← Work

Amazon · Summer 2024

Giving investigators their inner Sherlock Holmes back.

Redesigning a dashboard used by Amazon's security investigators — built into an existing case management system — to help them prioritize work, track progress, and act without friction.

RoleUX Design Intern
TimelineSummer 2024
TypeNet-new Feature Design
FocusEnterprise UX, Workflow Design

The setup

An unreleased product just went public.

Day 0

Photos of an unreleased Amazon Echo appear online. The product hasn't been announced. How did this get out?

12 hours later

A security investigator — let's call her Lisa — gets assigned to find the source of the leak before more information escapes.

Day 1, morning

Lisa opens the Investigations Dashboard. She has 17 active cases and no idea where to start. The tool she relies on most is working against her.

Discovery

The system was making investigators feel like they were guessing.

I surveyed and interviewed 18 security investigators. What I found was people adapting to a broken tool rather than the tool adapting to them.

17
Average active cases per investigator at any given time
50%+
Of investigators find it hard to collaborate with supporting teams
~0
Investigators who primarily used the dashboard to start their day

"I feel like I'm guessing what to do next. I just open cases randomly and hope I pick the right one."

— Security Investigator, survey response

Three challenges surfaced in nearly every interview: knowing which case to work on first, tracking progress across a large caseload, and reaching supporting teams when a case got stuck waiting on someone else.

Defining

Two investigators, the same broken tool.

Lisa
Senior Investigator
Needs to quickly prioritize her caseload and track progress across all of them. Currently digs into each case individually to understand status — a process that can take her entire morning.
"I spend more time figuring out what to work on than actually working."
Raj
Mid-level Investigator
Has been flagged for missing response deadlines — not because he's slow, but because he never knew his cases were stalled waiting on another team. By the time he realized, it was too late.
"I got in trouble for something I didn't even know was happening."
1

Logging in — no starting point

The dashboard shows a wall of case IDs and subjects. Nothing about status, urgency, or what needs attention today. Investigators have to memorize which numbers map to which cases.

2

Case prioritization — forced guessing

With 17 average active cases, there's no system for surfacing what's most critical. Investigators click through cases one by one, hoping to stumble onto something urgent.

3

Tracking progress — invisible bottlenecks

Cases stuck waiting on another team showed no signal. Raj's missed deadlines happened because nothing in the interface communicated that a case had stalled — or who was responsible for unblocking it.

The old system

Tables stacked on tables.

Before proposing anything, I audited the existing dashboard. The fundamental problem: every case was represented as a row in a table, with only the case ID and subject visible. Nothing else.

Before — existing system 17 cases, no priority signals, no next steps
All Cases (17)
Case IDSubjectOpenedStatus
SEC-2847Unreleased Product Photo LeakApr 2Active
SEC-2831Unauthorized Data Access — AWSMar 29Active
SEC-2819Supplier NDA Breach InvestigationMar 25Active
SEC-2807Insider Threat — Finance TeamMar 20Active
SEC-2794Third-Party Vendor Access AuditMar 15Active
SEC-2781Phishing Campaign — EU RegionMar 10Active
SEC-2770Code Repository ExfiltrationMar 6Active
SEC-2762Employee Device CompromiseMar 1Active
SEC-2751Access Control Policy ViolationFeb 25Active
SEC-2743Social Engineering Attempt — HRFeb 20Active
+ 7 more cases not shown · No priority indicators · No status details · No next steps

The audit logs were just as unhelpful — timestamped entries with no context. And there was no visual distinction between a P1 case that needed immediate action and a low-priority case from three weeks ago. Everything looked the same.

The core problem

The system was built around data storage, not decision support. It showed investigators everything equally, which meant it helped them with nothing specifically.

Feature 1 — Case prioritization

Give investigators control over their signal-to-noise ratio.

The goal: let investigators pin specific cases to surface focused status at the top of their queue — cutting through 17 cases to show what actually needs attention that day.

I explored three directions, each with a different approach to how much information a pinned case should show.

Design A
Minimal flag + modal
A pin icon on each row. Clicking it flags the case; details open in a modal overlay.
Rejected — too many clicks to get useful info
Design B — Selected
Inline priority cards
Starred cases surface as rich cards at the top — status, summary, latest update, next step, and lead in one view.
Validated — A/B preference + data sufficiency tests
Design C
Full sidebar panel
A persistent right-hand panel showing starred cases. Rich but took up too much real estate.
Rejected — reduced space for active case work

Design B was validated through preference tests with 12 investigators and data sufficiency tests — confirming that the card showed exactly what was needed to take action without opening the full case. Engineers implemented it; I then ran usability tests measuring time-to-first-action, information clarity, and error rate.

Priority cases — watch list SEC-2847 is pinned to the watch list
My Queue 3 active sort: SLA ↑
pin to watch list
61
SUS Before
88
SUS After
Usability score jumped from "Ok" (61) to "Excellent" (88) on the System Usability Scale (SUS) — a 44% improvement. Time-to-first-action dropped significantly. Errors from misreading case information fell to near zero across all test sessions.

