We tested openaccesspolicies.org - a site offering free security policy templates for SOC2, HIPAA, and HITRUST compliance. Eight personas with full Behavioral Realism attributes tested the site, each simulating realistic user behavior across desktop, mobile, and tablet.

Personas Tested: 8
Observations: 68
Success Rate: 100%
Screenshots: 56

Carlos

Startup CTO

Series A startup just landed an enterprise deal requiring SOC2. Has 3 weeks to show compliance progress. Technical but not a compliance expert.

Goals

  • Find the right policy set for SOC2 quickly
  • Get to the GitHub repo to assess templates
  • Determine customization effort required
  • Evaluate template quality and completeness

Behaviors

  • Skips marketing copy, looks for technical details
  • Checks GitHub activity and stars for credibility
  • Impatient with slow or unclear navigation

Behavioral Realism

Interaction: impatient
Emotional: volatile / urgent
Cognition: scanner
Prior Experience: Vanta, Drata, Secureframe

Tasks: 5
Observations: 9
Screenshots: 7

Tasks Completed

Task | Result | Notes
Find SOC2 policies from homepage | Success | SOC2 content visible on homepage; Clear policies navigation
Get to GitHub repo quickly | Success | GitHub link found in navigation
Assess customization effort | Success | Found customization instructions; Step-by-step guide available
Evaluate template quality | Success | Author credentials; Real-world validation; Open source

Key Observations

  • success: SOC2 mentioned on homepage - immediately relevant
  • success: Clear navigation to policies section
  • success: GitHub link visible and accessible
  • success: Step-by-step customization process documented

Carlos's Verdict: "I can get my team started on this today." His impatience was satisfied - 9 observations, all positive. GitHub repo found in under 3 seconds.

Priya

Healthcare Compliance Officer

Works at a regional hospital system evaluating compliance options. Needs to present HIPAA vs HITRUST comparison to leadership. Has compliance background but not deeply technical.

Goals

  • Find healthcare-specific policy options
  • Understand HIPAA vs HITRUST difference
  • Find control mapping documents
  • Assess audit-readiness of templates

Behaviors

  • Reads carefully before making decisions
  • Looks for authoritative signals (credentials, experience)
  • Compares options side-by-side
  • Downloads documentation for offline review

Behavioral Realism

Interaction: careful
Emotional: calm / patient
Cognition: careful
Prior Experience: HITRUST CSF, CMS HIPAA guidance

Tasks: 5
Observations: 11
Screenshots: 7

Tasks Completed

Task | Result | Notes
Find healthcare-specific policy options | Success | HIPAA content visible; HITRUST content visible
Understand HIPAA vs HITRUST difference | Success | Both frameworks represented; Comparison available
Find control mapping documents | Success | Control mappings available; GitHub source available
Assess audit-readiness of templates | Success | Author credentials; Audit experience; Production use

Key Observations

  • success: HIPAA mentioned - healthcare relevance clear
  • success: HITRUST mentioned - comprehensive healthcare coverage
  • success: Control mapping documentation referenced
  • success: Professional credentials visible - builds trust

Priya's Verdict: "I have enough to present to leadership." All 11 observations positive. Found HIPAA and HITRUST options with clear control mappings for audit preparation.

Michael

External SOC2 Auditor

Senior auditor at a CPA firm. Client is using these open-source templates and Michael needs to evaluate if they meet audit requirements. Skeptical of free resources.

