Digital Identity
by Phil Windley
RFID Essentials
by Bill Glover; Himanshu Bhatt
Security Metrics: Replacing Fear, Uncertainty, and Doubt
by Andrew Jaquith
A GUIDE TO THE PROJECT MANAGEMENT BODY OF KNOWLEDGE (PMBOK® Guide)
by Project Management Institute
Head First iPhone Development
by Dan Pilone; Tracey Pilone
Microsoft Project 2007: The Missing Manual, 1st Edition
by Bonnie Biafore
Mythical Man-Month, The: Essays on Software Engineering, Anniversary Edition
by Frederick P. Brooks Jr.
Human factors and usability issues have traditionally played a limited role in security research and secure systems development. Security experts have largely ignored usability issues--both because they often failed to recognize the importance of human factors and because they lacked the expertise to address them.
But there is a growing recognition that today's security problems can be solved only by addressing issues of usability and human factors. Increasingly, well-publicized security breaches are attributed to human errors that might have been prevented through more usable software. Indeed, the world's future cyber-security depends upon the deployment of security technology that can be broadly used by untrained computer users.
Still, many people believe there is an inherent tradeoff between computer security and usability. It's true that a computer without passwords is usable, but not very secure. A computer that makes you authenticate every five minutes with a password and a fresh drop of blood might be very secure, but nobody would use it. Clearly, people need computers, and if they can't use one that's secure, they'll use one that isn't. Unfortunately, unsecured systems aren't usable for long, either. They get hacked, compromised, and otherwise rendered useless.
There is increasing agreement that we need to design secure systems that people can actually use, but less agreement about how to reach this goal. Security & Usability is the first book-length work describing the current state of the art in this emerging field. Edited by security experts Dr. Lorrie Faith Cranor and Dr. Simson Garfinkel, and authored by cutting-edge security and human-computer interaction (HCI) researchers world-wide, this volume is expected to become both a classic reference and an inspiration for future research.
Security & Usability groups 34 essays into six parts:
Realigning Usability and Security--with careful attention to user-centered design principles, security and usability can be synergistic.
Authentication Mechanisms--techniques for identifying and authenticating computer users.
Secure Systems--how system software can deliver or destroy a secure user experience.
Privacy and Anonymity Systems--methods for allowing people to control the release of personal information.
Commercializing Usability: The Vendor Perspective--specific experiences of security and software vendors (e.g., IBM, Microsoft, Lotus, Firefox, and Zone Labs) in addressing usability.
The Classics--groundbreaking papers that sparked the field of security and usability.
This book is expected to start an avalanche of discussion, new ideas, and further advances in this important field.
Average Amazon.com® Rating:
Based on 10 Ratings
Great for both camps - 2006-08-25
This isn't a typical O'Reilly book, and it's definitely not an "animal" book. I think that's something that's thrown a lot of people for a loop the first time they see this book. That change is good, however, because what O'Reilly has delivered is a book whose contents will stand up much longer and be more useful than most of the books out there on any technical subject, from any publisher. By having various viewpoints in information-rich, manageable pieces so well organized, the book itself is usable both as a read through from cover to cover and as a reference.
Security and Usability (S&U) is targeted at two main camps. The usability camp who doesn't quite understand what a security system is. They think in terms of making the user's experience with the software better, and often that means making the design more accommodating. That's great, and very valuable, but sometimes that's been known to compromise the system's security.
The other camp this book targets is a security application or a security system designer. Often this camp doesn't have a great grasp on usability. We (I think I fall into this category) tend to be power users and build systems that work for power users. When regular users (read: "everyone else") encounter such a system they're usually stuck, and understandably so. S&U introduces many usability concepts and paradigms to the software or system designer and provides a springboard for better results.
Make no mistake, this book won't make you an expert in either field, but it will give you a deeper understanding and a strong foothold at improving both scenarios. If nothing else, it gives both camps the vocabulary to start talking and working together.
One of my favorite chapters in the book outlines how ZoneAlarm was designed and implemented, along with some of its issues along the way. This is a remarkably successful application that achieves both good security design and utility while being usable by a large portion of the population. Such a study - and the book has many similar studies to back up viewpoints - is an invaluable aid in getting the message across.
If you write security software, design security systems, or work with a team that does, by all means look at this book. It will improve your product.
Great collection! - 2006-03-15
I was really hesitant when I got this because I tend to hate collections of academic papers. They're often hard to read, heavily redundant, and jargon filled. This book isn't, and my copy is already dog-eared, and filled with turned-down pages. It is chock full of useful advice, interesting stories, great references, and useful lessons learned. If you build security software, or software with security implications, you should buy this book.
Once you've bought it, it may help to skim the first few chapters, which set the scene, and do contain a fair bit of redundancy, probably unavoidably. If you get bogged down, skip forward, there's lots of great stuff.
[Disclosure: I got a review copy from the authors, but have since bought a copy for someone else.]
VERY VERY HIGHLY RECOMMENDED!! - 2006-06-13
Are you a security researcher or professional? If you are, then this book is for you! Editors Lorrie Faith Cranor and Simson Garfinkel have done an outstanding job of writing a practical book that will help you realize the need for increased security usability in your systems.
Cranor and Garfinkel begin by stating their premise: that security and usability can be synergistic. Then, the editors take an in-depth look at techniques for identifying and authenticating computer users to systems that are both local and remote. They continue by examining how system software can deliver or destroy a secure user experience. Then, the editors explain how this book is devoted to systems that allow people to control the release of their personal information, enabling them to use the Internet in relative anonymity if they so desire. Then, they look at specific experiences of security and software vendors in addressing the issue of usability. Finally, the editors discuss their collection of classic papers on security and usability that everybody should read.
This most excellent book discusses case studies of usable secure system design, along with the latest thinking about how to approach this problem. More importantly, the content of this book will give developers important insights that will lead to successful designs.
Privacy issues affect security design choices - 2006-04-13
Lorraine Faith Cranor & Simson Garfinkel's SECURITY AND USABILITY: DESIGNING SECURE SYSTEMS THAT PEOPLE CAN USE examines the future of computer security with an eye to consider not only the factors which make a system secure, but how privacy design pitfalls, web bugs, and other issues can affect security choices and effectiveness. Most security titles advocate complex systems which are hard to use, but the authors maintain this belief to be wrong, and provide insights into the future of security which presents over thirty essays from leading security experts around the world.
Thought-provoking - 2007-04-11
Excellent book. I work in the security space and ended up talking with folks in our Human Factors department about trying to do some work in this area. Other priorities prevented things from going forward. Now they have been re-organized to another department. Does anyone have any hints on how to "sell" this type of program to folks? This book spurred me to action.
Top Level Categories:
Business
Enterprise Computing
Internet/Online
Security
Software Engineering
Sub-Categories:
Business > Project Management
Enterprise Computing > Security
Internet/Online > Usability
Security > Software Engineering
Software Engineering > Security and Cryptography
Some information on this page was provided using data from Amazon.com®.