Thinking about security and usability

IT security (and for that matter, other security concerns too) is often seen as conflicting with usability. There is something to that. If you take any given technology and turn up the level of security it provides, you will almost always decrease the usability of the system.

Consider passwords. If people are allowed to choose their own passwords, they will typically choose something very usable for them. They’ll pick their dog’s name, their wife’s name, their userid, etc. These passwords don’t provide much security. To compensate, we often turn up the security knob and require “stronger” passwords, e.g., minimum of six characters with no dictionary words and multiple “character classes.”

Adjusting the password strength knob is reasonable to an extent. I’ve recently heard security officers consider requiring fifteen-character passwords with multiple character classes. Such a password is unusable. Any system that requires that level of security should not be protected by user-chosen passwords and possibly not by passwords at all. To maintain usability while increasing security, you have to use a new technology.

Consider the graph to the right. The graph illustrates this principle. The blue line represents a given security technology. As you increase the security, you decrease the usability. In such a security-usability graph, we really want to be in the upper right corner of the graph. But our blue line can’t get us there. When we make the passwords more complicated (secure), they become less usable. To get further up in the graph, we need to change the technology and shift the security curve to the right (the green line). For example, we might allow weaker passwords but require two-factor authentication with a smart card.

Unfortunately, many proposed security technologies might even shift the graph to the left (the red line). These technologies provide less security for the same degree of usability. Think of the prohibition on liquids while flying. This provides no increase in security, while greatly decreasing the usability (or at least the enjoyability) of flying.

If we’re lucky, our security curves don’t look like the graph above and instead look more like the one to the left. The advantage to a curve like this one is that there’s a fairly natural optimal point. We can increase the security while barely affecting the usability – at least up to a point.

I don’t know what the security curves for most technologies look like. But security technologists need to consider this and determine both the level of security and the level of usability needed in a given system. If you can’t achieve both, then you might need to think about a different approach or a different security technology. Trying to achieve a desired level of security without considering usability will result in the users ignoring or bypassing security in the future.

Just some thoughts.