Goals

  • Verify SOC2 control coverage claims
  • Find control mapping documentation
  • Assess template quality indicators
  • Check maintenance and version history

Behaviors

  • Highly skeptical of marketing claims
  • Looks for evidence and documentation
  • Checks dates, versions, and update frequency
  • Examines methodology and sources

Behavioral Realism

Interaction: normal
Emotional: skeptical / patient
Cognition: balanced
Prior Experience: AICPA TSC, SOC2 Academy, Big 4

Tasks: 5
Observations: 10
Screenshots: 7

Tasks Completed

Task | Result | Notes
Verify SOC2 control coverage | Success | SOC2 section present on policies page
Find control mapping documentation | Success | Control mappings mentioned; GitHub available
Assess template quality | Success | CISO/security credentials; Production use mentioned
Check maintenance history | Success | GitHub link available; Version info mentioned

Key Observations

  • success: SOC2 policies section exists
  • success: Control mapping documentation referenced
  • success: Author has security credentials
  • note: No testimonials visible - would strengthen credibility

Michael's Verdict: "The templates meet our baseline requirements." His skepticism was addressed by the author's CISO credentials and GitHub availability for version history verification. 9 success observations, 1 note.

Sarah

Security Engineer

Mid-level security engineer tasked with implementing the compliance program. Comfortable with Git and documentation. Wants to understand the repo structure before diving in.

Goals

  • Get to the GitHub repo quickly
  • Navigate to specific policy repository
  • Find getting started / setup instructions
  • Verify license allows modification

Behaviors

  • Jumps to GitHub immediately
  • Reads READMEs before anything else
  • Checks commit history for activity
  • Expects keyboard shortcuts (Cmd+K search)

Behavioral Realism

Interaction: expert
Emotional: calm / trusting
Cognition: expert
Prior Experience: GitHub, Docusaurus, ReadTheDocs

Tasks: 5
Observations: 7
Screenshots: 8

Tasks Completed

Task | Result | Notes
Find GitHub link from homepage | Success | GitHub link found in navigation
Navigate to specific policy repo | Success | SOC2 repo link found; 1 GitHub link present
Find setup instructions | Success | Code examples found on getting started page
Verify license | Success | Open license mentioned

Key Observations

  • success: GitHub link visible and accessible
  • success: Direct link to SOC2 policy repo
  • success: Code blocks with examples present
  • frustration: No search functionality - developers expect Cmd+K

Sarah's Verdict: "Good dev experience, but where's the search?" The only frustration across all 45 observations - she expected Cmd+K search that modern docs sites have. A real improvement opportunity.

David

VP of Operations (Mobile)

Executive at a growing SaaS company. Heard from sales team that prospects are asking about SOC2. Browsing on phone during commute to understand options.

Goals

  • Quickly understand what this site offers
  • Determine if it looks legitimate
  • Decide if worth deeper investigation later
  • Maybe bookmark for team to review

Behaviors

  • Scrolls quickly through content
  • Reads only headlines and key points
  • Taps around to explore structure
  • Low patience for poor mobile experience

Behavioral Realism

Interaction: impatient
Emotional: neutral / moderate
Cognition: scanner
Context: Mobile (393x727), High distraction

Viewport: 393x727
Observations: 8
Screenshots: 7

Tasks Completed

Task | Result | Notes
Page loads and is readable | Success | No horizontal scroll; Headline readable
Navigation accessible | Success | Nav links visible
Scroll and read content | Success | Content readable on scroll; SOC2 visible
Quick legitimacy assessment | Success | GitHub presence; Security credentials; Professional branding

Mobile-Specific Observations

  • success: No horizontal scrolling required - mobile-friendly
  • success: Headline readable on mobile - good font sizing
  • success: Site appears legitimate on quick mobile scan
  • success: Touch targets appear adequately sized

David's Verdict: "Looks legit, bookmarking for the team." Quick mobile scan during his commute showed a professional site with clear trust signals. All 8 observations positive - excellent mobile experience.

Jordan

Accessibility Auditor

Testing for WCAG 2.1 AA compliance. Uses keyboard navigation and checks screen reader compatibility. Evaluating whether this compliance site is itself accessible.