Feature 2 — Case transparency

The answer was already in the case log — just invisible.

With 17 cases to manage, investigators needed a way to quickly recall what was happening in a case without clicking into it. I tested three popover designs that appeared when hovering a case ID — each showing a different amount of information. The core question: how much detail is helpful before it becomes disruptive?

Option A
Sparse tooltip
Status + subject only. Fast to scan, but left too many questions unanswered.
Rejected — not enough info to triage
Option B
Medium tooltip
Added case lead. Better, but investigators still had to open the case for next steps.
Rejected — still required a follow-up click
Option C — Selected
Dense tooltip
Status, summary, lead, and next step. Enough to fully triage without opening the case.
Validated — workflow interrupt + backlog triage tests

Key finding

The dense popover gave investigators enough information to assess and act on a case without opening it — effectively a triage tool that didn't interrupt their flow. Investigators using option C were significantly faster at identifying bottlenecks than those using any pop-up or full-card alternative.

Case log — popover density comparison three iterations shown below, option C selected
Case Log 3 of 17 filter: assigned to me
Apr 4, 2024 · 14:30
Case ID ↕ Investigation Opened ↓ Lead Status
SEC-2847
Unreleased Product Photo Leak Apr 2 L. Chen Investigating
SEC-2831
Unauthorized Data Access — AWS Mar 29 R. Patel Bottlenecked
SEC-2819
Supplier NDA Breach Investigation Mar 25 L. Chen Active
Popover density — three iterations compared for case SEC-2847
A — Sparse
SEC-2847 · SEC OPS
Unreleased Product Photo Leak
Invest.
Echo device images published on third-party blog 48h before embargo.
Lead: L. Chen
B — Medium
SEC-2847 · SEC OPS
Unreleased Product Photo Leak
Invest.
Echo device images published on third-party blog 48h before embargo.
Filed
Evid.
Coord
Legal
Close
Lead: L. Chen
C — DenseSelected
SEC-2847 · SEC OPS
Unreleased Product Photo Leak
Invest.
Echo device images published on third-party blog 48h before embargo.
Filed
Evid.
Coord
Legal
Close
Apr 4 14:22Access logs exported from Portal
Apr 4 09:113 accounts flagged in eu-west-2
Next: Complete access log review by EOD

Feature 3 — Bottleneck visibility

Investigators didn't need to find the bottleneck. They needed to understand it.

Early in research I assumed the problem was investigators couldn't identify bottlenecked cases. I was wrong. They knew cases were stalled — what they didn't know was where in the process the stall was occurring and who owned it.

I designed a stage tracker embedded within each case, showing the investigation lifecycle as a series of steps with clear ownership and status at each one. The key insight: show investigators not just that a case is stalled, but exactly which step owns the block — and whether that block is preventing downstream steps from starting at all.

Investigation timeline — SEC-2847
SEC-2847 Unreleased Product Photo Leak
Opened Apr 2 · Lead: L. Chen
01 · Filed
02 · Evidence
03 · Coord
04 · Legal
05 · Close
Step 3 · Bottlenecked · 3 days stalled
Team Coordination
Waiting on Supplier Risk team response. No reply in 3 days. SLA breach in 2h.
Escalation contact
supplier-risk-escalations@amazon.com
Step 4 · Cascading block
Legal Review
Legal cannot start until step 3 resolves. This is not an independent issue — it is a downstream effect of the coordination block above.
Previously invisible to investigators
Before — what investigators saw
SEC-2847 Active No stage info
After — bottleneck located immediately
SEC-2847 Bottlenecked Step 3/5 · 3 days · cascade →4

This component was validated through concept and usability testing. The design shown above — stage bar with ownership labels, days stalled, and escalation contact — was consistently preferred. Investigators described it as "finally seeing where the fire actually is."

Outcomes

Lisa found her Sherlock Holmes again.

Across all three features, the redesigned dashboard showed substantial improvements in every usability dimension measured. The system went from something investigators actively avoided to a primary tool for starting and managing their day.

Measured results

SUS 61 → 88 — usability score across all three features. Time-to-first-action dropped significantly on the priority queue. Bottleneck identification went from "unknown" to correctly located on the first try for every test participant.

What I learned.

User-centered design is only as good as the research behind it. The bottleneck insight — that investigators needed location, not detection — only came from going deeper than surface-level complaints. If I'd stopped at "they can't find bottlenecks," I would have built the wrong thing.

Iteration isn't just changing the design. Each round of testing with investigators produced specific, actionable feedback that changed not just the visuals but the underlying information hierarchy. The SUS jump from 61 to 88 didn't come from polish — it came from repeatedly asking "does this actually reduce your decision-making time?"

Collaboration across functions changes what you build. Working closely with engineers shaped what was feasible; working with investigators shaped what was necessary. Neither alone would have produced the same outcome.