Preface

There’s an old joke that computers are actually easy machines to secure: just turn them off, lock them in a metal-lined room, and throw away the key. What you end up with is a machine that is very secure, just not very usable.

Of course, people need to use computers, not just think about them. So while this secure computer is safe in its metal can, people who need to get their jobs done will use other computers with significantly weaker security properties. They may have their passwords recorded by keystroke loggers and sent to bad guys in Russia. They may go to web banking sites that happen to be run by illegal cartels in South America. They may use portable laptops that are targeted and stolen at trade shows. And when they are done, they may format their hard drives and throw them away—unaware that their computer’s “format” command doesn’t delete any data at all.

Many people believe that there is an inherent tradeoff between security and usability. A computer without passwords is usable, but not very secure. On the other hand, a computer that makes you authenticate every five minutes with your password and a fresh drop of blood might be very secure, but nobody would want to use it.

But as the world around us makes clear every day, if people are unable to use secure computers, they will use computers that are not secure. At the end of the day, computers that are theoretically secure but not usable do little to improve the security of their users, because these machines push their users away to less secure platforms.

As it turns out, the converse is also true: systems that are usable but not secure are, in the end, not very usable either. That’s because these systems don’t last: they get hacked, compromised, and otherwise rendered useless. In November 2002, the Honeynet Project documented that unpatched Windows 2000 computers placed on the Internet were being compromised after just five minutes.[1] And this is not a problem that is confined to Microsoft operating systems: systems running Linux and other operating systems are also compromised with alarming frequency—just not quite so fast, because there are fewer worms running loose on the Internet that can infect these systems.

Goals of This Book

In 1975, Jerome Saltzer and Michael Schroeder[2] identified psychological acceptability as one of the eight key principles for building secure systems. In 1983, Donald Norman[3] noted that many user errors resulting in data loss are often the result, in part, of poor interface design. “People will make errors, so make the system insensitive to them,” he wrote. Instead of simply requiring confirmation of irreversible actions—confirmations that themselves become automatic—Norman argued that systems should be designed so that their actions are both visible and undoable.

While there is much agreement among security practitioners that we need to find ways of designing secure systems that people can use, there is less agreement about how to reach this goal. In this book, we have brought together chapters that discuss case studies of usable secure system design along with the latest thinking about how to approach this problem. While we can’t offer you a step-by-step foolproof approach to usable secure system design, we hope this book will inform future design efforts and give developers important insights that will lead to successful designs.

Audience for This Book

In creating the first book to be focused entirely on the subject of usability and security, we had a difficult decision to make. Did we want an academic book, one focusing on the growing amount of research in this burgeoning field, or did we want a book for practitioners, one with a heavy emphasis on practice and many recommendations for specific actions?

In the end, we decided to create a book that has both academic and professional leanings, but that stresses theory and fundamental principles whenever possible. Our reasoning is simple: this is such a young field that we did not think it would be in the interest of our readers for us to spend considerable time or space documenting the “best of the worst” practices, circa 2005. Instead, we chose to present readers with information that they could use to form their own understanding of how to improve the alignment of security and usability.

That’s not to say that we have shied away from practical advice: this book is filled with practical prescription on the use and evaluation of such technologies as biometrics and USB authentication tokens. We have provided step-by-step guidance to help in conducting usability studies. We have included specific recommendations for the construction of next-generation applications and operating systems that, we hope, will be both more secure and more usable.

Nevertheless, when faced with a choice, we have decided to include the results of experiments, academic references, and suggestions for future research. Our goal is to make this book useful first for researchers in the field of security and usability, then for students, and finally for professionals.

We have also taken a decidedly security-centric view in presenting this material. We view our audience as primarily security researchers and professionals who now realize the need for increased usability in their systems. We assume familiarity with security terminology, even as we pause to give step-by-step instructions on conducting user studies and the principles of user-centered design. The reason is simple: progress in the alignment of usability and security needs to come from security practitioners—the people who literally hold the keys to today’s operating systems. Until they truly believe that the usability of a system is of equal importance to its theoretical security properties, we will not see significant progress in this important field. We believe this book also offers something for members of the human-computer interaction and usability communities, who we hope will be increasingly working side by side with security professionals to develop secure systems that people can use.

