Signal | Human Risk Intelligence
Designed a security incident investigation screen that puts the human behind the alert at the center, giving analysts the context they need to make better decisions, faster.
Role: Product Design (Independent Concept)
Deliverables: Single-screen deep dive · Interactive prototype · Case study
Focus: B2B Enterprise UX · Dense data interfaces · Human-centered security
Security teams don't lack data. They lack the story behind it.
When a data exposure incident is detected, existing tools show a file name, a severity level, and a policy violation. What they don't show is who the person is, whether this was a mistake or intentional, and what the right response actually looks like. Analysts are expected to make consequential decisions about real people, with almost no human context.
The gap isn't in detection. It's in interpretation. An alert that says "HIGH RISK" without explaining why, or who, forces analysts to guess. Signal replaces the guess with a structured human profile, a behavioral timeline, and an intent model that makes the story legible before any action is taken.
Design Decisions & Trade-offs
Spectrum, not binary
The intent gauge shows a confidence percentage rather than a binary label. Reality is a spectrum. A 30% deliberate score requires a different response than 80%. Showing the number forces precision.
Transparent signals vs. cognitive load
Showing the individual signals that built the score adds complexity. But hiding them would make the system feel like a black box. Analysts need to be able to disagree with the model, so we showed the reasoning.
Action weight and consequence
Notify manager and Escalate to Insider Threat are both recommended, but one is reversible and low-stakes, the other is serious and permanent. The design had to communicate that difference before the analyst clicks.
The Screen
One incident. One analyst. Every relevant signal, in a single view.
What the screen is actually doing
Every column in the layout carries a distinct job. The left column answers who. The center column answers what happened. The right column answers how certain we are and what to do next. Together they replace a single alert with a complete picture.
Who
Human context
The left column establishes who the person is before showing what they did. Tenure, clearance, manager, and device make every other signal meaningful.
Profile · tenure · clearance
Risk score + 24h delta
Peer deviation · watchlist status
What happened
Incident timeline
The center column shows a sequence, not a snapshot. Each event is timestamped and ordered — turning isolated alerts into a readable narrative.
What to do
Response
The right column produces a score the analyst can interrogate. Every contributing signal is listed with its weight — so the model can be overridden, not just accepted.
68% deliberate
Notify manager · escalate to insider threat
Design decisions
Identity before severity
Tenure and clearance change the meaning of every other data point on the screen.
Sequence, not snapshot
A retry 2 seconds after a block is evidence. A single alert is just a flag.
A model you can argue with
Signal weights let analysts override. Trust requires transparency.
What This Proves
Signal demonstrates that enterprise security tools can communicate in human terms without sacrificing technical depth. Designing for data-dense B2B environments doesn't mean accepting visual chaos. It means building structure that holds under pressure. The intent model, the behavioral timeline, and the action hierarchy all speak the language of the domain: they show that good design isn't decoration. It's operational clarity.
© 2026 Guy Bar-Sinai. Built with intention.
This site is a design exploration.