O'Reilly
September 23, 2005

Security and Usability: Designing Secure Systems that People Can Use

Sebastopol, CA--Conventional wisdom dictates that there must be a tradeoff between security and usability. To illustrate the point, Lorrie Faith Cranor, DSc, and Simson Garfinkel, Ph.D., contrast a computer with no passwords with one "that makes you authenticate every five minutes with your password and a fresh drop of blood." The former is usable, but not secure, while the latter is secure but holds little appeal to most users. In their new book, Security and Usability (O'Reilly, US $44.95), Cranor and Garfinkel contend that security and usability are not inherently at odds; in fact, tomorrow's computers won't be secure unless researchers, designers, and programmers can invent new ways to make security systems easier to use.

"As the world around us makes clear every day, if people are unable to use secure computers, they will use computers that are not secure," Cranor and Garfinkel remark in the preface to their book. Although theoretically secure, computers that aren't usable do little to improve the security of their users because these machines push users to less secure platforms. "As it turns out, the converse is also true: systems that are usable but not secure are, in the end, not very usable either," they note. This is because these systems don't last: they get hacked, compromised, and otherwise rendered useless.

"Having each worked in the area of security for the better part of two decades, it has become increasingly clear to us that the question of usability is among the most important in determining the overall security of a system, yet it is also one of the issues that is most frequently ignored," observes Garfinkel. "Although it has long been recognized that security systems need to be usable, there has been astonishingly little work done in this area to date. Indeed, some scientists have gone so far as to say that usability and security are inherently at odds, and in building secure systems it is necessary to figure out just how much usability needs to be given up.

"We don't believe this," Garfinkel continues. "We believe that it is possible, through the use of good research and practice, to build systems that are both secure and usable. This book is a guide to practitioners on how to do that, as well as a guide to researchers regarding which directions are likely to bring more fruitful results."

In the first book to be focused entirely on the subject of usability and security, Cranor and Garfinkel present thirty-four groundbreaking essays from leading security, usability, and human-computer interaction (HCI) researchers around the world. Balancing theory and fundamental principles with practical advice, they examine this important issue in detail.

"In order to build systems that are both secure and usable, it is important to have some understanding of both the computer security field and the human-computer interaction field. Most researchers and practitioners have been trained in only one of these fields. Our hope is that this book can help bridge the gaps for them and fill in some of the important background they need to work in this interdisciplinary area," says Cranor.

Security and Usability offers a window into the future of computer security where usable design and secure systems are no longer at odds.

Topics include:

  • Realigning usability and security: psychological acceptability, designing for actual (not theoretical) security, tools for usability evaluation, and trust designs and models
  • Authentication mechanisms: password memorability, challenge questions, graphical passwords, biometrics, keystroke dynamics, smart cards, and USB tokens
  • Secure systems: secure interaction design, anti-phishing, sanitization and usability, usable PKI, compartmentalized security, and ethnographic analysis
  • Privacy and anonymity systems: privacy design pitfalls, the Privacy Space Framework, the Platform for Privacy Preferences (P3P), web bugs, informed consent on the Internet, social approaches to security, and anonymizing technologies
  • Commercializing usability: vendor experiences in addressing usability issues at Microsoft, IBM/Lotus, Firefox, Zone Labs, and Groove Networks

    • Security and Usability brings together research findings, actual implementation experiences, practical advice, and recommendations for constructing next-generation operating systems. This volume is sure to become a classic reference and an inspiration for further research.

    Additional Resources:

    Security and Usability
    Edited by Lorrie Faith Cranor and Simson Garfinkel
    ISBN: 0-596-00827-9, 714 pages, $44.95 US, $62.95 CA
    order@oreilly.com
    1-800-998-9938; 1-707-827-7000

    About O'Reilly

    O'Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O'Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying "faint signals" from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.

    Contacts

    Customer Inquiries
    Sales/Customer Service
    707-829-0515

    PRESS QUERIES ONLY
    Contact
    O'Reilly Media
    (707) 827-7000

    © 2008, O'Reilly Media, Inc.