Structure of This Book

This book is divided into 6 parts consisting of 34 chapters.

Part I, Realigning Usability and Security

In this part of the book, we state our premise: that security and usability can be synergistic. The chapters in this part argue that, with careful attention to user-centered design principles, significant progress can be made toward this goal:

  • Chapter One, Psychological Acceptability Revisited, by Matt Bishop, takes a new look at the question of how to align security and usability: although the need to consider usability in the design of security systems is recognized more now than it was in the past, designers still need to create systems that are easy to install, provide adequate protection mechanisms, and are unobtrusive to use. This is a solvable problem, and there is much work to do.

  • Chapter Two, Usable Security, by M. Angela Sasse and Ivan Flechais, lays the groundwork for our volume. It argues that the actual security provided by a computer system is the product of human factors, policies, and security mechanisms. Ignore any one of them, and security suffers.

  • Chapter Three, Design for Usability, by Bruce Tognazzini, states a truism that is ignored all too frequently: the goal of computer security professionals must be to build systems that are actually secure, rather than to build systems that are theoretically secure. Many security “compromises” in the interest of usability aren’t compromises at all—they are frequently improvements, because the systems that are “theoretically secure” are so hard to use that people avoid or sabotage them in practice.

  • Chapter Four, Usability Design and Evaluation for Privacy and Security Solutions, by Clare-Marie Karat, Carolyn Brodie, and John Karat, introduces tools for performing usability evaluations and shows how they can integrate into the product development life cycle. The chapter then describes how these tools were applied to two different security products at IBM.

  • Chapter Five, Designing Systems That People Will Trust, by Andrew S. Patrick, Pamela Briggs, and Stephen Marsh, examines the issue of trust for security and privacy systems. The interface with which the end user interacts plays a central role in building or breaking that trust. It is the interface—whether it is a computer screen, a web site, a standalone kiosk, or a telephone system—that must convey all the features and limitations of the underlying service to the user. The authors show how successful trust designs can have a positive impact on both products and services.

Part II, Authentication Mechanisms

The chapters in this part of the book take an in-depth look at techniques for identifying and authenticating computer users to systems that are both local and remote:

  • Chapter Six, Evaluating Authentication Mechanisms, by Karen Renaud, considers the range of authentication systems that are currently available and presents a framework for evaluating their strengths and weaknesses.

  • Chapter Seven, The Memorability and Security of Passwords, by Jeff Yan, Alan Blackwell, Ross Anderson, and Alasdair Grant, presents the results of a study of password usage among university students. The study finds that some conventional wisdom given in the choice and maintenance of passwords is correct, and other advice is “bunk.”

  • Chapter Eight, Designing Authentication Systems with Challenge Questions, by Mike Just, considers the role of questions like “what is your mother’s maiden name” and “who was your favorite teacher” for authenticating users. Challenge questions can be used very effectively for self-service password resetting and as an additional identifier—especially on systems that are rarely used. On the other hand, a poorly implemented challenge system can compromise security while simultaneously decreasing usability. Once again, careful design and analysis are required for favorable outcomes.

  • Chapter Nine, Graphical Passwords, by Fabian Monrose and Michael K. Reiter, considers systems that use password substitutes such as passfaces or other systems for graphical authentication. Although these systems are not popular today, their use might skyrocket in coming years as security managers struggle to find a solution to the problem of forgotten passwords. Monrose and Reiter evaluate the wisdom of such proposals.

  • Chapter Ten, Usable Biometrics, by Lynne Coventry, evaluates the applicability of biometrics for user identification and authentication. Although Coventry is interested primarily in the appropriateness of biometrics for automatic teller machines (ATMs), her findings are generally applicable.

  • Chapter Eleven, Identifying Users from Their Typing Patterns, by Alen Peacock, Xian Ke, and Matt Wilkerson, evaluates keystroke dynamics as a potential biometric. This is an exciting biometric because it can be measured by practically every desktop and laptop computer on the planet; keystroke dynamics can also be measured passively by the operating system—or even covertly. Although this biometric is relatively unused today, it has the potential to become widely adopted.

