Simson Garfinkel’s “Keep It Simple” article on CSOOnline.com does a nice job of laying out one of the fundamental issues of computer security – how do you balance security against usability.
Garfinkel says:
“If you’re not thoughtful about your approach to balancing computer security with computer usability, you may end up with neither.”
Amen.
He also notes that a few new developments are helping out us users. “Today, features like file encryption and disk sanitization are built directly into applications and operating systems. The result is that using cryptography to protect a document is now much easier.”
Garfinkel advocates something he calls “secure usability”:
“A good user interface sitting atop a strong security substrate is a good start, but it’s still not enough to create applications where security and usability go hand-in-hand. That extra step?something I call “secure usability”?comes from a user interface that guides the user to secure practices by making other practices difficult or impossible.”
His conclusion is definitely worth spending some time to think about.
“I believe that we can ultimately resolve many of the apparent conflicts between security and usability in a way that addresses both concerns. In the case of passwords, the answer would be to use fairly short passwords but to constantly monitor users’ behavior to see if they do anything out of the ordinary. If a salesman, for instance, starts trying to download secret plans for an unannounced product, I would want that salesman stopped?even if he authenticated using a password, a smart card and an iris scanner. The balance between security and usability should be fluid, not fixed.”
We, the users, have already shown over and over again that we need to be protected against ourselves when it comes to security. I think that Garfinkel may be on to something that will actually work in most situations. As they say, however, the devil will be in th details.