If you believe many industry experts, security and usability cannot exist in the same application. Security is, apparently, the art of making software difficult to use so it can’t be compromised – security by obscurity, if you will.
Not so, say editors Lorrie Faith Cranor and Simson Garfinkel, who set out to prove the point by assembling 34 chapters by 64 authors (including themselves), all describing they whys and wherefores of the ties between security and usability.
Security and Usability: Designing Secure Systems That People Can Use is a mix of academic and practical discussion. In their preface, the editors state, “Our goal is to make this book useful first for researchers in the field of security and usability, then for students, and finally for professionals.”
But that doesn’t mean it’s a dull academic tome. Far from it. In each of its six sections, a different facet of the problem is put under the microscope, starting with part 1: Realigning Usability and Security, and proceeding through Authentication Mechanisms, Secure Systems, Privacy and Anonymity Systems, Commercializing Usability: The Vendor Perspective, and ending in part 6, The Classics (a collection of classic papers on the subject).
The articles in each section, although packed with information, are in the main quite readable, and some are eye-openers. The description of a study on the usability of security devices in chapter 12 reveals how little has actually been done in making these devices user-friendly. Chapter 11 discusses identifying users by their typing patterns, and features a five page chart overview of previous research on the subject, and the chapter on graphical passwords introduces the concept of guessing entropy – the mathematics behind the ability of an attacker to guess passwords.
All is not abstract academic pontification, however. In the vendor perspective section, there’s a description of the thinking behind the design of popular software firewall Zone Alarm’s user interface, the five golden rules of product development according to the Mozilla Foundation, as applied to Firefox, a discussion about users and trust from Microsoft, Lotus’ description of embedding security in Notes/Domino and a Groove Networks (now part of Microsoft) case study on embedding usable security in Groove Virtual Office.
There are also real-world examples of what can happen when security is neglected or misapplied. In the “Sanitization and Usability” chapter, author (and editor) Simson Garfinkel describes what he and others have found on used (and in some cases, supposedly clean) computers. He also explains why the “format” command doesn’t really erase data, and why “delete” doesn’t really delete.
“The usability problem is that the operating system gives the user the appearance that the data has been removed from the computer when, in fact, the data have been made inaccessible by ordinary means,” he noted.
Author Lynne Coventry looks at other usability problems in her chapter on biometrics. She concludes that the notion that the technology is a usable form of security is “flawed”, but at the same time, does say that it is “interesting and even appropriate for certain niche market applications.”
Yet other papers look at authentication methods, security administration, and even designing systems that people will trust.
This is not a book you sit down and read all at once. It is a book you pick up, go through a paper or two, and think about for awhile. From the first chapter, “Psychological Acceptability Revisited” through the classic “What Johnny Can’t Encrypt”, the 700+ pages are packed full of the good, the bad and the ugly of usability as it applies to security.
Anyone who has to deal with either of these issues – and that is almost everyone in IT – owes it to him or herself to read this book.
Security and Usability: Designing Secure Systems That People Can Use. Lorrie Faith Cranor and Simson Garfinkel, editors. $62.95. O’Reilly, 2005.
