What do you think?
Rate this book
Security and Usability: Designing Secure Systems that People Can Use
Human factors and usability issues have traditionally played a limited role in security research and secure systems development. Security experts have largely ignored usability issues--both because they often failed to recognize the importance of human factors and because they lacked the expertise to address them.
But there is a growing recognition that today's security problems can be solved only by addressing issues of usability and human factors. Increasingly, well-publicized security breaches are attributed to human errors that might have been prevented through more usable software. Indeed, the world's future cyber-security depends upon the deployment of security technology that can be broadly used by untrained computer users.
Still, many people believe there is an inherent tradeoff between computer security and usability. It's true that a computer without passwords is usable, but not very secure. A computer that makes you authenticate every five minutes with a password and a fresh drop of blood might be very secure, but nobody would use it. Clearly, people need computers, and if they can't use one that's secure, they'll use one that isn't. Unfortunately, unsecured systems aren't usable for long, either. They get hacked, compromised, and otherwise rendered useless.
There is increasing agreement that we need to design secure systems that people can actually use, but less agreement about how to reach this goal. Security & Usability is the first book-length work describing the current state of the art in this emerging field. Edited by security experts Dr. Lorrie Faith Cranor and Dr. Simson Garfinkel, and authored by cutting-edge security and human-computer interaction (HCI) researchers world-wide, this volume is expected to become both a classic reference and an inspiration for future research.
Security & Usability groups 34 essays into six parts:
1. Realigning Usability and Security---with careful attention to user-centered design principles, security and usability can be synergistic.
2. Authentication Mechanisms -- techniques for identifying and authenticating computer users.
3. Secure Systems--how system software can deliver or destroy a secure user experience.
4. Privacy and Anonymity Systems--methods for allowing people to control the release of personal information.
5. Commercializing Usability: The Vendor Perspective --specific experiences of security and software vendors (e.g., IBM, Microsoft, Lotus, Firefox, and Zone Labs) in addressing usability.
6. The Classics --groundbreaking papers that sparked the field of security and usability.
This book is expected to start an avalanche of discussion, new ideas, and further advances in this important field.
But there is a growing recognition that today's security problems can be solved only by addressing issues of usability and human factors. Increasingly, well-publicized security breaches are attributed to human errors that might have been prevented through more usable software. Indeed, the world's future cyber-security depends upon the deployment of security technology that can be broadly used by untrained computer users.
Still, many people believe there is an inherent tradeoff between computer security and usability. It's true that a computer without passwords is usable, but not very secure. A computer that makes you authenticate every five minutes with a password and a fresh drop of blood might be very secure, but nobody would use it. Clearly, people need computers, and if they can't use one that's secure, they'll use one that isn't. Unfortunately, unsecured systems aren't usable for long, either. They get hacked, compromised, and otherwise rendered useless.
There is increasing agreement that we need to design secure systems that people can actually use, but less agreement about how to reach this goal. Security & Usability is the first book-length work describing the current state of the art in this emerging field. Edited by security experts Dr. Lorrie Faith Cranor and Dr. Simson Garfinkel, and authored by cutting-edge security and human-computer interaction (HCI) researchers world-wide, this volume is expected to become both a classic reference and an inspiration for future research.
Security & Usability groups 34 essays into six parts:
1. Realigning Usability and Security---with careful attention to user-centered design principles, security and usability can be synergistic.
2. Authentication Mechanisms -- techniques for identifying and authenticating computer users.
3. Secure Systems--how system software can deliver or destroy a secure user experience.
4. Privacy and Anonymity Systems--methods for allowing people to control the release of personal information.
5. Commercializing Usability: The Vendor Perspective --specific experiences of security and software vendors (e.g., IBM, Microsoft, Lotus, Firefox, and Zone Labs) in addressing usability.
6. The Classics --groundbreaking papers that sparked the field of security and usability.
This book is expected to start an avalanche of discussion, new ideas, and further advances in this important field.
- GenresSoftwareNonfiction
738 pages, Paperback
First published January 1, 2005
34 people want to read
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 3 of 3 reviews
November 4, 2014
i like this book ! the contents are simple and easy to understand !
March 17, 2015
This is a fascinating, and in general very readable, collection of papers which has aged gracefully by Computer Science standards.
I am particularly interested in how different kinds of requirements interact and impact software design, so a collection of papers dealing with the relationship between non-functional requirements such as usability and security was bound to grab my attention. The book did not disappoint me, even though I read it ten years after it was published.
