Security and Usability
By Lorrie Faith Cranor and Simson Garfinkel (eds)
It is a truth universally acknowledged that most security products lack usability. In fact, as Lorrie Faith Cranor, an Associate Research Professor at Cargnegie-Mellon (formerly at AT&T Research), and Simson Garfinkel, author of a number of books on security, say here, security that is unusable isn't security at all. But does a product that's usable necessarily have to be insecure?
This book, subtitled Designing Secure Systems That People Can Use, is a collection of papers studying the question of how to build good -- that is, usable -- security, completely rejecting the traditional notion that you must trade one off against the other. Unlike most collections focusing on research, this book is strongly practical. Take passwords, for example -- the subject here of a chapter by well-known Cambridge security researcher Ross Anderson and others. Most of the rules for generating 'good' passwords violate known principles of human psychology, which comes as no surprise to anyone who's written down their randomly generated, utterly unmemorable password. Anderson and colleagues did a study to test the truth of password myths. Are mnemonic passwords actually easier or harder to remember than randomly generated ones or passphrases? How much guidance should people be given in choosing passwords? Like the other papers here, the research leads to practical recommendations.
The result is a wealth of useful information on a wide range of security topics: evaluating authentication mechanisms, designing challenge questions, the use of new technologies such as biometrics. A second section considers how to guard privacy and anonymity; Cranor's own contribution here focuses on her work on the Platform for Privacy Preferences (P3P), which is, unknown to many users, built into browsers such as Internet Explorer. The third section focuses on commercial implementations and the vendor perspective, with insider contributions covering such products as Firefox, Zone Alarm, Lotus Notes/Domino and Groove Virtual Office. A final contribution in this section is a discussion of Microsoft's user research.
The fourth and final section, 'The Classics', offers usability guidelines, more on passwords, a study of file-sharing usability focused on KaZAa and an evaluation of the encryption software PGP5.0 aimed at studying whether traditional usability standards can be appropriately applied to security products. Since PGP was in many ways the very model of the modern, unusable yet important security software, it's a good choice if you know a little Net history.
Overall, this book straddles the line between pure academic research and business practicality, so that there can be few interested in security who won't find something of value. However, Cranor and Garfinkel themselves say they expect the book to appeal to various classes of reader in the following order: researchers in the field of security and usability; then students; finally professionals.
A decade or so ago, computer usability was a relatively new field, with researchers scrambling to try to understand how to make computer systems that worked for people instead of against them. In some ways, it's astonishing that it's taken so long to begin to develop a similar set of principles for security products. But there's only one thing to say about that: it's about time.
- Wendy M Grossman (ZDNet UK)
About the author:
Dr. Lorrie Faith Cranor is a principal technical staff member in the Secure Systems Research Department at AT&T Labs-Research Shannon Laboratory in Florham Park, New Jersey. She is chair of the Platform for Privacy Preferences Project (P3P) Specification Working Group at the World Wide Web Consortium. Her research has focused on a variety of areas where technology and policy issues interact, including online privacy, electronic voting, and spam.
Dr. Cranor plays the tenor saxophone in the Chatham Community Band. She spends most of her free time with her husband, Chuck, and her son, Shane, but sometimes she finds time to design and create quilts.
Simson Garfinkel is a postdoctoral fellow at the Center for Research on Computers and Society at Harvard University's department of Electrical Engineering and Computer Science. He came to Harvard after completing his Ph.D. in Computer Security at MIT's Computer Science and Artificial Intelligence Laboratory, where he studied computer security, usability, and forensics. Garfinkel is also the founder of Sandstorm Enterprises, Inc., a supplier of computer security auditing tools. Garfinkel writes a monthly column on computer security for CSO Magazine, for which he has received the 2004 and 2005 Neal Business Journalism award. This is Garfinkel's 14th book; he doesn't have any free time.
Have you read a good book recently that is topical and useful? If you'd like to share your review, do write in to us. The review should be between 300-400 words.
Email this article | Respond to this article