The importance of usable security

The Internet is a dangerous place, and it’s not getting better. The number and severity of security breaches is going up. Identity theft is on the rise, and still more commerce is conducted online. As security professionals we all know this, but why is it the case?

There is a plethora of security technologies out there, and many of them are good. Why can't we just keep adding layers of security until a system becomes bulletproof? Of course, there are a number of reasons. Security costs money, and it needs to be managed. Many system owners also have the unfortunate habit of underestimating risk, finding it hard to justify the cost of extra security.

These factors (and others) are substantial; however, there is another major problem that needs to be addressed: the problem of client usability. Many security controls are inconvenient, or are just too hard to use. People either turn them off, or they circumvent them.

Security controls can be grouped into two categories. There are those that are forced upon a user (corporate firewall, online authentication system, etc.), and there are those that are optional (home AV software, use of secure passwords, etc.). Both need to be user friendly.

In the first category, users will either hate you for a cumbersome security control, or they will find a way around it. For example, forcing people to change their password every X days encourages them to include an incrementing digit (or similar pattern) in the password, or to write it down. This makes the control ineffective. Blocking emails with attachments encourages users to use Web mail so that they can download what they need, or to transfer data via USB stick. The bottom line is that people need to get their jobs done. Anything that gets in the way of this is irritating and something to be circumvented.
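The incrementing-digit pattern mentioned above is something a password-change handler can check for at the moment the user submits a new password, which is one way to keep a rotation policy from degrading into "old password plus one". The following is an added example, not code from the original post; it assumes the old and new passwords are both available in plaintext during the change flow (the only point at which this comparison is possible) and the rules, thresholds and function names are the author's own choices for illustration.

```python
import os
import re
from typing import Optional, Tuple

# Splits a password into a base and a trailing run of digits:
# "Summer2023" -> ("Summer", "2023"), "hunter" -> ("hunter", "").
DIGIT_SUFFIX = re.compile(r"^(.*?)(\d*)$")


def split_suffix(password: str) -> Tuple[str, str]:
    m = DIGIT_SUFFIX.match(password)
    return m.group(1), m.group(2)


def reject_reason(old: str, new: str) -> Optional[str]:
    """Return a short reason if `new` is a trivial variation of `old`,
    or None if the change looks genuine.

    Constructed rules for illustration: unchanged, case-only change,
    digits appended, digit suffix incremented/changed, or a long shared prefix.
    """
    if new == old:
        return "unchanged"
    if new.lower() == old.lower():
        return "case-only change"

    old_base, old_num = split_suffix(old)
    new_base, new_num = split_suffix(new)

    # Same non-empty base word: only the numeric tail moved.
    if old_base and old_base.lower() == new_base.lower():
        if old_num == "" and new_num != "":
            return "old password with digits appended"
        if old_num and new_num:
            if int(new_num) - int(old_num) == 1:
                return "digit suffix incremented"
            if old_num != new_num:
                return "digit suffix changed only"

    # Fallback similarity check: a shared prefix covering at least two thirds
    # of the longer password (and at least 4 characters) is treated as too similar.
    common = len(os.path.commonprefix([old.lower(), new.lower()]))
    threshold = max(4, 2 * max(len(old), len(new)) // 3)
    if common >= threshold:
        return "too similar to previous password"

    return None


if __name__ == "__main__":
    # Constructed sample password changes, as a user might submit them.
    samples = [
        ("Summer2023", "Summer2024"),
        ("Winter!", "Winter!1"),
        ("hunter2", "Hunter2"),
        ("correcthorse", "correcthorsebattery"),
        ("Summer2023", "fj8#Lq2!vX"),
    ]
    for old, new in samples:
        print(f"{old!r} -> {new!r}: {reject_reason(old, new) or 'accepted'}")
```

The check only ever sees the previous password when the user has just authenticated with it, so nothing about this requires storing old passwords in recoverable form; it also gives the user a concrete reason for the rejection, which is the usability point the post is making.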

Security measures that a user has some control over have an even greater need to be usable. If a home computer firewall keeps annoying you by popping up warning messages, the easiest thing to do is to turn it off (especially when those messages make no sense, because they reference some obscure system DLL). The same applies to AV software. If it's annoying or it gets in your way, it will be disabled by all but the most security conscious.

As security professionals, we need to focus on usability. If a user sees a security control, it must be easy to use. It must require no training, and it must not get in the way of legitimate use. Ideally, the control should be invisible. These criteria are often difficult to meet, but they are essential. The alternative is that we end up with a system that is ineffective (or at least downright annoying).

Comments

Excellent article and the points are well made...
I think a trap many security systems designers make is to think of their security controls in isolation, ignoring the environments in which they work. Systems (as a whole) need to be designed in such a way as to ensure that doing the right (secure) thing is always easier than doing the wrong (insecure) thing. So, for example, a laptop configured to allow someone to work from home should make connecting to the (secure) office VPN easier than connecting to the Internet. But, more often than not, it's the other way round.
Humans are lazy. We will always take the easiest option that gets us to where we want to be fastest.