Due to my bias, it is hardly suprising that I found Part One of the book, Realigning Usability and Security, one of its most interesting part. It includes five papers:
Part Two, Authentication Mechanisms includes seven articles which constitute an interesting survey which will help the newcomer to the field of security become more aware of the possibilites, problems and challenges of password design, the use of challenge questions, graphical passwords, usable biometrics and the more esoteric and, to me at least, rather unconvincing use of typing patterns as authentication mechanisms. I would strongly urge any reader who is struck by any of these schemes to look for updates -a lot has happened in fields such as biometrics in recent years. I would strongly recommend the following articles:
Finally Part VI, purports to include three classic papers on security and usability:
I am particularly interested in how different kinds of requirements interact and impact software design, so a collection of papers dealing with the relationship between non-functional requirements such as usability and security was bound to grab my attention. The book did not disappoint me, even though I read it ten years after it was published.
Due to my bias, it is hardly suprising that I found Part One of the book, Realigning Usability and Security, one of its most interesting part. It includes five papers:
1. Psychological Acceptability Revisited (Matt Bishop)The main lesson the articles try to promote is that it makes no sense to pit security features against usability; if a system´s users find its security features difficult to understand and hard to use, they will not be used or, at the very least, they will not be used correctly, defeating their purpose.
2. Usable Security (M. Angela Sasse, Ivan Flechais)
3. Design for Usability (Bruce Tognazzini)
4. Usability Design and Evaluation for Privacy and Security Solutions (Clare-Marie Karat, Carolyn Brodie, John Karat)
5. Designing Systems that People will Trust (Andrew S. Patrick, Pamela Briggs, Stephen Marsh)
Part Two, Authentication Mechanisms includes seven articles which constitute an interesting survey which will help the newcomer to the field of security become more aware of the possibilites, problems and challenges of password design, the use of challenge questions, graphical passwords, usable biometrics and the more esoteric and, to me at least, rather unconvincing use of typing patterns as authentication mechanisms. I would strongly urge any reader who is struck by any of these schemes to look for updates -a lot has happened in fields such as biometrics in recent years. I would strongly recommend the following articles:
6. Evaluating Authentication Mechanisms (Karen Renaud)Part Three is a rather mixed bag of six articles ranging from proposed schemes to fight phishing, to usable PKI to security administration tools to the problem of dealing with deleting mechanism that do not really delete stuff. I would recommend:
7. The Memorability and Security of Passwords (Jeff Yan, Alan Blackwell, Ross Anderson, Alasdair Grant)
8. Designing Authentication Systems with Challenge Questions (Mike Just)
9. Graphical Passwords (Fabian Monrose, Michael K. Reiter)
10. Usable Biometrics (Lynne Coventry)
13. Guidelines and Strategies for Secure Interaction Design (Ka-Ping Yee)A book like this would not be complete without touching on Privacy and Anonymity Systems. Part IV includes eight articles on this important topic. In this part of the book, a key weakness of the collection emerges: the tendency to study important issues in the context of particular and sometimes, experimental systems which have completely disappeared by now. Privacy is also an area of concern which has exploded in the last decade, which may contribute to my feeling this section of the book to be the one which most falls short. Thus, I would only recommend (and with reservations) the following articles:
14. Fighting Phishing at the User Interface (Robert Miller, Min Wu)
15. (A must read for anyone interested in computer forensics!) Sanitization and Usability (Simon Garfinkel)
18. Security Administration Tools and Practices (Eser Kandogan, Eben M. Haber)
22. Privacy Policies and Privacy Preferences (Lorrie Faith Cranor)I found the five article Part V on Commercializing Usability: The Vendor Perspective, the weakest, least interesting and most dated part of the book. Of course there is certain historical interest in reading about the irruption of Firefox;
24. Informed Consent by Design (Batya Friedman, Peyina Lin, Jessica K. Miller)
26. Anonymity Loves Company: Usability and the Network Effect (Roger Dingledine, Nick Mathewson)
28. Firefox and the Worry-Free Web (Blake Frost)and Microsoft´s rather tepid micro-reply;
29. Users and Trust: A Microsoft Case Study (Chris Nodder)but, I confess that I found the article on IBM Lotus Notes confusing and singularly unhelpful, and the articles on ZoneAlarm and Groove (an interesting idea which probably peaked in 2005 just as Microsoft acquired it) only mildly interesting, perhaps because one feels, perhaps unjustly, that they are vendor biased and the book fails to provide enough context against which to evaluate them.
Finally Part VI, purports to include three classic papers on security and usability:
32. Users are not the enemy (Anne Adams, M. Angela Sasse)
33. Usability and Privacy: A Study of KaZaA P2P File Sharing (Nathaniel S. Good, Aaron Krekelberg)
34. Why Johnny can´t Encrypt (Alma Whitten, J. D. Tygar) - a must read...
The editors and the publisher would be well advised to put together an updated version of this book -the world-wide explosion in security-related incidents and the outcry for more secure systems imply that security and its relation to usability is at the very least as topical and crucial now as it was ten years ago.
October 28, 2021
There have been some interesting developments, when it comes to physical security, since I last looked. Especially when it comes to biometrics.
Displaying 1 - 3 of 3 reviews