Lately I have been hearing a lot about 'usable security'. As its name implies, usable security deals with making sure that security products and processes are usable by those who need them (in this case almost everyone with a computer).
ISO 9241-11 defines usability as the "extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use." Many would argue that if only security were more usable, then users would not (or at least not as much) fall for phishing scams, become infected with malware, or have their machines turned into zombies. Of course, even the very well protected still fall victim to hackers, fraudsters, and the like, but the argument is that if good security practices and products were easy to use and understand, then the volume of Internet fraud, botnets, malware, etc., would be significantly less. If you believe that achieving a goal of usable security would be a huge step in the right direction then keep reading; as computer/network security becomes more of an integral business requirement than an 'add-on' technology, the need for usable security also arises.
Personally, I believe that usable security is accurately defined by industry experts as being difficult and perhaps impossible in some applications. A lot of the challenge does lie in the current complexity of the field. I say "current complexity" with the possibility that this complexity will begin to disappear as users become more technologically savvy. Currently we have a society where understanding computers and security is still limited to an elite group. However, as the demand for knowledge workers continues to rise and the expected computer knowledge and skill of the average user increases, the user's ability to apply security in an effective way should begin to rise. This change, and it will not necessarily be an easy one, will occur through technology continuing to provide effective security solutions, and through user education in security and its effective application. In addition, there will have to be some sort of demand that forces users to learn and apply security. How exactly this will happen or look I do not know, but I expect a time when businesses and governments will say, "if you want to work for or do business with us, you must have at least some minimal (what exactly minimal means in this area is yet to be determined, but I speculate below) knowledge and skill in the computer security field." This type of incentive will be necessary to effect change.
Some still maintain that usable security is an impossibility because of complexity. However, let's consider an incomplete metaphor where society has successfully overcome complexity: driving. Driving is complex. It involves operating the car (turning it on, using headlights/turn signals, controlling speed/direction, etc.), interacting with other drivers (merging, changing lanes, negotiating intersections, etc.), obeying traffic laws, and maintaining the car. To someone completely unfamiliar with motorized transportation, driving can be considered not only restrictively complex, but dangerous. Yet billions of people have learned to drive, and it is a viable and (in many societies) integral part of life. Of course, we live in an imperfect world and there are still car accidents and traffic incidents, but today people consider driving easy and safe. How did this happen? Well, to address the safety issue, car manufacturers have adopted measures such as seat belts and airbags to make cars safer. Similarly, in the security area, programmers and application developers can and will make efforts (e.g. better, more secure code) to make their products safer from attack.
In America, drivers have to pass a test to get their license, and they usually go through a one-year 'permit' period before they get their license, during which they learn to drive by driving with an experienced driver. In addition, there are penalties for unsafe (insecure) driving and entities that enforce these penalties. All this has created an infrastructure such that if a person wants to be able to drive, he must participate in user education and training, and subject himself to consequences if he misuses his driving privilege. If this were mapped over to the security arena, it would mean mandatory training (probably mentoring as well) and testing before permission to enter cyberspace is granted. It also would mean cybercops and laws (that carry deterrent penalties) that they enforce. One can also imagine (security) cyber-ed for offenders, just like drivers-ed.
While most would agree with the need for usable security, no one has a good solution to that need, let alone a good, clear definition of what is required. Surely it is complex, but there are things in today's society that are complex yet considered easy. While I do not believe that there will eventually be a cyber equivalent of getting your driver's license (nor do I think this is the best solution to pursue), I do believe that achieving a goal of usable security will take a lot of work, require overcoming initial opposition, and involve both technical and (perhaps more so) human components.