Slashdot Mirror
Are Usability & Security Opposites in Computing?
krozinov writes "Instinct tells us that computer security and computer usability are inversely proportional to each other. In other words, the tougher and stricter the security is, the less usability there is, and vice versa. However, there have been plenty of cases where both computer security and computer usability went hand in hand with each other and actually improved together. In the last few years security has been the biggest buzzword in computer systems and as such has become part of our computer systems. Before that, computer systems were all about getting it done faster and easier, but now they must also do it securely. Can the two continue growing together? This paper argues that it can, as evident by the most recent Indian Assembly Election."
Most applications manage being both unusable and insecure just fine.
- create a series of passwords, which may be as simple as adding a number to the end.
- or, write down passwords
System Admins and Managers can force unique passwords, keep a long password history, and check desks, but then the burdon falls more heavly on their help desk system.No matter what the password policy eventually users will need to have a password reset, each time is a cost on the tech support system. Proper security whould have a security officer phyically identify each user before reset but that would be costly, so they instead ask a couple of profile questions. Which open up social engineering issues. So generally, the harder your password policies are, then the easier your reset policies need to be, (unless cost really isn't an issue).
The force that blew the Big Bang continues to accelerate.
I can make a horrible to use app that is insecure, and with a bit of effort, make a system that is secure, but easy to use.
Take pgp and email. There are TONS of plugins for various emali clients to support signing and encrypting email. Yes, encryption can be broken someday, it's true, but if someone made a plugin that bumped it to 16k keys, it's easy and fairly secure. If people are further educated and enforcfed to not share their password and private key, it's quite possible.
If you make a system that requires dozens of passwords to do things, duh, people will reuse their passwords or make they simple, or worse yet, put them on their monitors.
-
ping -f 255.255.255.255 # if only
One of the things that has killed both usability and security of modern computers is feature creep. The ability to run Visual Basic scripts as part of your file browser. Javascript interpretations of file names.
Most people forget that computers should only have one button. It should be marked "do exactly what the user want me to do," and it should do exactly that. Unfortunately, many systems are not designed from the viewpoint of a new user, but rather the professional user who created the system. There are five or six areas where a command can be found in the windows Explorer interface, and a given command can be in one, two, or all of them. Very occasionally, a command will only be available in the help file. sKill is far more usable than Kill -3.14159265, yet is no less secure. If end-users couldn't see what they couldn't access, they would have a much less cluttered interface and less obvious routes of attack.
The ______ Agenda
"Instinct tells us that computer security and computer usability are inversely proportional to each other."
I don't think this is particularly true. In all walks of life, if something is more usuable, then it tends to be more secure, if only because if it is easier to lock something then people are more likely to lock it.
If it is easy to use the security features on a computer, people will. A lot of home routers tend to be left in an insecure state simple because securing them is too complicated and it is the type of task that can only be done if you already know how to do it.
I would be willing to bet that if you did a survey of the broadband routers installed by 'normal' home users, the ones with the highest usability of the firmware, would also tend to be the ones that have been scured the most.
The hassle of viruses, worms and other crap which appear on people's machine causes many usability problems in my book. The more maintenance you need to do on a machine the less usable it is. A windows machine needs plenty of work to keep up with updates, spyware, adwares and viruses. On the other hand the OS which doesn't execute things automatically when you visit a web site doesn't require as much maintenance.
I always use the analogy of cars. Cars have locks on their doors, then you have to use your key to turn the motor on. Now imagine cars without locks on their doors. One less hassle in the way of doing what you want right? How about no keys to turn on the car. It automatically turns on when you put your seat belt on. Wow! What an amazing car!! Guess what though? That type of car wouldn't stay in the driveway for very long. Well a Windows computer is that type of usable car that doesn't stay in your driveway for very long. Linux might ask you to put a key in the door and turn the engine on with that same key but at least it's still in the driveway when you need it.
Architecturally, it is generally accepted that the security of a building is opposed to it's accessibility. Take for example a grocery store. The ease with which customers can get in and out is directly related to how easy it is for the place to be robbed. Movie theater design is similar.
