Book Review: Security and Usability
"Security is about inconvenience".
This is what the national Lotus Notes manager for a federal agency said to
me last January at Lotusphere 2005. We were discussing their policy to
block all incoming zip files at the gateway without telling users what
formats would be acceptable as mail attachments. I disagreed with him then
and I find that I am not alone. In Security
and Usability: Designing Secure Systems That People Can Use
(Lorrie Faith Cranor and Simon Garfinkel (Ed), 2005, 716 pages, ISBN 0596008279),
O'Reilly has assembled a comprehensive and far-reaching set of 34 essays
that challenges commonly held beliefs of the information security community
and provides a solid basis to open new dialogues about the trade-offs between
security and usability of systems. Without a doubt, it is now on my recommendation
list of "must read" books for the information security, application
development, system administration, and IT audit communities.
The book is broken down into six sections.
In the first, "Realigning Usability and Security", the reader is
presented with five essays which hammer home the point that if the
security of applications and systems is not made user-friendly, users
can and will find ways to bypass it. This may range from doing whatever
they can to bypass the controls put in place to not using the systems
at all. The next section, "Authentication Mechanisms",
covers topics that include the evaluation of authentication mechanisms,
the problems of passwords, challenge questions, biometrics and more.
The third section, "Secure Systems", covers specific
issues associated with the use of PKI, the sanitizing of equipment being
disposed, desktop security, and security administration tools/practices.
From here, the fourth section, "Privacy
and Anonymity Systems",
deals with the challenging topic of privacy. The essays in this section
focus on human-computer interaction, policies, analysis and more.
The fifth section, "Commercializing Usability: The Vendor Perspective",
sealed the deal for me. Why? Because it allowed the book to grow beyond
a purely academic discussion to a discussion of real world challenges faced
and addressed by vendors. The vendors selected - ZoneAlarm, Firefox, Microsoft,
IBM/Lotus, and the now 'defunct' Groove Networks - are important because
each vendor addresses important issues in strong security and IT governance
as collaboration becomes more important.
The final section, "The Classics", provides 3 essays
focusing on users not being the enemy, a study of KaZaA, and why
people cannot encrypt.
Who Should Read This Book
The topics presented in this book
need to be discussed, even debated, if advances in the field are going
to occur. And this debate should not be limited to the IT security community.
This is because security is everyone's responsibility. As I said at the
beginning of this review, I consider this book to be a "must read"
for the information security, application development, system administration,
and IT audit communities.
The Business Controls Caddy Scorecard
Eagle on a 600 yard Par 5 playing into a stiff wind