Are Usability & Security Opposites in Computing?
krozinov writes "Instinct tells us that computer security and computer usability are inversely proportional to each other. In other words, the tougher and stricter the security is, the less usability there is, and vice versa. However, there have been plenty of cases where both computer security and computer usability went hand in hand with each other and actually improved together. In the last few years security has been the biggest buzzword in computer systems and as such has become part of our computer systems. Before that, computer systems were all about getting it done faster and easier, but now they must also do it securely. Can the two continue growing together? This paper argues that it can, as evidenced by the most recent Indian Assembly Election."
I can make a horrible to use app that is insecure, and with a bit of effort, make a system that is secure, but easy to use.
Take PGP and email. There are TONS of plugins for various email clients to support signing and encrypting email. Yes, encryption can be broken someday, it's true, but if someone made a plugin that bumped it to 16k keys, it's easy and fairly secure. If people are further educated and enforced to not share their password and private key, it's quite possible.
If you make a system that requires dozens of passwords to do things, duh, people will reuse their passwords or make them simple, or worse yet, put them on their monitors.
-
ping -f 255.255.255.255 # if only
Q. Are Usability & Security Opposites in Computer Systems?
A. Yes, for instances where security measures do decrease usability. No, for instances where they don't.
A2. Yes, for instances when software makers don't care about security, nor about integrating it properly. No, for instances where they show they care about security and want to do it properly.
Come on, seriously. Sometimes, various measures for security make things "harder" to use. But there are so many things which define "security". Authentication, authorization, encryption, access, and each at several different levels.
The ultimate answer is, yes, security and usability are opposites when the responsibility for the security measures rests entirely upon the end user. Simple example: Make a user have a password, and they'll make it their dog's name (not secure). Force it to be too complex, and they'll forget it (not usable). Mandate that it be changed every week AND be too complex, and they'll write it down (not secure or usable).
When the security measures are administered by a skilled external entity (such as a knowledgeable and sensible IT staff) or integrated seamlessly into applications and operating systems (by knowledgeable and sensible software makers), they can be "usable". In fact, "usable" is the wrong word: it should be "transparent".
There are ways to make good security - whether it's for an entire organization or a single workstation - usable, and non-intrusive. It just takes someone with the skill, knowledge, and foresight to do it.
Norton products are perfect examples of security made so cumbersome as to be useless. Every machine I've ever used with Norton Internet Security has some major function, such as network connectivity, disabled until Norton is shut down. After enough tinkering, you can get Norton to work and still allow yourself to use the internet, or print, or whatever. As soon as you change anything, time to reconfigure Norton. Then there's the incessant popup nagging reminders or alerts. I'll take viruses and spyware over Norton any day. I just wonder how much longer this company will be able to continue living off their reputation, since it is the only way they can get people to buy their overpriced bloatware.