However, usability overcomes some of these problems by making entrances obvious, door opening automatic, lighting bright, etc. I believe a comnputer interface should be the same. Just because I have to remember a password, doesn't mean that entering it need be. Perhaps many passwords presents a different problem, but one of the supposed ideals behind biometric data is that it can be greatly complex and yet still readily available. But does that mean it's less secure?
There is no need to use a SlashDot sig for SEO...
Q. Are Usability & Security Opposites in Computer Systems?
A. Yes, for instances where security measures do decrease usability. No, for instances where they don't.
A2. Yes, for instances when software makers don't care about security, nor about integrating it properly. No, for instances where they show they care about security and want to do it properly.
Come on, seriously. Sometimes, various measures for security make things "harder" to use. But there are so many things which define "security". Authentication, authorization, encryption, access, and each at several different levels.
The ultimate answer is, yes, security and usability are opposites when the responsibility for the security measures rests entirely upon the end user. Simple example: Make a user have a password, and they'll make it their dog's name (not secure). Force it to be too complex, and they'll forget it (not usable). Mandate that it be changed every week AND be too complex, and they'll write it down (not secure or usable).
When the security measures are administered by a skilled external entity (such as a knowledgeable and sensible IT staff) or integrated seamlessly into applications and operating systems (by knowledgeable and sensible software makers), they can be "usable". In fact, "usable" is the wrong word: it should be "transparent".
There are ways to make good security - whether it's for an entire organization or a single workstation - usable, and non-intrusive. It just takes someone with the skill, knowledge, and foresight to do it.
Usability, security and cheapness. You can have any two
Can the two continue growing together?
I've used OpenBSD on my desktop for ages. Pick a nice WM and you're set.
Security does not preclude usability.
Trolling is a art,
You're computer isn't very usable if it gets polluted by viruses :)
Seriously though, there is an inconvenience, but that's all. I have to configure my router to let BitTorrent through, but the fact that I have to do this gives me an immense boost to my computer's security, by virtue of the fact that nothing is sent to my comp's ports unless I tell the router to let it through.
**This begins my ever-changing sig
We need a -1 RTFA moderation option!
**This concludes my ever-changing sig
I agree with you about the broadband firmware, but you would probably also find that the most "secure" routers are also the ones behind which it is the gretest hassle to play games, use p2p apps and various other direct-connect items, therefore its usablity to the average user is less.
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
Useability is what happens after security is cleared. Securitys whole point is to give useability to those that are authorized to have it. If security is interfering with useability, then you will find that even people with authorization will start looking for ways to subvert it. Thus, any security that interfers with useability is bad security.
Its kind of like welding car doors shut and calling it more secure. It is until people start entering through the windows on a daily basis.
Just look at CD copy security measures that get cracked in minutes because they interfere with useability.
Perhaps you could word it more meaningfully as "security vs. freedom". Those two generally have to battle it out, and not just when it comes to computers. For a computer example, if you secure a machine from user tampering, the users won't be able to change everything they want. If you don't allow users to delete files, then they might not always be able to delete the files they want. However, this need not affect usability when it comes to useful tasks.
Speaking of freedom and security, someone wanna lay out the Franklin quote? (I bet it shows up in this post before the day is done).
I called it the Security to Convenience scale. Where 10 is perfectly secure and 1 is perfectly easy to use. However, in this notion security features can be seen as usability bugs.
I've already discussed this humorously here. The point being that if you really want to you can see things like BSODs as security features. Difficulty in configuration can be seen as a usability feature because it prevents security.
If you squint hard enough all bugs are features and all features are bugs. This view point is utterly useless in the real world, however, strangely orthogonal it may be. It still bears thought for the system designer to consider that his perfectly secure system may render the system so close to useless as to make it practically so... and thus cost him his job either directly or indirectly.
[signature]
Are Usability & Security Opposites in Computing?
I propose the following experiment. Yes, yes I know there are service packs and patches available, that's why I'm calling this an experiment.
