Security by Design — UX and AI in Modern Cybersecurity

Good design is actually a lot harder to notice than poor design, in part because good designs fit our needs so well that the design is invisible, serving us without drawing attention to itself.

— Don Norman, “The Father of User Experience”

In a recent Threat Vector podcast, host David Moulton sat down with Nelson Lee to discuss how user experience and artificial intelligence are revolutionizing cybersecurity operations.

In an industry often dominated by technical capabilities and threat intelligence, the human experience of using security tools frequently takes a backseat. Nelson Lee, who leads product engineering at Palo Alto Networks, brought a refreshing perspective shaped by his experience at consumer tech giants Google and Apple. His insights revealed how thoughtful design and emerging AI technologies are reshaping cybersecurity operations from the ground up.

The Critical Role of UX in Security Tools

Security tools often present a unique design challenge. They must balance comprehensive functionality with operational simplicity. As Lee explained, the cybersecurity domain involves extraordinarily complex datasets, threat scenarios and response options that must be made accessible to human operators under significant time pressure and constraints.

“Security analysts are drowning in information but starving for context,” Lee noted. “The tools we build need to cut through the noise and highlight what matters, when it matters.”

This complexity creates real consequences. When security tools are difficult to use, practitioners avoid them or use them inefficiently. In contrast, intuitive interfaces drive adoption, loyalty and proficiency. Lee pointed out that humans are “fundamentally lazy,” not in a negative way, but in how we naturally conserve energy.

We gravitate toward tools that make our jobs easier and avoid those that create friction. This reflects Don Norman’s concept of affordances, where good tools make their functions obvious through design. When security interfaces fail to provide clear affordances, making actions possible but not discoverable, users struggle to leverage the tool’s full capabilities.

Lee highlighted a clear example with Arcade, the Palo Alto Networks platform for retainer services for Unit 42, the company’s threat intelligence arm. Before Arcade, security teams would waste valuable time digging through emails for contact information during critical incidents, which is inefficient when every minute counts during a breach. Arcade now enables one-click incident response, providing immediate access to crucial information precisely when teams need it most.

Building Information Architecture for Complex Security Operations

So, how do you make complex security workflows intuitive without oversimplification? Lee emphasized the foundational importance of information architecture – how we organize and structure information to make it accessible and understandable.

“This concept of information architecture is really important,” Lee noted. “We as humans like to categorize things and understand: ‘OK, that’s an incident. What’s an incident? How does that relate to an alert?’”

The right information architecture creates an intuitive understanding of how different elements relate to each other. It should be discoverable without requiring a manual. Lee recommended a “breadth-first” approach to UX design, where users start with a high-level view before drilling down into specific areas.

AI as a Transformative Force in Security UX

When discussing the future of security interfaces, Lee became energized about the potential of large language models (LLMs) and generative AI. Far from just augmenting existing interfaces, he sees AI fundamentally transforming how we interact with security systems.

“LLMs have been absolutely mind-blowing for me as far as the last two years in playing in this space. In regards to UX, I actually think LLMs deeply simplify UI and UX,” Lee explained. “The beautiful thing about an LLM is it’s like talking to someone…almost all the information you can get. If you can ask the right question and someone just gives the answer, that’s the easiest. You don’t have to go fumbling or hunting through a UI or dashboard.”

The conversational approach enabled by LLMs represents a paradigm shift in human-computer interaction, moving from visual interfaces requiring navigation to conversational interfaces that deliver exactly what you need without hunting for it. As Lee predicted, “It’s going to be much more natural, much more like how we talk to one another.”

Designing for Trust in AI-Powered Security

Despite the promise, Lee acknowledged the challenges of AI hallucinations and accuracy. The solution lies in thoughtful design choices that enhance trust and verification:

  • Creating UIs that make verification seamless, such as hover interfaces that display source content.
  • Running queries through multiple models and comparing results.
  • Building verification into the workflow, rather than adding it as an extra step.

Lee observed:

From what I’ve seen personally, yes, it might create more problems, but the value it brings is tremendously more than that.

Measuring Success in Security UX

How do you know if your security UX improvements are working? Lee recommended a combination of quantitative metrics (user engagement, task completion rates) and qualitative feedback. The most important questions remain: Are you solving a real problem, and what is the impact of the problem you are solving?

Early in development, qualitative feedback from design partners helps shape the experience. Once deployed at scale, quantitative metrics reveal how the solution performs across a wider user base and different use cases.

When measuring the impact of security UX improvements, organizations should consider tracking these key quantitative indicators:

  • Engagement Patterns – Frequency of tool usage, feature adoption rates and depth of interaction with security dashboards.
  • Efficiency Indicators – Number of steps required to complete common security workflows and rate of successful task completion on the first attempt.
  • Error Reduction – Frequency of user mistakes during critical security procedures and number of help desk tickets related to tool usability.

On the qualitative side, that could mean:

  • Contextual Feedback – Structured interviews with security analysts about their workflow challenges and improvements.
  • Sentiment Analysis – How security teams feel about using the tools during high-pressure incidents.
  • Pain Point Identification – Specific frustrations that persist with current interfaces.
  • Mental Model Alignment – Whether the tool’s organization matches how security teams naturally think about threats and responses.

The Future Is a Frictionless Security Experience

When asked about his vision for the future of security, Lee described a world where systems work intelligently in the background:

I want eyes and ears all the time watching out for me, analyzing what’s going on, and telling me what I need to know. I have systems, solutions, sensors all working together, and there’s something watching for me and doing the analysis. Ultimately, if something does happen that I need to know about, you’ll tell me. And if not, you’ll just take care of it. That’s the dream – just keep me secure. I don’t even have to worry about it.

This vision of frictionless security experiences, powered by AI and thoughtful design, represents the next frontier for cybersecurity teams. As Lee emphasized, “We’re in the middle of a huge paradigm shift. Change is coming – or it’s already here for that matter.”

By embracing design principles and emerging AI capabilities, security teams can build tools that not only protect organizations but do so in ways that enhance rather than hinder human capabilities.

Listen to the Threat Vector episode Smart UX, Safer Systems with Nelson Lee now.

The post Security by Design — UX and AI in Modern Cybersecurity appeared first on Palo Alto Networks Blog.