Eliciting Persona Characteristics for Risk-based Decision Making

Personas are behavioural specifications of archetypical users in Human Factors Engineering and User Interaction research aimed at preventing biased views system designers may have of users. Personas are therefore nuanced representations of goals and expectations that should be addressed when designing systems. Previous work has shown how personas may be validated by grounding in qualitative models; however, more evidence is needed on the applicability for grounding models in risk decision making research. We present an approach for eliciting persona characteristics for risk-based decision making by using Observe Orient Decide Act (OODA) as a modelling baseline. The approach illustrates how modelling personas based on decision makers’ understanding of risk facilitates designing for risk and uncertainty.


INTRODUCTION
Risk-based decision making (RBDM) is explained as an attempt to make informed decisions under conditions of risk and uncertainty. In cyber security, risks are unwanted outcomes resulting from threats, while uncertainty may be characterised by time limitations, insufficient information, and constantly changing environments. Understanding risk-based decision making is a step towards the identification of design requirements that would facilitate decision making under conditions of risk and uncertainty. To achieve this, research techniques must be capable of complementing the differences between system design and risk-based decision making methods.

Risk Rationalisation Process
The Risk Rationalisation Process (RRP) (M'manga, 2018) was devised to communicate the rationale behind RBDM. The Risk Rationalisation Process builds on Boyd's (1996) Observe Orient Decide Act model (OODA) by describing decision making factors that go beyond OODA's situation awareness focus. This includes recognising that decisions are products of multiple weighed and validated options, that decisions are goal driven, and that decision making is an iterative process. While RRP facilitates the understanding of RBDM, on its own it is not sufficient for eliciting and specifying design requirements for RBDM. In summary, RRP comprises the following eight steps:

1) Situation assessment
How may the situation be understood?

2) Goal formation
What is the goal(s)?

3) Information exploration
Which information is relevant for decision making?

4) Information needs assessment
Where can additional decision making information be sourced?

5) Information limitations analysis
What remains unknown?

6) Options generation
What are the alternative decision options and their implications?

7) Options validation
Where could assumptions be incorrect?

8) Option selection
The most informed and objective option is put forward as the basis for a decision.

Personas
Personas are archetypical representations of target users that capture user requirements in user centred design (Cooper et al., 2014). As a representation of a group of target users, their formulation is a result of thematic refinement from a user behaviour corpus. Personas are defined by their characteristics, which typically include activities, attitudes, aptitudes, motivations, and skills.
The authenticity and use of personas have, however, been called into question (Chapman and Milham, 2006), citing a lack of traceability between persona and source data. However, some of the arguments posed by the critics have no bearing. For example, the expectation that two separate teams working on the same data should arrive at identical personas is an impossibility. The nature of qualitative research is not to produce exact replicable results, but to provide consistency (Carcary, 2009). In regard to traceability, Faily & Fléchais (2011) have demonstrated how Toulmin's argumentation model (claims, grounds, warrants) (Toulmin, 2003) can validate the grounding of persona characteristics in source data.
To illustrate: Ben, a Penetration tester persona, has the characteristic (claim) "ethics is a passed on soft-skill that pen testers are obliged to pick up". This is validated by the respective grounds "need to understand client's business to avoid conflict with IT"; these grounds are connected to the characteristic with the warrant "pen testing industry dies if people lose faith in what we do". Both the grounds and warrant are traceable to empirical data (Faily, 2018).
Given that personas are an established technique during the early stages of design, our research aimed at exploring the question: how might persona characteristics be grounded in risk-based decision making research (data)?

Risk rationalisation process to persona mapping
Our approach was to first identify ways of relating RRP to personas validated by the argumentation model (Toulmin, 2003). By doing this, elicited persona characteristics addressing risk and uncertainty would be authentic, traceable to empirical data, able to stand up to validation, and grounded in rational risk-based decision making data.
The Risk Rationalisation Process has seven steps, from Situation assessment to Option validation, that outline a normative approach to risk rationalisation. Option selection, the final step in RRP, was intentionally left out as it is only a product and not a risk rationalisation facilitator. On the other hand, the argumentation model only has three key parts: claim, grounds, and warrants. Randomly matching the two methods had a high likelihood of producing redundant or inconsistent persona characteristics. For example, information identified during Information limitations analysis could also appear during Option validation as a reason for selecting one option over another.
To overcome this problem, we analysed RRP and categorised it into three groups: Assessment (steps related to situation understanding), Goals (steps related to option selection), and Validation (steps related to verification) (see Figure 1). These were then mapped to claim, grounds, and warrants respectively.