  • Chapter Twelve, The Usability of Security Devices, by Ugo Piazzalunga, Paolo Salvaneschi, and Paolo Coffetti, compares the usability of smart cards, USB tokens, and multifunction USB tokens that include both memory and features for using private keys. The authors find that multifunction tokens address many of the usability problems experienced with smart cards in the past.

Part III, Secure Systems

The chapters in this part of the book examine how system software can deliver or destroy a secure user experience:

  • Chapter Thirteen, Guidelines and Strategies for Secure Interaction Design, by Ka-Ping Yee, explores specific principles and techniques that can be used for aligning security and usability in the user interfaces of desktop operating systems.

  • Chapter Fourteen, Fighting Phishing at the User Interface, by Robert C. Miller and Min Wu, explores systems that have been proposed for web browsers and email systems to help users resist so-called “phishing” attacks.

  • Chapter Fifteen, Sanitization and Usability, by Simson Garfinkel, looks at a problem that is present in practically every computer on the planet: when users instruct their computer to “delete” information, the information isn’t deleted—it’s simply made invisible. Garfinkel tracks the history of this problem, discusses the results of a research project that demonstrates the problem’s seriousness, and then presents a concrete solution.

  • Chapter Sixteen, Making the Impossible Easy: Usable PKI, by Dirk Balfanz, Glenn Durfee, and D.K. Smetters, shows that many of the perceived difficulties in deploying systems based on public key infrastructure (PKI) technology can be simplified by scaling back expectations. Instead of using PKI to identify people, use it to identify computers. Instead of trying to come up with iron-clad techniques for making sure that certificates are uniquely validated, use physical locality as a proxy for trust, and give a certificate to any laptop that is present inside a secure room. Instead of trying to teach people how to use an overly complex interface, create a one-click installer that simplifies the interface under consideration. The result is that people will have a system that mostly works—a significant improvement over many of today’s PKI deployments, which mostly don’t work.

  • Chapter Seventeen, Simple Desktop Security with Chameleon, by A. Chris Long and Courtney Moskowitz, reports on an experimental system that applies the principles of compartmentalized workstations of the 1990s to 21st century desktop computing. By understanding user goals and typical roles, the authors have created a system that allows users to move from task to task, and protection level to protection level, with considerable fluidity.

  • Chapter Eighteen, Security Administration Tools and Practices, by Eser Kandogan and Eben M. Haber, applies ethnographic tools to the study of system administration and comes up with a surprising conclusion: despite the fact that there has been considerable work in the past 20 years on system administration tools, most administration work is painfully manual work based on the line-by-line analysis of voluminous log files. The best system administrators are programmers, cooking up quick scripts and programs to solve the problem of the minute. Is there hope? The authors think that there is. Based on their analysis of administrators’ tasks, they make concrete proposals for future tool development.

Part IV, Privacy and Anonymity Systems

This part of the book is devoted to systems that allow people to control the release of their personal information, enabling them to use the Internet in relative anonymity if they so desire:

  • Chapter Nineteen, Privacy Issues and Human-Computer Interaction, by Mark S. Ackerman and Scott D. Mainwaring, provides an overview of what human-computer interaction offers to those designing and studying privacy mechanisms.

  • Chapter Twenty, A User-Centric Privacy Space Framework, by Benjamin Brunk, reports on Brunk’s examination of 134 privacy-enhancing tools, systems, and services. He creates a definition of what is meant by the term privacy solution and maps out the space of features provided by different systems. As a result of this taxonomy, it’s possible to compare different solutions in terms of what the competing approaches offer.

  • Chapter Twenty One, Five Pitfalls in the Design for Privacy, by Scott Lederer, Jason I. Hong, Anind K. Dey, and James A. Landay, evaluates a difficult-to-use interface that the authors have created for controlling one’s privacy, and draws lessons from the project’s mistakes.

