operational staff was that researchers would not comply with security protocols because they didn’t see security as important or were apathetic.
The objectives of the project were to:
- Increase compliance from researchers with security protocols.
- Increase awareness of the importance of security protocols for researchers travelling overseas.
- Improve the relationship and collaboration between operational departments.
- Empower operational departments to lead continuous improvement changes in their areas.
the approach
The pervasive nature of the low compliance to security combined with fixed beliefs on the nature of the problem and strong opinions about the solution suggested that a highly participatory and transformational framework was required. It was also a requirement that the operational teams felt a sense of ownership of the project and were able to lead the implementation of any change interventions independently from the facilitation team upon completion. The Theory U framework was selected due to its highly participatory researcher approach and capacity to support individual mindset shifts and system level change. The process comprised of five key phases (see diagram below) and involved a series of workshops with a diverse group of researchers and the operational teams responsible for provisioning travel services to researchers. The aim of this approach would be to facilitate a lived experience of empathy with the researchers that challenged the entrenched belief systems of the operational teams and allow them to collectively see how they might be unintentionally creating the outcomes that they sought to remedy.
the work
Co-initiation: Uncovering the common intention and challenges.
The assumption that researchers were apathetic to security concerns manifested in strong beliefs from the project sponsor and operational teams that the solution was more controls and a general bolstering of the existing protocols. To test this assumption early in the project and ensure the right approach, rapid research probing activities were conducted using ethnographic interviews with a small sample or researchers and secondary research. These research probes were aimed at testing the assumptions of apathy, getting a sense of the disfunctions of the system and understanding what is known from the literature on the efficacy of control-based security interventions.
The outcome of the research probes indicated that researcher apathy towards security may not be the reason for the low compliance rates. Researchers were highly enthusiastic to participate in the research and expressed a genuine desire to help make the University more secure. Outcomes of the literature review found that control-based security approaches typically resulted in lower compliance and increases in security breaches. By articulating the outcomes of the initial probing research and presenting secondary research of the costs and inefficiencies of poorly designed control-based mechanisms of security (i.e., forcing people to change their password every 3 months resulting in more insecure password protection), the project sponsor and operational teams agreed to expand the scope of the research lens and conduct a deep dive on the lived experience of researchers whilst travelling.
Co-sensing: Deep listening to the whole system.
For co-sensing a full day research workshop with eight researchers and eight representatives from the security and operational teams were conducted. Researchers included a wide range of researcher demographics including early career researchers, international researchers and superstar researchers or department directors. The workshops included a speed dating journey mapping exercise whereby operational staff interviewed researchers and mapped their end-to-end international travel experience and then a 3D modelling exercise where researchers and operational staff were invited to map the research travel system.
The outcome of the workshops was a complete shift in the mental models of the project sponsor and operational staff. They were surprised to learn that researchers care more about protecting their IP and are vigilant about security when travelling overseas. They also had far more sophisticated techniques to protect themselves however the University protocols in place made it difficult for them to apply them unless they abandoned the protocols of the University. In other words, it was the controls that aimed to increase compliance that were actively driving the low compliance rates. This insight shifted the collective mindsets of the operational teams who by the end of the workshop unanimously agreed that more controls were not the solution and made a commitment to the researchers present to overhaul their current policies and practices. The new goal for the project being, how might be better enable researchers to protect themselves and their IP when travelling overseas.
Presencing: Connecting each individual and the group’s sense of meaning and purpose
To crystalise the insights from the workshop, a series of short check in sessions with each of the operational teams were conducted. These sessions invited stakeholders to reflect on what they had learnt, what they needed to let go of and what they felt needed to emerge. The teams’ new understanding that they had been unintentionally contributing the problem that they sought to remedy acted as a powerful catalyst for new ideas that the team were eager to explore.
Co-creating: Embracing the desired future possibilities.
To build on the momentum of the insights gained from the researcher workshop, a series of ideation and prototyping labs were conducted with the members of the operational and security teams. Three ideas emerged from the ideation process that the stakeholder groups felt would be the most impactful and these were quickly prototyped into high level concepts in the labs. Participants worked in groups on one prototype and then presented their concept to the other groups for feedback and iteration. The outputs of the prototyping sessions were captured in a take home canvas which would then be used to playback the concepts to researchers for feedback. Each group was assigned a lead who was then responsible for reaching out to the researchers from the first session to capture feedback and input on the concepts.
Ideas:
- Risk cube: a new risk model that enabled a more self-service approach to security protocols and allowed researchers to clearly understand what they needed to do and why, when travelling overseas. This included an uplift and removal of redundant policies.
- Travel portal uplift: centralisation and streamlining of all protocols that enabled a more self-service approach and allowed researchers to easily comply with the protocols that were relevant to them based on the risk cube.
- Culture program: To support the early researchers and first-time travellers, a cultural program that empowered researchers to take charge of their security was designed.
Co-evolution: Making commitment to collective action.
Prototype leads were responsible for collecting feedback from researchers and determining the best way to implement feedback. Feedback from researchers was overwhelmingly positive, with many researchers eager to be involved in the implementation process. Once feedback had been collected, each prototype was then prioritised for development and deployment in the respective areas. Business cases were developed for prototypes that incurred a cost i.e. portal uplift. Prototypes were implemented over the next 6 – 12 months in alignment with the University’s project delivery prioritisation process. The facilitation team formally completed their engagement with the stakeholder group at this stage of the project. Due to time constraints and irregular implementation of each prototype, no formal evaluation was approved to be conducted. Anecdotal feedback from the researchers engaged in the discovery remained positive post implementation.
the outcomes
- Facilitated a mindset shift in the approach to provisioning security services to researchers from command and control to partnership through design-based facilitation and coaching approaches.
- Co-designed three service design innovations that supported increased collaboration between operational staff and increased researcher compliance with travel security protocols.
- Improved the traveller experience for researchers by identifying and removing ineffectual and high friction protocols in the lead up to travelling overseas.
- Aligned and coached four departments with a history of collaboration issues towards a common goal and defined a new way of working between departments.
learnings
- Buy in to the approach by the project sponsor was critical in creating the space for deep listening and reflection which was integral to the mindset shifts achieved within the operational teams.
- Agreement to an evaluation process at the beginning of the project would have improved the perceived value of the project outside of the stakeholder group and improved prioritisation of the prototypes for implementation.
- Tactile tools created the psychological safety for participants to share their ideas and perspectives openly and allowed participants to critically engage with those ideas without ego or attachment.
- Training designer interns whilst delivering a project requires an overhead for additional scaffolding, training and coaching.