Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

11/29/2017
10:30 AM
Tyler Shields
Commentary
Why Security Depends on Usability -- and How to Achieve Both

Any initiative that reduces usability will have consequences that make security less effective.

Security and usability are a zero-sum game. Effective security has to come at the expense of usability, and vice versa. That's the way it always has been, and so it always will be. Right?

Well, not necessarily — in fact, not at all. In the real world, any security initiative that degrades usability will lead to unintended consequences — user workarounds, rejection by the business — that make it less effective. The highest levels of security can be achieved only with an equally high level of usability.

Rapidly improving technologies and methods are making it more feasible than ever to achieve the best of both worlds: effective security with a better user experience. The first step is to reframe your objectives. "Perfect" security isn't perfect if it makes the product or solution unusable. Instead, your goal should be to satisfy your security requirements while maximizing usability — and thus ensure that your methods will deliver effective protection as intended. Here's how.

The Department of Yes
Security is rightly seen as a mission-critical requirement — something that must be built into your products and your business. Traditionally, this has led to security teams operating as the Department of No. Developers submit their code to the application security team and get back a list of no-no's to be cleaned up. Business users seeking access to cloud services, new software, and third-party integrations are told "No — it's not secure." The message is clear: security is a constraint, not an enabler. If you want to get something done, the last thing you want to do is ask permission. The result is shadow IT, where users (and developers) do whatever they want without working through official channels, and without the scrutiny of the Department of No.

It's easy to see how this leads to a much less secure state of affairs. Operating with the default stance of "no" creates a scenario where users, operators, and developers actively avoid the help and influence of those who best understand security requirements. 

Customers and Users Care about Features — not Security
The past is littered with examples of developers and businesses that placed a premium on security without considering usability and ended up with failure. For example, look no further than the ubiquitous login and password.

Login-based security has been around for decades and has been the target of hackers for nearly as long. Its familiarity makes it easy to overlook its poor design, but in reality, it's one of the worst authentication methods currently available. Even before the advent of mobile devices, users routinely weakened the passwords they used in order to be able to type them quickly or remember them easily. They chose short, guessable words or strings, which fall just as quickly to dictionary and brute-force attacks, and reused them everywhere, so a single breached site exposed every other account that shared the password.

With the introduction of mobile keyboards, typing speed has dropped drastically. On a full-size laptop keyboard, the average person types approximately 38 to 40 words per minute (WPM). On an iPad, that number drops, and on an iPhone, the average probably drops further, to 20 WPM. It's getting harder to enter text as passwords, making it even more tempting to use the shortest, simplest password possible.

Fortunately, we're finally seeing better alternatives for user authentication. But how many hacks on logins have been executed in the meantime?

The Goal: Security Controls That Enhance the User Experience
Layering in usability as a principle of security design helps ensure that controls aren't bypassed, ignored, or dumbed down in trade for convenience, which raises the level of effective security. One way to connect security controls with usability is by leveraging data and context. Again using authentication as an example, there has been significant innovation in combining contextual signals such as location and device fingerprint with biometrics such as retina, eye-tracking, fingerprint, and even heartbeat to enable more user-friendly authentication.

The goal of any security control should be the best security that can be implemented while enhancing the user experience for the technology being secured. Many times, this will come in the form of security invisibility, but sometimes it's simply a matter of lessening the interface burden on the user. People may balk at memorizing an endless number of long, complex passwords, but a quick biometric input, complemented behind the scenes with device, time, and location analytics, can be accepted painlessly without a second thought. One caveat a practitioner will raise: a fingerprint or retina cannot be reissued if its template leaks, so biometrics work best as a local unlock of a device-bound credential, with the contextual analytics deciding when to ask the user for anything more.
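As an added example (not code from the article, nor from CA Technologies), here is a small risk-based authentication decision in Python in the spirit of the section above: a login that passes a local biometric check on a known device, from a plausible location, at a usual hour is allowed with no further friction; an unknown device or an impossible-travel jump forces a second factor; both together block the attempt. The signal names, weights, thresholds, the 900 km/h travel limit, and the sample logins are all assumptions constructed for the illustration.

```python
"""Risk-based login decision: invisible when context looks normal, step-up only
when it does not. Added example; thresholds and signals are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple

# Policy knobs (assumed values, not taken from the article).
STEP_UP_AT = 30             # score at or above this requires a second factor
DENY_AT = 70                # score at or above this is blocked and alerted on
MAX_PLAUSIBLE_KMH = 900.0   # faster than a commercial flight = "impossible travel"
MIN_TRAVEL_KM = 50.0        # ignore small jumps caused by geolocation jitter


@dataclass
class LoginAttempt:
    user: str
    device_id: str        # hash of a stable device identifier (assumed to exist)
    lat: float
    lon: float
    ts: datetime          # UTC
    biometric_ok: bool    # platform reported a successful local biometric unlock


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_ts: Optional[datetime] = None
    usual_hours: range = range(7, 22)   # UTC hours this user normally signs in


def make_attempt(user: str, device_id: str, lat: float, lon: float,
                 iso_ts: str, biometric_ok: bool = True) -> LoginAttempt:
    """Convenience constructor taking an ISO-8601 UTC timestamp string."""
    return LoginAttempt(user, device_id, lat, lon,
                        datetime.fromisoformat(iso_ts), biometric_ok)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(attempt: LoginAttempt, history: UserHistory) -> Tuple[int, List[str]]:
    """Additive score over context signals, with the reasons that fired."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 40
        reasons.append("unknown device")
    if history.last_ts is not None and history.last_lat is not None:
        hours = (attempt.ts - history.last_ts).total_seconds() / 3600.0
        km = haversine_km(history.last_lat, history.last_lon, attempt.lat, attempt.lon)
        # Only a real jump counts; then check whether it was physically possible.
        if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            score += 50
            reasons.append("impossible travel")
    if attempt.ts.hour not in history.usual_hours:
        score += 15
        reasons.append("unusual hour")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory) -> str:
    """'allow' (no extra friction), 'step_up' (ask for a second factor), or 'deny'."""
    score, _ = risk_score(attempt, history)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT or not attempt.biometric_ok:
        return "step_up"
    return "allow"


def record_success(attempt: LoginAttempt, history: UserHistory) -> None:
    """After a successful (possibly stepped-up) login, trust the device and location."""
    history.known_devices.add(attempt.device_id)
    history.last_lat, history.last_lon, history.last_ts = attempt.lat, attempt.lon, attempt.ts


def sample_history() -> UserHistory:
    """Constructed history: last login from a known laptop in New York at 13:00 UTC."""
    return UserHistory(known_devices={"dev-laptop-01"}, last_lat=40.7128, last_lon=-74.0060,
                       last_ts=datetime.fromisoformat("2017-11-29T13:00:00"))


def run_samples() -> Dict[str, str]:
    """Constructed login attempts (not real data) and the decision each one gets."""
    h = sample_history()
    cases = {
        "same laptop, same city, 15:00":
            make_attempt("alice", "dev-laptop-01", 40.73, -73.99, "2017-11-29T15:00:00"),
        "new phone, same city":
            make_attempt("alice", "dev-phone-07", 40.73, -73.99, "2017-11-29T15:00:00"),
        "same laptop, London one hour later":
            make_attempt("alice", "dev-laptop-01", 51.5074, -0.1278, "2017-11-29T14:00:00"),
        "new device, London one hour later":
            make_attempt("alice", "dev-unknown", 51.5074, -0.1278, "2017-11-29T14:00:00"),
    }
    return {label: decide(a, h) for label, a in cases.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{verdict:8s} {label}")
```

In a real deployment the device identifier would come from a device-bound credential or platform attestation rather than a browser fingerprint, the history store would be per user and persisted, and a "deny" would also raise an alert; the structure is what matters here: the extra step appears only when the context looks wrong, and the common case stays invisible.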

Minimum Viable Security
To help product designers, developers, and business owners create secure solutions while focusing on usability, I propose a concept I call "Minimum Viable Security." 

Let's look at security as a continuum from "no security" to "perfect security" and overlay that with two circles. In one circle, we have levels of security that people will accept in their products before this degrades the usability to an unacceptable degree. In the second circle, we have the levels of security deemed acceptable by security stakeholders. The overlap between these two represents the point where customers and users will accept the solution, and security team members will be satisfied that it meets their requirements. This is the target we're aiming for: the point of minimum viable security, where the solution provides both viable security and maximum usability.

By embracing this concept, businesses can build solutions, applications, and products that provide effective security while maximizing value and utility for customers and users. Security teams can respond more meaningfully to requests for new technologies and services; instead of simply saying no, they can provide guidance for meeting security requirements without impairing usability. When the focus shifts from perfect security to viable security, and usability is treated as an equally vital design priority, organizations can meet the needs of users and the business.

Perhaps most importantly, this more nuanced approach can help reaffirm the credibility of the security team within the organization. Developers and users become more willing to work through proper channels, increasing visibility and control for security teams by reducing the drivers of shadow IT. The security strategy becomes fully operational, not aspirational — and the business gets the protection it needs. 

Tyler Shields is Vice President of Portfolio Strategy at CA Technologies. Prior to joining CA, Shields covered all things applications, mobile, and IoT security as distinguished analyst at Forrester Research. Before Forrester, he managed mobile solutions at Veracode, where he ... View Full Bio

Comments

Joe Stanganelli
User Rank: Ninja
11/29/2017 | 8:38:06 PM
Uber
That desire for features and usability over security works the other way too. Just look at Uber. Uber riders are still riding; Uber drivers are still driving. securitynow.com/author.asp?section_id=613&doc_id=738433&