Thinking about security and usability

IT security (and for that matter, other security concerns too) are often seen as conflicting with usability. There is something to that. If you take any given technology and turn up the level of security it provides, you will almost always decrease the usability of the system.

Consider passwords. If people are allowed to choose their own passwords, they will typically choose something very usable for them. They’ll pick their dog’s name, their wife’s name, their userid, etc. These passwords don’t provide much security. To compensate, we often turn up the security knob and require “stronger” passwords, e.g., minimum of six characters with no dictionary words and multiple “character classes.”

security-usability.pngAdjusting the password strength knob is reasonable to an extent. I’ve recently heard security officers consider requiring fifteen character passwords with multiple character classes. Such a password is unusable. Any system that requires that level of security should not be protected by user chosen passwords and possibly not by passwords at all. To maintain usability, while increasing security, you have to use a new technology.

Consider the graph to the right (click for a larger view). The graph illustrates this principle. The blue line represents a given security technology. As you increase the security, you decrease the usability. In such a security-usability graph, we really want to be in the upper right corner of the graph. But our blue line can’t get us there. When we make the passwords more complicated (secure), they become less usable. To get further up in the graph, we need to change the technology and shift the security curve to the right (the green line). For example, we might allow weaker passwords but require two factor authentication with a smart card.

Unfortunately, many proposed security technologies might even shift the graph to the left (the red line). These technologies provide less security for the same degree of usability.  Think of the prohibition on liquids while flying.  This provides no increase in security, while greatly decreasing the usability (or at least the enjoyability) of flying

security-usability2.pngIf we’re lucky, our security curves don’t look like the graph above and instead look more like the one to the left (click for a larger view). The advantage to a curve like this one is that there’s a fairly natural optimal point. We can increase the security while barely affecting the usability – at least up to a point.

I don’t know what the security curves for most technologies look like. But security technologists need to consider this and determine both the level of security and the level of usability needed in a given system. If you can’t achieve both, then you might need to think about a different approach or a different security technology. Trying to achieve a desired level of security without considering usability will result in the users ignoring or bypassing security in the future.

Just some thoughts.

Comments are closed.