Security Empowerment

PROJECT OVERVIEW

This project came to us via Risk Management. Earlier this year we discovered some ‘bad’ guys were using social engineering to mine Realm data.

There has been NO data breach, we are secure, and data is continually being guarded.

These people used standard invite requests and registration links to gain access to sites. At that point, the online directory was the place they were able to gather limited information.

This year we found suspicious emails on 647 sites.

The problem is that’s really hard to know what’s real and what’s not.

Product Type /

Web / Mobile

Role /

UX/UI Design

Year /

2022

CONTEXT

Reassure participants that we at ACST take data security and privacy very seriously. There have not been any data breaches.

This project will help us give our ministry partners the tools within Realm to empower them to secure the privacy of their staff and congregants'/parishioners' contact information.

PROBLEM

1. Currently, Ministry partners don’t have the ability to control at a church level what displays for a profile that is viewed by congregants with a login. Privacy is controlled by the congregates, but our Ministry Partners don’t have a level of control for what’s seen by congregants.

2. As a company, we know how important data is and the need to be secure. We need to make sure clients understand the importance of keeping their data safe.

UX OUTCOMES

(The improvement we want to make in someone’s life.)

If we do an awesome job providing better security in Realm…

Congregants will be empowered to take control of their privacy.
Staff will be empowered to set security measures that work for their church.
Church staff will be aware of and be able to take appropriate actions on suspicious accounts.
Congregants’ contact information will only be accessed by trusted people within the church.

SUCCESS METRICS

(The exact moment we’ve achieved our experience outcome.)

If we do an awesome job providing better security in Realm…

Reports of phishing scams in Realm by ministry partners are reduced by 100%.
Delete 100% of all known phishing scam accounts.

PROGRESS METRICS

Determine how many attacks have happened in the last year
Determine suspicious behavior.
Determine how this affects native apps

PROJECT GOAL

Empower church staff to set security measures in Realm that protect their congregation from incidents.

USER GROUPS

Administrators using Realm’s Connect or Multiply packages.

IDEATION

WIREFRAME

1. Preventing malicious people from entering church sites

2. Additional warnings when inviting people

3. Detect suspicious account activity and make admins/staff aware

4. Leverage member status to create guardrails

5. Signed in with the Attending or Other member status

VALIDATION TESTING

Participants
There were a total of six participants across six sessions. Participants were recruited from the UX Research Participant database. The target audience was Realm administrators with a Connect or Multiply package. A range of denominations, typical weekly attendances, and geographic locations were represented.

Purpose & Goals
The purpose of these sessions was to provide a tool that will empower church staff to set security measures in Realm that will protect their congregation from incidents. The main goal of this study was to determine if the security measures put in place using member status meets the needs of our ministry partners. We also explored the value of warning messages when sending Realm invites.

FINDINGS

General

Note: All participants in this set of sessions were closed model churches.

Note: Participants were divided in experiencing someone that was not part of their congregation requesting a Realm log in. The participants that had experienced this stated Realm did not help them recognize these unfamiliar profiles.

Prototype 1 _ Member Status for Additional Security

Validation:

Participants are utilizing the default member status field at their church.
Participants found the new Security and Privacy screen intuitive and easy to understand.
Participants found the additional information bubbles on the child profile and contact info toggles helpful.

Opportunity:

The option to control contact information on a more granular level was desirable. Consider providing additional contact information controls such as the ability to choose if names and photos are displayed.

Prototype 2 _ Security Reminder for Invites

Note:

In addition to sending Realm invites, participants are mainly receiving requests for a Realm Connect login through the sign up request feature through Realm.

Opportunity:

While participants found the security warning message useful, the wording in the message was not immediately clear to all participants. Consider additional validation on the messaging.

A: Realm Invites / Adding a New Profile

B: Realm Invites / From an Existing Profile

Validation:

When sending a Realm Invitation from an existing profile in Realm, participants were very confident the profile was a trusted source.

Prototype 3 _ Reviewing the Realm Account Sign Up Requests Page

Note:

Participants are currently using the reporting dashboard overview at their church.

Validation:

Participants found the warning message on the Realm account sign-up request screen useful.

Prototype 4 _ Reviewing the Realm Account Sign Up Requests Page

Validation:

The new member status column on the new people screen in the reporting dashboard was useful and desirable.

Opportunity:

Participants stated they would also like the ability to view the new member status information directly from the profile in Realm as well. Consider adding this functionality to profiles.

Prototype 5 _ Signed in with the Attending or Other member status

Congregant/Parishioner’s Perspective

Validation:

The limited view directory from the congregants perspective was satisfactory.

Note:

The data was not significant enough to validate if being able to receive and respond to chats without the ability to initiate a chat is a desirable feature for limited view access congregants.