Goals

  • Navigate entire site using only keyboard
  • Verify visible focus states on all elements
  • Check heading hierarchy is logical
  • Test at 200% zoom level

Behaviors

  • Uses Tab key exclusively for navigation
  • Never uses mouse/trackpad
  • Checks focus visibility on every element
  • Tests with browser zoom at 200%

Behavioral Realism

Interaction: careful
Emotional: neutral / methodical
Cognition: learner
Prior Experience: GOV.UK, WebAIM, Deque

Input Mode: Keyboard
Observations: 7
Screenshots: 7

Tasks Completed

Task | Result | Notes
Keyboard navigation test | Success | Focus visible on 100% of elements
Check heading hierarchy | Success | Good hierarchy: 1 H1, 10 total headings
Verify image alt text | Success | No images (CSS-based design)
Test 200% zoom | Success | Good 200% zoom support
Check landmarks and skip links | Success | 4 landmarks found; Skip link found

Accessibility Observations

  • success: Good focus visibility on all interactive elements
  • success: Logical heading hierarchy - accessible structure
  • success: CSS-first design - no image accessibility issues
  • success: Skip link and ARIA landmarks present

Jordan's Verdict: "This compliance site practices what it preaches." All 7 observations positive. Good WCAG compliance - keyboard navigation works, focus visible, heading hierarchy logical.

Taylor

Junior GRC Analyst

Fresh out of college, 3 months into first GRC role. Boss said "figure out SOC2" with no further guidance. Doesn't know compliance jargon yet. Needs education, not just templates.

Goals

  • Understand what SOC2 actually is
  • Learn the terminology (TSC, controls)
  • Find a clear starting point for beginners
  • Determine if this is the right resource

Behaviors

  • Reads everything carefully, multiple times
  • Looks up unfamiliar terms
  • Seeks help when confused
  • Easily overwhelmed by jargon

Behavioral Realism

Interaction: exploratory
Emotional: anxious / moderate
Cognition: learner
Prior Experience: None - first compliance project

Learning Mode: Exploratory
Observations: 8
Screenshots: 7

Tasks Completed

Task | Result | Notes
Understand site offering | Success | Terms used but not fully explained for beginners
Find beginner starting point | Success | Step-by-step guide found
Find educational content | Success | Limited but present
Check for glossary | Success | No glossary found - room for improvement
Evaluate beginner appropriateness | Success | Moderate beginner support (score: 3/6)

Beginner Experience Observations

  • success: Clear "Getting Started" entry point found
  • success: Step-by-step instructions help beginners follow along
  • note: No glossary or term definitions visible
  • note: Technical jargon may confuse beginners

Taylor's Verdict: "I can figure this out, but it assumes I know more than I do." Site provides enough guidance for motivated beginners, but would benefit from a glossary and "What is SOC2?" explainer.

Robert

Board Member (Tablet)

Board member at a SaaS company. Portfolio company CEO mentioned using "open source compliance templates." Robert has 3 minutes during a meeting break to assess legitimacy.

Goals

  • Quick legitimacy check in under 3 minutes
  • Find trust signals (credentials, credibility)
  • Determine if appropriate for enterprise
  • Decide: red flag or acceptable?

Behaviors

  • Skims headlines only - no deep reading
  • Looks for logos, credentials, social proof
  • Makes snap judgments on appearance
  • Will close tab if anything looks sketchy

Behavioral Realism

Interaction: impatient
Emotional: skeptical / urgent
Cognition: scanner
Context: iPad (768x1024), 3 min max

Device: iPad
Observations: 8
Screenshots: 6

Tasks Completed

Task | Result | Notes
First impression check | Success | Looks legitimate (score: 4/5)
Find credibility info | Success | CISO credentials visible; Production use mentioned
Enterprise appropriateness | Success | Enterprise-appropriate (3/4 signals)
Tablet UX check | Success | Good tablet layout; Good tap targets

Executive Due Diligence Observations

  • success: Transparent about being open source - builds trust
  • success: GitHub presence - claims are verifiable
  • success: CISO credentials visible - credible source
  • success: Clean tablet rendering - professional appearance

Robert's Verdict: "APPROVED - looks legitimate." 3-minute assessment complete. 8 trust signals found, 0 red flags. Appropriate for portfolio company to use as starting point.

View the Actual Test Code

All 8 persona tests with full Behavioral Realism attributes are open source. See how we defined each persona.