Take a Windows XP CD and load it onto a system you're not using for anything important at the moment. Do not connect it to a network in any way, shape, or form. Load the PC up with applications. Roughly judge load times, mouse and keyboard times...mess around with it a while and see how responsive it is. Not too bad, right? Fairly useable.
Now, plug your netcard directly into your net. No firewall. I suggest plugging the box directly into a cablemodem. Wait 24 hours.
Notice any difference? This is exactly why Usability and Security are NOT opposites. Any box that's running 99% cpu with malware and viruses is damn near unusable.
Weaselmancer
rediculous.
I couldn't agree more. In fact, I'd go as far as to say that usability is a necessary minimum requirement for security. After all, a very large proportion of attacks succeed because of a simple human failure, not an electronic one.
For example, if banks would stop constantly requiring me to remember seventeen different ID numbers, "memorable" words and phrases, I might notice the e-mail they send out reminding me not to give out my PIN number to anyone else.
On a more techie level, languages where it's easy to code properly make careless errors like allowing buffer over-runs or SQL injection less likely.
At the heart of good usability are principles like KISS and not giving the user unnecessary chances to go wrong. These don't exclude giving the user power, but what better partner for keeping a user safe than not giving them silly chances to do dangerous things?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
There is often a trade-off between security and convenience rather than usability. It is necessary to strike the right balance between the two. There is little point in adding layer upon layer of security for something which is not worth protecting. Equally, a little inconvenience can be justified for the protection of something valuable.
I realize this wasn't meant to be about politics, but the topics are connected. When you abstract ideas about computer security to general axioms, I think you'll find that they have meaning in personal/political security.
you're confusing usability in this case with convience. there's a distinct, yet important difference. usability means something is easy to do and use -- for example it's easy to install an app in mac os x. you just drag a .app file to the applications folder. this is far more usable than a windows wizard installer (less complex, less steps, less reading, less chance for error, etc). however, lets say i set my account up to be a "Standard" user in mac os x. now when i perform this operation, i get an authentication dialog that asks me for an administrator username and password. this is an inconvience. the usabilty has not suffered, but an added dialog to keep security intact has been added. they do not conflict directly.
increased security only has the effect of reducing convience. i could make myself an administrator and never get a password dialog. this wouldn't have any effect on the original usability of the system. likewise, i could encrypt all my ram and swap space. this would increase security, but have no real effect on usability. security is implemented with policies, and as long as those polices are reasonable (i.e. require a methodology that isn't directly in conflict with a program trying to do it's job) then the only thing it will do is require the user to enter additional passwords when designed properly. a poorly designed system (windows) doesn't implement this policy well. doing operations like copying files to admin-writable-only folders in windows is an example of a poorly implemented policy. in mac os x, i'd get an authentication dialog. in windows, i simply would get an error, with no added dialog to request a username and password.
- tristan
There are brilliant designs that are both simple to use and secure (and usually simple to build into the bargain). The problem is that there are not so many
brilliant designers out there. Coming up with these designs often involves novel functional decompositions, new UI metaphors, unusually structures interfaces or something else that is hard to get to by "normal" design processes.
We mac users have the best of both worlds.
I hate sigs.
Good security fosters good usability, and good usability fosters good security. When either is considered a-holistically, it results in a detrimental relationship to the other. We all need to learn how not to think like a-holes.
You see? You see? Your stupid minds! Stupid! Stupid!
I installed Norton Internet Security a few weeks back, and by default it kills all connections to shared resources... I've got a linux computer that's basically just a samba drone, and for whatever reason, Norton keeps blocking access.. Eventually, I had to turn all share blocking off to keep it from happening intermittently. There's no user-friendly way of telling it during install or configuration, "hey idiot, I'm connected to several drives/printers for sharing, open up those ports" It doesn't even bother to ask, it just shuts em down.. And did it again after a liveupdate.
On my XP box, I'm paranoid enough about trojans and activex lunacy that I like to monitor in realtime what is asking for net access and block it accordingly, but at the price of these anoyances, I almost uninstalled it.