  • Chapter Twenty Two, Privacy Policies and Privacy Preferences, by Lorrie Faith Cranor, discusses the World Wide Web Consortium’s Platform for Privacy Preferences (P3P) system and several prototype P3P user agents designed to warn users if their privacy desires are not in line with the privacy practices of the web site that they are visiting. One of Cranor’s most important discoveries is that most people have little experience articulating their privacy preferences—most people have never been asked to do so before. And because most people’s privacy preferences are often complex and nuanced, people tend to make different decisions when the questions are posed in isolation versus when they are posed in context.

  • Chapter Twenty Three, Privacy Analysis for the Casual User with Bugnosis, by David Martin, discusses a plug-in for Microsoft’s Internet Explorer that allows users to see and hear web bugs—those otherwise silent and invisible tracking devices that are pervasive on the Internet today. As Martin makes clear, his audience for Bugnosis was not the casual user: it was journalists. By making web bugs salient for them, Martin hoped that Bugnosis would help promote the cause of public education on this Internet surveillance system.

  • Chapter Twenty Four, Informed Consent by Design, by Batya Friedman, Peyina Lin, and Jessica K. Miller, discusses how the underlying technologies of the Internet do and do not promote the principle of informed consent.

  • Chapter Twenty Five, Social Approaches to End-User Privacy Management, by Jeremy Goecks and Elizabeth D. Mynatt, discusses Acumen, a browser plug-in that lets Internet users share information about how their friends, associates, and trusted opinion leaders view the privacy practices of various web sites. Instead of sharing reports or postings, Acumen does this by allowing users to learn how other users have decided to handle cookies. One of the delicious tensions in this project is the way that Acumen allows information that is inherently private to be shared in a manner that is, more or less, public.

  • Chapter Twenty Six, Anonymity Loves Company: Usability and the Network Effect, by Roger Dingledine and Nick Mathewson, explores similar tensions in the design and deployment of anonymity technology—systems that allow users to browse the Web and communicate anonymously with one another.

Part V, Commercializing Usability: The Vendor Perspective

The chapters in this part of the book look at specific experiences of security and software vendors in addressing the issue of usability:

  • Chapter Twenty Seven, ZoneAlarm: Creating Usable Security Products for Consumers, by Jordy Berson, a senior product manager at Zone Labs, relates his experiences with ZoneAlarm in producing a firewall that is used by tens of millions of naïve users on a daily basis.

  • Chapter Twenty Eight, Firefox and the Worry-Free Web, by Blake Ross, a lead developer on the Firefox project, discusses the specific decisions that have been made to make a web browser that works with users to create a secure online experience—instead of tempting users into compromising their security.

  • Chapter Twenty Nine, Users and Trust: A Microsoft Case Study, by Chris Nodder, discusses similar usability and security decisions that went into the creation of Microsoft Internet Explorer—and specifically the modifications to Explorer that were made as part of the work on Windows XP Service Pack 2.

  • Chapter Thirty, IBM Lotus Notes/Domino: Embedding Security in Collaborative Applications, by Mary Ellen Zurko, a longtime member of the Notes development team, discusses several specific security features in IBM Lotus Notes and Domino, a secure messaging system that has more than 100 million users, yet whose security features are relatively hidden.

  • Chapter Thirty One, Achieving Usable Security in Groove Virtual Office, by George Moromisato, Paul Boyd, and Nimisha Asthagiri, shows how security properties similar to those offered by Notes/Domino can be achieved in a peer-to-peer environment where users are largely responsible for their own security.

Part VI, The Classics

This part of the book is our collection of classic papers on security and usability that everybody should read!

  • Chapter Thirty Two, Users Are Not the Enemy, by Anne Adams and M. Angela Sasse, and previously published in Communications of the ACM, discusses the results of a user study measuring password compliance at a major corporation in the 1990s. Adams and Sasse found that even though users may be the weakest link in the chain, they don’t want to be the weakest link in the chain. Organizations must work to give users the information and the tools necessary so that they can be part of the solution.

