Why security and usability don't go hand in hand
ANY DISCUSSION about how to make security usable sounds a lot like the discussions of the 1980s about airplane safety.
At that time, the big issue was cockpit design: how could an increasingly complex set of instruments be organised to minimise pilot error? Those discussions translated into the software usability movement of the early 1990s, spearheaded by Donald Norman's 1988 classic book, The Design of Everyday Things. Every consumer and business software company has a usability group whose members were influenced by Norman; but many security people have never heard his name.
"The general issue we have is basically a failure to design security in," says 
, a lecturer in computer science at University College London who specialises, unusually, in security and human factors. "There's a rush for functionality, and we're failing to do risk analysis and consider that, and then once it's done go around the block again with design."
Security, like usability, works best if it's designed in from the beginning. But, she says, as a recent article in The Economist points out, "unless the functionality is in place and proven to be worth something to somebody, thinking about security doesn't happen – and then they wait until problems occur and the security measures are stuck on afterwards, and it always makes for a system that's less efficient and harder to use."
But the deeper problem is that most people – including security people – are goal-oriented.
"Security people perceive security as the primary goal," she says. "And of course it's not. In usability terms we distinguish between the primary and secondary goal – the production task and the enabling task. Security is enabling the long-term survival of the system, but people look at their primary task, their main job, and don't see the benefit of security. When that's the case, and they perceive it as an obstacle in the way of the goal, then of course they try to get around it."
So, the two problems with security become: "First, obstacles are made too big because of bad design, and second, they don't perceive or understand the risks." Plus, humans are generally poor at risk assessment anyway.
As we move increasingly into a situation where everything is computerised, these issues are going to loom larger and larger. "Almost everybody who uses a computer has to use security every day," she says, "and there's no concern about usability. Is the idea that it should be hard because it's important?" µ
Share this:
ShareBusiness Intelligence Software
Customer Relationship Management (CRM)
Enterprise Accounting Software
Enterprise Resource Planning (ERP)
Enterprise Systems Management
Are you talking about Microsoft products, which fail on both security and usability?
Fascinating and refreshing point of view on security, gives some bit of hope to the future!
"Machines are only as secure as you make them, and security concerns are ever competing with the human necessity for convenience... More security means less convenience, but a security breach can be the least convenient moment of all."
As true, today, as when Jim Mock wrote it ten years ago.
If only the public sector realized this, lose a few bits of unencrypted data (because some moron sent important data unencrypted, lets face it that's pretty weak) and all of a sudden public sector systems are so locked down you can barely even use the system.
Thats government thinking for you, don't care in the first place, in the second place over-react to the nth degree to prevent being embarrassed again, whilst still not actually protecting vital systems like payments systems.
Shows you what their priorities are, not doing a good job, not doing an efficient job, not doing things securely; but just purely avoiding bad publicity.
Nice.
Password-related security will always be perceived as a barrier.
If I'm using my computer from home, where my Internet Service Provider (ISP) knows I am me, then why can't my ISP vouch for my identity?
By ISP I mean the company that connects me to the Internet, which in my case is the telephone company. In most cases, when I'm working from home, dealing with large companies, I would be happy to have the phone company "tell" whichever site I'm using that "Yes, he really IS who he says he is."
I don't know whether this kind of solution is possible, but wouldn't remove the needs for ID-and-password-based identity verification?
It does bring other issues with it, especially around privacy, so I'd like to see some solid legislation (laws) to protect identity privacy.
-=- Jerome
Who is this unnamed lecturer at University College London? If they've published on anything on human factors and security, I would like to read it.
I've long held that security is primarily a human-factors issue, that a good security implementation should be designed to enable the user to get their work done in the most secure manner possible with the least amount of effort required. It sounds like this unnamed lecturer is on the same wavelength.
In fact, security designed without consideration for human factors is nothing more than bureaucratic buck-passing. Let's say you have to enter an 8-digit password with at least one special character, a number, and at least one upper and one lower-case letter, change it every 90 days, and your companies' security policy does not allow you to write it down and keep it on your desk. Every part of this system has been optimized except for the human part, which is nearly impossible, but it is ignored because human factors has not made its way into the field of security yet. Its just not in the equation when the product is designed or purchased. The only way it manifests itself would be in the threats or punishment of users who can't or don't conform to the system. Usability is coming late to this space because security tends to be an internal tool, and internal tool tend to suck, because we are paid to use them. The ubiquitousness of this problem suggests that good metrics are not being used to pinpoint security weaknesses. The human element has always been the weakest link in security, and it amazes me that the IT industry is still shrugging their shoulders instead of growing a pair and doing some HFE.
Though i like the concept behind your idea, it would be an epic fail, for the simple fact of both VPN and remote desktop / VNC would easily defeat this.
After more then 20 years eating drinking, living and working in the computer industry I've come to the same conclusion early Unix gurus already knew for ages.
Computers are not for users.
And that is the cold, hard fact staring us all in the face.
A lot of people should not, have not never ever obtained or otherwise be exposed to such a thing as a silicon based machine. It ruined not only their until then peaceful lives and those concerned with security, privacy and the general advancement of humans as a race. Computer have become an obstacle for many, and that concerns many security and privacy experts. It has run out of hand, misused, abused the industry slaves away for another sickened Industry guided by hedgefunds and other non-productive, cannibalistic entities, like Gordon Brown.
Security, privacy and rigid code regarded as basic standards in the 70's and 80's have now succumbed to the commercial weight of the 'need' and the 'speed' of the masses guided by only a few commercially driven entities. Hence the need for Cobol programmers until to-day.
The performance of electronic devices often more driven by greed then by Moore's 'law' right is already cracking the security grid once deemed safe for even the biggest secret.
Now, lemme see.... where did I left that vSphere v4 CD ? Gonna build myself a nice cloud hashcracker.
“...says , a lecturer in computer science...”
Interesting omission from that sentence, and interesting to see what’s in its place when you “view source”.
Anyway, back on topic, there’s nothing wrong with writing down passwords, just keep that piece of paper in a safe place, that’s all. You know how to do it with your keys and your credit cards and your cash? Just do the same for your passwords.
This posting is brought to you by the CAPTCHA “TEDDJY”.