The EMERALD solution, and especially the EMERALD UI, is designed to bring together the functionalities of the individual EMERALD components in an easy-to-use and intuitive way, so that it serves as the main access point to the cloud cybersecurity domain for our target users. Our target users are compliance managers and auditors as well as technicians. To elicit our target users’ needs and increase user acceptance, we developed a set of personas together with the EMERALD pilot partners. Personas are fictional, research-based representations of target users, designed to help the EMERALD consortium understand and empathize with its target users. Their purpose is to guide decision-making by aligning the EMERALD solution with the needs, goals, and behaviours of real users.
The EMERALD personas can be divided into three stakeholder groups – compliance stakeholders, technical stakeholders, and auditor stakeholders. For each stakeholder group, we briefly present its overall goal before introducing each persona individually – first by presenting their working tasks, followed by how the EMERALD UI could or should support them. For each persona, we have developed a so-called “Persona-on-the-go” – a summary of the main characteristics in one figure.
Compliance Stakeholders: The goal of compliance stakeholders is to thoroughly prepare for a certification; they would like to use the EMERALD framework to set up, manage and monitor their certifications and to enable lean re-certification. The following three personas belong to this stakeholder group:
Riley – Cloud Provider Compliance Manager. Tasks: Riley’s tasks consist of checking audit timelines, organizing and delegating tasks during audits, acting as the contact person for auditors, and reporting audit status internally. Riley’s goals are to support the company in being trustworthy, to perfect audit processes, to stay up to date with security standards, and to perform tasks more efficiently. Pain points for Riley are the dependency on others to finish tasks on time, the lack of efficient audit tools, and the lack of understanding of complex certification frameworks. EMERALD Context: EMERALD should help Riley with day-to-day tasks by speeding up the work. For that, traceability and transparency of the work should be ensured. Further, process steps should be automated, and metrics, controls and evidence should be made reusable for upcoming audits. Simplifying the creation of audit reports would also help Riley in the day-to-day work.
Emerson – Compliance Manager in Financial Services. Tasks: Emerson’s tasks consist of, among other things, defining the audit scheme, including the controls that must be fulfilled by the cloud provider, and assessing the evidence provided for the respective controls. The goals are to ensure that all service providers comply with current regulations and to ensure safety by mitigating the risks associated with audit requirements. Pain points in Emerson’s day-to-day work are that communication with other departments is sometimes not fluid and that tasks such as the verification of multiple pieces of evidence are not automated but must be done manually. EMERALD Context: EMERALD could help Emerson in day-to-day tasks by allowing them to create their own certification schemes, by providing a centralized point for evidence, metrics, and controls, and by automating tedious processes and the management of numerous audits, thus minimizing human error and workload.
Dylan – Internal Control Owner. Tasks: Dylan’s tasks consist of defining metrics, collecting evidence for controls, and assigning and delegating control implementation to the team. The goals are to increase the transparency, traceability, and accessibility of evidence. Additional goals are to have no non-compliances and to ensure a high level of security. Pain points are manual tasks that must be addressed in addition to the day-to-day activities, repetitive tasks, and the difficulty of tracking how controls are distributed. EMERALD Context: EMERALD could help Dylan in their day-to-day tasks by simplifying task delegation, providing an overview of assigned controls and displaying assessment results. Further, it should allow tracking the progress of ongoing audits, defining target values, and monitoring and extracting evidence with dedicated tools.
Technical Stakeholders: The goal of the technical stakeholders is to support the management and implementation of metrics and the corresponding configurations. The following persona belongs to this stakeholder group:
Morgan – Technical Implementer. Tasks: Morgan’s tasks include the implementation of metrics, the deployment of new cloud services and the upgrade of existing cloud services. Additionally, Morgan has to set up verification mechanisms, install roll-back mechanisms and perform system configuration tasks. Pain points include the use of different tools for different kinds of evidence collection, the absence of a global overview of evidence, and the possible impacts of cloud service upgrades. EMERALD Context: The EMERALD UI should provide a to-do list, allow checking the status of controls and evidence, and offer the possibility to assign controls and metrics to other colleagues. It should offer a history view of changes to metrics and should allow checking the status of the certificate.
Auditor Stakeholders: The goal of auditors is to use the EMERALD solution to manage audits, to review controls, evidence, and the respective documents, and to easily create reports at different levels. The following three personas belong to this stakeholder group:
Charlie – Internal Auditor. Tasks: Charlie’s tasks include managing audit processes, preparing audits, conducting audit interviews, and participating in training on compliance updates. Further, Charlie provides templates to customers, performs survey analysis, produces reports at different levels (organizational, technical), checks controls and procedures for non-conformities and checks evidence. The goals are to provide easy access to information and evidence, reduce risks, fulfil audit KPIs, and help customers. Pain points are getting in contact with the responsible person and obtaining the correct information, updating different schemes, considering a vast number of requirements and controls for audits, manual and tedious processes, and the distributed tools used during the audit. EMERALD Context: The EMERALD UI can support Charlie’s daily tasks by providing an overview of the required information, enabling continuous capability checks, advanced searches, and reusable audit information. It offers features such as information export, detailed report generation, and a simplified evidence management system for combining evidence from various sources. Additionally, it automates repetitive tasks, measures metrics, facilitates the exchange of cloud service information, and integrates external services such as ticketing systems.
Eero – External Technical Auditor. Tasks: Eero’s tasks involve the identification of attack paths, the improvement of customer systems and their components, enhancing cybersecurity through hardening measures, and conducting technical analyses using both tools and manual methods. Pain points are that the audit scope and the target of certification are vague, that customers fail to do the preparation work for the audit (access rights, authorizations, and processes), and that communicating the audit scope and reaching a common understanding of it are challenging. EMERALD Context: The EMERALD UI should provide a clear distinction between manual and automated tests, including a task list for manual testing. It should allow manual enrichment of automated test results, such as marking false positives or adding detailed outcomes. The UI should guide inexperienced testers through manual test cases, support the creation of custom tests, and display raw data to build trust in the tool.
Jaarko – External Lead Auditor. Tasks: Jaarko’s tasks include ensuring an adequate scope, selecting the correct assurance level from the certification scheme, identifying appropriate controls, and verifying that the chosen metrics align with the assurance level of the selected certification scheme. Additionally, the role involves auditing implemented controls, reporting findings, and making certification decisions. Major pain points are that customers are not prepared for the audits, the low maturity of the customer’s cybersecurity solution (system and documentation), and that the customer is often interested only in obtaining the certification at the minimum level rather than in improving cybersecurity. EMERALD Context: The EMERALD UI should allow auditors to adjust metric target values and organizational metrics if they are deemed inadequate. It should provide visibility into external interfaces to assess their control and potential attack surface. Manual evidence can be added via the UI to supplement automated evidence, and auditors should be able to extract responsibility information from policy documents and track their update frequency.