Persona characteristics elicitation
The second part of our approach took the form of a persona characteristics elicitation exercise aimed at validating the RRP to persona mapping, and at providing additional validation for RRP's risk-based decision making facilitation.
The elicitation exercise was carried out in Japan with a group of 30 industrial participants undertaking a cybersecurity course. Cybersecurity was chosen as its activities exemplify RBDM in action. Participants were drawn from 11 different sectors including Transport, Oil, Electricity and Manufacturing, with experience ranging from 1 to 20 years.
Participants were trained on RRP and then provided with a cybersecurity decision making scenario containing elements of risk and uncertainty (see Figure 3). Participants were then asked to come up with a solution and provide a rationale for their decisions using RRP. Responses obtained were categorised as assessment, goals, and validation (explained in Section 3.1); these were then thematically analysed for clusters of risk rationalisation variables using the qualitative data analysis tool NVivo. Following the RRP to persona mapping, we used the Persona Case technique (Faily & Fléchais, 2011) to elicit behaviour variables; these were exported to a spreadsheet and categorised according to Toulmin's argumentation model. Finally, the spreadsheet was imported into CAIRIS (Computer Aided Integration of Requirements and Information Security), a tool supporting the Persona Case technique, and capable of supporting argumentation models for persona modelling (Faily, 2018b). Figure 2 summarises the persona characteristics elicitation flow from scenario to persona formulation.

Decision making facilitation
The first part of the findings relates to RRP's capability in facilitating RBDM.
• Out of the 30 participants, 28 successfully used RRP to illustrate the rationale behind their decision.
• Participants found that the hypothetical nature of the scenario made identifying limitations in their rationale hard. Identifying limitations is an expectation in the two validation steps: Information limitations analysis and Option validation. Further investigations will be required with actual scenarios.
• A commonly proposed solution to the scenario was the use of the Shinkansen (bullet train) as a physical transfer alternative. This illustrates the influence national/geographic factors have on the participants' perception of risk, as it would be an unlikely option in other countries. Putting the finding in perspective could imply carrying out a comprehensive risk assessment on the use of the Shinkansen as an information transfer alternative.
• While RRP has Situation assessment as a first step, findings have shown that this is only applicable to Reactive risk analysis. Proactive risk analysis (illustrated in the scenario) inverts the first two steps, starting from Goal formation to Situation assessment. The reasoning behind this is that the goal prompting risk assessment precedes the risk encounter during proactive analysis.

Persona characteristics facilitation
The second part of the findings relates to validating the mapping from RRP to persona characteristics.
Fourteen RBDM persona characteristics (claims) were elicited for a persona (Rio), each with supporting grounds and warrants. As an example, the characteristic "Enquire on business partner's security capabilities" indicated that the participants were willing to negotiate less secure transmission options as grounds to the warrant "Transfer compatibility". The finding hints at a need to establish procedures for the selection of less secure information transmission options. Figure 4 illustrates this characteristic as modelled in CAIRIS.

CONCLUSION AND FUTURE WORK
In this paper, we presented a method for eliciting persona characteristics for risk-based decision making by adapting techniques familiar to UX (User experience design) researchers and Human Factors engineers.
The premise of the method is to use personas in facilitating the specification of requirements during the early stages of design for risk-based decision making.
We demonstrated methods for authenticating and validating personas by proving traceability to empirical data, and by grounding characteristics in justified risk decision making. Our method focuses on eliciting characteristics for risk-based decision making. It does not, however, preclude the use of complementary methods for designing a well-rounded persona.
For future work, the personas will be re-framed as a goal model. Goal modelling is used in Requirements Engineering for specifying and negotiating requirements. Additional studies will also be conducted to further identify how RRP can support design for risk-based decision making.

ACKNOWLEDGEMENT
The research was funded by Bournemouth University studentship DSTLX1000104780R_BOURNEMOUTH_PhD_RBDM, with the initial collaborative meeting between UK/Japan researchers facilitated by support from the Great Britain Sasakawa Foundation. We are also grateful to DSTL for their sponsorship of this work.

Figure 1: Categorisation of RRP

Figure 3: Problem scenario