Viewpoints
DOI: 10.1145/1592761.1592773
Privacy and security
Usable Security: How to Get It
Why does your computer bother you so much about security, but still isn’t secure? It’s because users don’t have a model for security, or a simple way to keep important things safe.

Computer security today is in bad shape: people worry about it a lot and spend a good deal of money on it, but most systems are insecure.

Security is not about perfection. In principle we can make secure software and set it up correctly, but in practice we can’t, for two reasons:

Bugs: Secure systems are complicated, hence imperfect. Of course software always has bugs, but even worse, security must be set up: user accounts and passwords, access control on resources, and trust relationships between organizations. In a world of legacy systems, networked computers, mobile code, and changing relationships between organizations, setup is error-prone.

Conflicts: Even more important, security gets in the way of other things you want. In the words of General B. W. Chidlaw, “If you want security, you must be prepared for inconvenience.”[a] For users and administrators, security adds hassle and blocks progress. For software developers, it interferes with features and with time to market.

[a] Chidlaw, B. Dec. 12, 1954. Quoted by the International Spy Museum, Washington D.C.

To make things worse, security is fractal: Each part is as complex as the whole, and there are always more things to worry about. Security experts always have a plausible scenario that demands a new option, and a plausible threat that demands a new defense. There’s no resting place on the road to perfection.

Security is really about risk management: balancing the loss from breaches against the costs of security. Unfortunately, both are difficult to measure. Loss is the chance of security breaches times the expense of dealing with them. Cost is partly in dollars budgeted for firewalls, software, and help desks but mostly in the time users spend typing and resetting passwords, responding to warnings, finding work-arounds so they can do their jobs, and so forth. Usually all of these factors are unknown, and people seldom even try to estimate them.

More broadly, security is about economics.[2] Users, administrators, organizations, and vendors respond to the incentives they perceive. Users just want to get their work done; they don’t have good reasons to value security, and view it as a burden. If it’s hard or opaque, they will ignore it or work around it; given today’s poor usability they are probably doing the right thing. If you force them, less useful work will get done.[1] Tight security
