Risk

11/29/2017
10:30 AM
Tyler Shields
Commentary
Why Security Depends on Usability -- and How to Achieve Both

Any initiative that reduces usability will have consequences that make security less effective.

Security and usability are a zero-sum game. Effective security has to come at the expense of usability, and vice versa. That's the way it always has been, and so it always will be. Right?

Well, not necessarily — in fact, not at all. In the real world, any security initiative that degrades usability will lead to unintended consequences — user workarounds, rejection by the business — that make it less effective. The highest levels of security can be achieved only with an equally high level of usability.

Rapidly improving technologies and methods are making it more feasible than ever to achieve the best of both worlds: effective security with a better user experience. The first step is to reframe your objectives. "Perfect" security isn't perfect if it makes the product or solution unusable. Instead, your goal should be to satisfy your security requirements while maximizing usability — and thus ensure that your methods will deliver effective protection as intended. Here's how.

The Department of Yes
Security is rightly seen as a mission-critical requirement — something that must be built into your products and your business. Traditionally, this has led to security teams operating as the Department of No. Developers submit their code to the application security team and get back a list of no-no's to be cleaned up. Business users seeking access to cloud services, new software, and third-party integrations are told "No — it's not secure." The message is clear: security is a constraint, not an enabler. If you want to get something done, the last thing you want to do is ask permission. The result is shadow IT, where users (and developers) do whatever they want without working through official channels, and without the scrutiny of the Department of No.

It's easy to see how this leads to a much less secure state of affairs. Operating with the default stance of "no" creates a scenario where users, operators, and developers actively avoid the help and influence of those who best understand security requirements. 

Customers and Users Care about Features — not Security
The past is littered with examples of developers and businesses that placed a premium on security without considering usability and ended in failure. For an example, look no further than the ubiquitous login and password.

Login-based security has been around for decades and has been the target of hackers for nearly as long. Its familiarity makes it easy to overlook its poor design, but in reality, it's one of the worst authentication methods currently available. Even before the advent of mobile devices, users routinely weakened the passwords they used in order to be able to type them quickly or remember them easily. They chose simple-to-guess words or strings (which were equally simple to brute-force), and reused them everywhere.

With the introduction of mobile keyboards, typing speed has dropped drastically. On a full-size laptop keyboard, the average person types approximately 38 to 40 words per minute (WPM). On an iPad, that number drops, and on an iPhone, the average probably drops further, to 20 WPM. It's getting harder to enter text as passwords, making it even more tempting to use the shortest, simplest password possible.

Fortunately, we're finally seeing better alternatives for user authentication. But how many hacks on logins have been executed in the meantime?

The Goal: Security Controls That Enhance the User Experience
Layering in usability as a principle of security design helps ensure that controls aren't bypassed, ignored, or dumbed down in exchange for convenience, which raises the level of effective security. One way to connect security controls with usability is by leveraging data and context. Again using authentication as an example, there has been significant innovation in which contextual data such as location, device fingerprint, retina, eye-tracking, fingerprint, and even heartbeat enable more user-friendly authentication.

The goal of any security control should be the best security that can be implemented while enhancing the user experience for the technology being secured. Many times, this will come in the form of security invisibility, but sometimes it's simply a matter of lessening the interface burden on the user. People may balk at memorizing an endless number of long, complex passwords, but a quick biometric input, complemented behind the scenes with device, time, and location analytics, can be accepted painlessly without a second thought.
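The two paragraphs above describe the pattern informally: collect context the user never has to type (device, location, time) and let it decide how much friction to apply. The block below is an added example written for this article, not code from the author or from any product the article mentions. It implements a small risk-based step-up decision: every signal contributes a weight, the total picks the least intrusive control that satisfies it, and a biometric already supplied by the client covers the step-up so the common case stays invisible. The user profile, device fingerprints, login events, weights and thresholds are all constructed sample values; a real deployment would tune them against its own login history.

```python
"""Context-aware (risk-based) step-up authentication decision.

Added example for the article above; not the author's code and not any
product's API. Profiles, fingerprints, events, weights and thresholds are
constructed sample values (assumptions), not measured data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class UserProfile:
    user_id: str
    known_devices: set[str]      # fingerprint hashes seen on prior successful logins
    usual_countries: set[str]    # countries this user normally logs in from
    usual_hours_utc: range       # hours of day (UTC) when the user is normally active


@dataclass
class LoginContext:
    user_id: str
    device_fingerprint: str
    country: str
    timestamp: datetime          # must be timezone-aware
    biometric_passed: bool = False   # True if the client already verified a biometric


# Assumed risk weights and thresholds (tunable; not from the article).
RISK_UNKNOWN_DEVICE = 40
RISK_UNUSUAL_COUNTRY = 35
RISK_UNUSUAL_HOUR = 15
THRESHOLD_SILENT = 20    # at or below: no extra friction at all
THRESHOLD_STEP_UP = 60   # at or below: one quick second factor is enough


def risk_score(profile: UserProfile, ctx: LoginContext) -> int:
    """Sum the risk contributions of the passive context signals."""
    if ctx.timestamp.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    score = 0
    if ctx.device_fingerprint not in profile.known_devices:
        score += RISK_UNKNOWN_DEVICE
    if ctx.country not in profile.usual_countries:
        score += RISK_UNUSUAL_COUNTRY
    if ctx.timestamp.astimezone(timezone.utc).hour not in profile.usual_hours_utc:
        score += RISK_UNUSUAL_HOUR
    return score


def decide(profile: UserProfile, ctx: LoginContext) -> str:
    """Map the risk score to the least intrusive control that covers it.

    Returns "allow" (no friction), "step_up" (ask for a quick second factor,
    e.g. a biometric) or "full_reauth" (password plus second factor, and the
    event is worth a look from the security team).
    """
    score = risk_score(profile, ctx)
    if score <= THRESHOLD_SILENT:
        return "allow"
    if score <= THRESHOLD_STEP_UP:
        # A biometric the client already verified satisfies the step-up.
        return "allow" if ctx.biometric_passed else "step_up"
    return "full_reauth"


# Constructed sample profile: one known device, US-based, active 13:00-22:59 UTC.
ALICE = UserProfile("alice", {"fp-a1"}, {"US"}, range(13, 23))


def demo() -> list[str]:
    """Run four constructed login events through the decision and return the outcomes."""
    events = [
        LoginContext("alice", "fp-a1", "US", datetime(2017, 11, 29, 15, 0, tzinfo=timezone.utc)),
        LoginContext("alice", "fp-b2", "US", datetime(2017, 11, 29, 15, 0, tzinfo=timezone.utc)),
        LoginContext("alice", "fp-b2", "US", datetime(2017, 11, 29, 15, 0, tzinfo=timezone.utc),
                     biometric_passed=True),
        LoginContext("alice", "fp-b2", "RO", datetime(2017, 11, 29, 3, 0, tzinfo=timezone.utc)),
    ]
    return [decide(ALICE, e) for e in events]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The ordering matters for usability: the known device at a normal hour gets no prompt, the new device gets exactly one quick factor, and only the combination of new device, unusual country and unusual hour forces a full re-authentication. Counting how often each branch fires in production is a cheap way to check whether the thresholds are pushing users toward workarounds.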

Minimum Viable Security
To help product designers, developers, and business owners create secure solutions while focusing on usability, I propose a concept I call "Minimum Viable Security." 

[Figure] Source: Signal Sciences

Let's look at security as a continuum from "no security" to "perfect security" and overlay that with two circles. In one circle, we have levels of security that people will accept in their products before this degrades the usability to an unacceptable degree. In the second circle, we have the levels of security deemed acceptable by security stakeholders. The overlap between these two represents the point where customers and users will accept the solution, and security team members will be satisfied that it meets their requirements. This is the target we're aiming for: the point of minimum viable security, where the solution provides both viable security and maximum usability.

By embracing this concept, businesses can build solutions, applications, and products that provide effective security while maximizing value and utility for customers and users. Security teams can respond more meaningfully to requests for new technologies and services; instead of simply saying no, they can provide guidance for meeting security requirements without impairing usability. When the focus shifts from perfect security to viable security, and usability is treated as an equally vital design priority, organizations can meet the needs of users and the business.

Perhaps most importantly, this more nuanced approach can help reaffirm the credibility of the security team within the organization. Developers and users become more willing to work through proper channels, increasing visibility and control for security teams by reducing the drivers of shadow IT. The security strategy becomes fully operational, not aspirational — and the business gets the protection it needs. 

Tyler Shields is Vice President of Portfolio Strategy at CA Technologies. Prior to joining CA, Shields covered all things applications, mobile, and IoT security as distinguished analyst at Forrester Research. Before Forrester, he managed mobile solutions at Veracode, where he ...
Comments

Joe Stanganelli, User Rank: Ninja
11/29/2017 | 8:38:06 PM
Uber
That desire for features and usability over security works the other way too. Just look at Uber. Uber riders are still riding; Uber drivers are still driving. securitynow.com/author.asp?section_id=613&doc_id=738433&