Security and Usability review

7.5

Editors' Rating

Very Good

Security and Usability

Wendy M Grossman ZDNet.co.uk

Published: 12 Dec 2005

It is a truth universally acknowledged that most security products lack usability. In fact, as Lorrie Faith Cranor, an Associate Research Professor at Carnegie Mellon (formerly at AT&T Research), and Simson Garfinkel, author of a number of books on security, say here, security that is unusable isn't security at all. But does a product that's usable necessarily have to be insecure?

This book, subtitled Designing Secure Systems That People Can Use, is a collection of papers studying the question of how to build good -- that is, usable -- security, completely rejecting the traditional notion that you must trade one off against the other. Unlike most collections focusing on research, this book is strongly practical. Take passwords, for example -- the subject here of a chapter by well-known Cambridge security researcher Ross Anderson and others. Most of the rules for generating 'good' passwords violate known principles of human psychology, which comes as no surprise to anyone who's written down their randomly generated, utterly unmemorable password. Anderson and colleagues did a study to test the truth of password myths. Are mnemonic passwords actually easier or harder to remember than randomly generated ones or passphrases? How much guidance should people be given in choosing passwords? Like the other papers here, the research leads to practical recommendations.

The result is a wealth of useful information on a wide range of security topics: evaluating authentication mechanisms, designing challenge questions, the use of new technologies such as biometrics. A second section considers how to guard privacy and anonymity; Cranor's own contribution here focuses on her work on the Platform for Privacy Preferences (P3P), which is, unknown to many users, built into browsers such as Internet Explorer. The third section focuses on commercial implementations and the vendor perspective, with insider contributions covering such products as Firefox, ZoneAlarm, Lotus Notes/Domino and Groove Virtual Office. A final contribution in this section is a discussion of Microsoft's user research.

The fourth and final section, 'The Classics', offers usability guidelines, more on passwords, a study of file-sharing usability focused on KaZaA, and an evaluation of the encryption software PGP 5.0 aimed at studying whether traditional usability standards can be appropriately applied to security products. Since PGP was in many ways the very model of the modern, unusable yet important security software, it's a good choice if you know a little Net history.

Overall, this book straddles the line between pure academic research and business practicality, so that there can be few interested in security who won't find something of value. However, Cranor and Garfinkel themselves say they expect the book to appeal to various classes of reader in the following order: researchers in the field of security and usability; then students; finally professionals.

A decade or so ago, computer usability was a relatively new field, with researchers scrambling to try to understand how to make computer systems that worked for people instead of against them. In some ways, it's astonishing that it's taken so long to begin to develop a similar set of principles for security products. But there's only one thing to say about that: it's about time.


Overview

Security and Usability

Editors rating
Rating: 7.5
Verdict

Despite more than a decade of research into computer usability, most security products remain resolutely user-unfriendly. This book examines how the situation can be improved.

Typical price

£ 31
