September 23, 2005
Security and Usability: Designing Secure Systems that People Can Use
Sebastopol, CA--Conventional wisdom dictates that there must be a tradeoff
between security and usability. To illustrate the point, Lorrie Faith
Cranor, DSc, and Simson Garfinkel, Ph.D., contrast a computer with no
passwords with one "that makes you authenticate every five minutes with
your password and a fresh drop of blood." The former is usable, but not
secure, while the latter is secure but holds little appeal to most users.
In their new book, Security and Usability (O'Reilly, US $44.95), Cranor
and Garfinkel contend that security and usability are not inherently at
odds; in fact, tomorrow's computers won't be secure unless researchers,
designers, and programmers can invent new ways to make security systems
easier to use.
"As the world around us makes clear every day, if people are unable to use
secure computers, they will use computers that are not secure," Cranor and
Garfinkel remark in the preface to their book. Although theoretically
secure, computers that aren't usable do little to improve the security of
their users because these machines push users to less secure platforms.
"As it turns out, the converse is also true: systems that are usable but
not secure are, in the end, not very usable either," they note. This is
because these systems don't last: they get hacked, compromised, and
otherwise rendered useless.
"Having each worked in the area of security for the better part of two
decades, it has become increasingly clear to us that the question of
usability is among the most important in determining the overall security
of a system, yet it is also one of the issues that is most frequently
ignored," observes Garfinkel. "Although it has long been recognized that
security systems need to be usable, there has been astonishingly little
work done in this area to date. Indeed, some scientists have gone so far
as to say that usability and security are inherently at odds, and in
building secure systems it is necessary to figure out just how much
usability needs to be given up.
"We don't believe this," Garfinkel continues. "We believe that it is
possible, through the use of good research and practice, to build systems
that are both secure and usable. This book is a guide to practitioners on
how to do that, as well as a guide to researchers regarding which
directions are likely to bring more fruitful results."
In the first book to be focused entirely on the subject of usability and
security, Cranor and Garfinkel present thirty-four groundbreaking essays
from leading security, usability, and human-computer interaction (HCI)
researchers around the world. Balancing theory and fundamental principles
with practical advice, they examine this important issue in detail.
"In order to build systems that are both secure and usable, it is
important to have some understanding of both the computer security field
and the human-computer interaction field. Most researchers and
practitioners have been trained in only one of these fields. Our hope is
that this book can help bridge the gaps for them and fill in some of the
important background they need to work in this interdisciplinary area,"
Security and Usability offers a window into the future of computer
security where usable design and secure systems are no longer at odds.
Realigning usability and security: psychological acceptability, designing
for actual (not theoretical) security, tools for usability evaluation, and
trust designs and models
Authentication mechanisms: password memorability, challenge questions,
graphical passwords, biometrics, keystroke dynamics, smart cards, and USB
Secure systems: secure interaction design, anti-phishing, sanitization
and usability, usable PKI, compartmentalized security, and ethnographic
Privacy and anonymity systems: privacy design pitfalls, the Privacy Space
Framework, the Platform for Privacy Preferences (P3P), web bugs, informed
consent on the Internet, social approaches to security, and anonymizing
Commercializing usability: vendor experiences in addressing usability
issues at Microsoft, IBM/Lotus, Firefox, Zone Labs, and Groove Networks
Security and Usability brings together research findings, actual
implementation experiences, practical advice, and recommendations for
constructing next-generation operating systems. This volume is sure to
become a classic reference and an inspiration for further research.
Security and Usability
Edited by Lorrie Faith Cranor and Simson Garfinkel
ISBN: 0-596-00827-9, 714 pages, $44.95 US, $62.95 CA
O'Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O'Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying "faint signals" from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.
Return to: O'Reilly Press Room
Recent Press Releases
Press Release Archive »
Media Relations - North America & Conferences
Media Relations - Germany
Media Relations - Japan
Media Relations - United Kingdom