I think the Macintosh OS demonstrates the direct relationship of the two pretty well, even though other companies may not.
MY SECRET DIARIES
Usability and security are opposing forces, if and only if the program has optimal usability and security. To make such a program more usable, by definition it requires removing a feature, or compromising security to make it easier. To make such a program more secure, it requires either removing a feature or adversely affecting usability by adding another hoop to jump through.
Note they aren't strictly speaking opposing forces, since "remove features" can both enhance security and usability. It's just that if your program is already optimal and you need to push it harder, something else has to give.
You don't have to be a cynic to observe few programs are optimal, and therefore most software engineers don't have to think in this way. Thus, as a practical matter in the current environment, no, they are not opposed. But they should be.
(As a PS, I'd define security as "Ensuring the computer does what the owner wants, no more, and no less, with the computer owner having all relevant information about and control over what the computer does." But that definition has yet another idealogical focus, no?)
Paypal's CEO, Peter Thiel, once said "There's a trade-off between privacy, security, and convenience, you can have any two at 100 percent, but the third will be almost nonexistent." Convenience is closely related to usability.
This is obviously a simplification, however there's a lot of truth to it. For example, at some level, any form of authentication is going to degrade privacy at some level.
The two opposites are "Complexity vs. Security." Those two exist as opposites only through casual analysis and not as a hard rule. The root of the problem being bad programming. (No finger-pointing needed... the culprit might be a lazy programmer or a demanding boss who cares more about the deadline than quality tested code.)
The fact seems to be that the more complex something becomes, the easier it is to break. So in reality, we should expect to see security improvements with decreased complexity in the U.I. As for other methods of hacking software (such as non-UI doors like APIs and network related exploits) the same rules might apply where keeping the complexity to a minimum might easily lead into less opportunity for exploits and thereby improving security.
Frankly, from where I sit (a non-developer with a basic understanding of programing concepts) I think security issues arrise from really bad programming habits and it's a damned shame that it's just not taught in school... for example, getting graded on your code by avoiding exploitable coding practices and such. As it is, security-minded coding is something that is gained through experience...usually a bad experience.
I've said before and I'll say it again.
"Simplicity is the key to security and usability"
Problems arise in both area's when you try cramming in features at the last minute. Scope/Feature creep are what makes systems (almost anything) indecure/unreliable and ultimatly unusable.
...yup...
Work is punishment for failing to procrastinate effectively.
Something I read somewhere;
'Some people are of the mistaken impression that being secure is synonymous with being a big pain in the ass'
Its so true...
In the free world the media isn't government run; the government is media run.
With SSH I can have secure remote login without password. In addition I get nice things like port-forwarding and compressed connections.
With Telnet I had less functionality, little security and had to either use my password each time or have even less security (rhosts).
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I don't think they are exactly opposites. There are situations where they conflict; e.g. having to enter a password before you can use a service.
Actually, security and usability often go hand in hand. I don't think email would be very usable if people constantly messed with your account. Another example is Windows vs. GNU or BSD: I think Windows has very low usability, due to the knowledge and action required to keep the system healthy. Part of this stems from the bad security of Windows. (puts on asbestos underwear)
Please correct me if I got my facts wrong.
I tried to think of all of the usefull things that I own with one and only one button: flashlight, some of the electrical circuits in my house, electric toothbrush, signal booster for headphones, Taboo buzzer. It's a pretty short list.
If your computer can figure out exactly what I want to do with only 1 button, you should do it without me having to press it.
but of course the windows update page only lets you in if you are on a Microsoft Operating System.
Windows Update, that is windowsupdate.microsoft.com, will only work on MS operating systems using IE. However, patches and service packs are available as binary downloads through the Microsoft Support Center (or whatever they call it) from any browser, any OS. Last time I went to Windows Update, I seem to recall that there was a link to the Download Center where you could download these binaries outside of the 'Windows Update' system. Here is the Download Center.
I however fully expect to have to reinstall everything from scratch in a few months when the next gaping hole is discovered.