  • Chapter Thirty Three, Usability and Privacy: A Study of KaZaA P2P File Sharing, by Nathaniel S. Good and Aaron Krekelberg, and previously published at the prestigious ACM CHI Conference on Human Factors in Computing Systems, discusses the results of a study in which users of the popular KaZaA file-trading program were astonished to discover just how much information the program actually makes available to others on the Internet.

  • Chapter Thirty Four, Why Johnny Can’t Encrypt, by Alma Whitten and J. D. Tygar, and previously published at the USENIX Security Conference, shows that even highly acclaimed security programs with allegedly easy-to-use interfaces can nevertheless have profound usability problems because of inherent properties in security software.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic

Used for URLs, file and directory names, emphasis, and the first occurrence of terms

Constant width

Used for code examples and literals

Safari Enabled

When you see a Safari® Enabled icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.

Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top technical books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the United States and Canada)
(707) 829-0515 (international/local)
(707) 829-0104 (fax)

There is a web page for this book, which lists errata and any additional information. You can access this page at:

http://www.oreilly.com/catalog/securityusability/

To comment or ask technical questions about this book, send email to:

For more information about books, conferences, software, Resource Centers, and the O’Reilly Network, see the O’Reilly web site at:

http://www.oreilly.com

Acknowledgments

In fall of 2003, we discovered that we were both thinking about editing a book on usability and security. We were in the middle of other projects at the time, but several months later we talked about it again and decided to work together on a proposal and shop it around to publishers. Our original plan was to spend about two years recruiting and editing chapters. However, when Deborah Russell at O’Reilly saw our proposal, she asked us if we could finish the book in less than a year. We agreed, and in May 2004, we began recruiting chapters.

That May we were completely engaged in the topic of usability and security. Together, we were in the process of editing a special issue of IEEE Security & Privacy on this topic, Lorrie was organizing a Workshop on Usable Privacy and Security Software, and Simson was finishing up a Ph.D. thesis in the area. As a result, we had a good idea of who was doing work in the domain. Most of the prospective authors we approached agreed to participate, and by September we started receiving first drafts of chapters.

We are indebted to the 62 authors who contributed the 32 chapters not written by us. Without their efforts this book would not have been possible. Unlike many edited volumes in which most chapters are slightly edited versions of conference papers, this book contains many completely original chapters that were written specifically for this book. In addition, with the exception of the classic papers in the final part of this book, the chapters that did begin as conference papers have been substantially reworked to reflect the style and emphasis of this book. We appreciate the authors’ efforts to accommodate our many requests to refocus their chapters and highlight practical advice. In addition to writing and revising their own chapters, the authors also helped to review each other’s chapters. As a result, every chapter in this book has benefited from the feedback of at least three reviewers.

We would like to thank the members of the CMU Usable Privacy and Security Laboratory who reviewed draft chapters, especially Rob Reeder, Cynthia Kuo, Chris Long, Jason Hong, Serge Egelman, and Matthew Geiger. We would also like to thank Robert Miller, Min Wu, and Ariel Rideout at MIT for their comments.

We are grateful to Beth Rosenberg for helping us edit several of the most difficult and demanding chapters.

Lorrie would like to thank her husband, Chuck, and her children, Shane and Maya, for all their love and support while she worked on this book. Simson would like to thank his wife, Beth, and his children, Sonia, Jared, and Draken, who barely saw their father for nearly eight months while he worked on this book, another book, and his dissertation.

We would like to thank Deborah Russell, our wonderful editor at O’Reilly, for her great editing job and for helping to keep us (mostly) on schedule. And thanks as well to the entire O’Reilly production team, including Mary Brady, the production editor; Audrey Doyle, the copyeditor; Rob Romano, the illustrator; and Nancy Crumpton, the indexer.

In addition, many of the chapters provide individual acknowledgments.

[1] The Honeynet Project, “Forensics” (Jan. 29, 2003); http://honeynet.overt.org/index.php/Forensics.

[2] J. Saltzer and M. Schroeder, “The Protection of Information in Computer Systems,” Proceedings of the IEEE 63:9 (1975), 1278–1308.

[3] D. A. Norman, “Design Rules Based on Analyses of Human Error,” Communications of the ACM 26:4 (1983), 254–258.