Then you've bought into the FUD here. I keep my Win2k box somewhat updated, but strictly firewalled with the unnecessary services turned off. I have not had to reinstall the machine since I got it almost a year ago, and my previous machine ran for years without a reinstall. The only spyware I got was because of my own stupidity when I ran something named "START.EXE" that came along with a crack.. err security patch. I easily removed the spyware with the Adaware/Spybot combo. I use IE only for connecting to sites that do not accept Firefox (my company's webmail and Windows Update). I don't even run AV.. I go to one of the free online scanners every 6 months or so.
It's actually quite simple to keep a Windows box secure, despite what you read here every day.
Security is about mitigating risks. Users can not be asked to mitigate risks that they don't understand or believe in. Users must either a) choose to mitigate the risks or b) be forced to mitigate the risks.
If a user places them self at risk they should have the option to have that risk mitigated. If mitigating the risk causes the user no pain (no extra user action) then automatically mitigating the risk is fine; otherwise, risk mitigation should be opt-in/out-able.
If a system exposes some other entity which has control of the system to risk, that entity may require that if the system is used, the risks to that entity be mitigated. Thus users will be forced to accept the security measures. While some users will try to work around the measures, the measures are required. The measures should be made as easy as possible to accept, though education, reduction of overhead to the user, etc.
This applies to all kinds of security, including law. Drug laws are a good example. "Society" feels at risk from drugs, imposes security measures against drugs, and some "users of society" work around those measures to do drugs anyway. Society tries to make the laws easier to obey through education (propaganda?), by limiting access to drugs, by making drug use riskier, etc. The people that have problems with these laws are those people which do not agree with the risk assessment by society (many) and those which do not care about society but do agree with the risk assessment (few).
Computer security is the same. People have problems with measures when the measures pain them without convincing them of the worth of the cost. You can convince the user by:
- Reducing the cost of the measure to the user (that's UI work).
- Increasing the "return on investment" of the measure perceived by the user (that's education).
So:
- DON'T force security measures on users when the measures only protect the user and when the user doesn't want them.
- DO make the purpose of measures clear.
- DO make the measures as unobtrusive as possible.
Now a lot of risks involving computers do impact more than just the user. Consider worms where local host security hurts your neighbors (as your machine attacks them). This complicates things.
As a human being, you must decide whether you want to force measures on someone that they don't want, to protect only them. I don't like other people forcing decisions on me, so I would implore developers to make such measures optional (on by default if the cost is low and benefit high). You must also decide, whether you will force measures on users that don't want them, for the good of someone other than the user. As an application developer, you must consider that any measure that you force on a user, when they don't want the measure, will be seen by that user as a pain in the ass and will help support competing applications. Also, implementation measures will be criticized for usability just as any part of your application is criticized. There's nothing special about security in terms of usability. UI components for features that users don't understand are distracting and confusing, and bad UI components for features that users do understand are just plain frustrating.
If you start with only usability in mind, and end up with a design that has inherent security flaws, it's easy to end up in a situation where the only way to improve security is to reduce usability. Internet Explorer is, of course, the poster boy fo rthis problem.
If you start with security in mind, and maintain both security and usability goals, you can end up with a much more secure design that, by the end of the day, is also more usable.
For example, if you build a rendering component that doesn't contain a mechanism for breaking out of its sandbox, and then let specific applications add capabilities that objects they directly provide to the rendering engine can use, you can implement almost every piece of functionality that Microsoft designed ActiveX for without having an ever-tightening ring of increasingly annoying restrictions wrapped about the user.
The only difference is that rather than having Internet Explorer at the core of the system, so that everything ends up looking like part of IE, you have a variety of applications with embedded HTML panes that provide the same functionality.
What do you lose? The ability to have remote web pages embed trusted control inside their web pages... instead you need to explicitly install plugins or, for in-house tools, run an "intranet update" that downloads and updates the apps.
This seems less convenient, until you realise the browser is more convenient in other ways because it's not trying to second-guess everything you do... and, once enough people are using it, the convenience of a more spam- and virus- free mailbox has to count for something.