Usable Security
Usable security remains a largely unaddressed area in computer science. Although we are familiar with security and usability on different levels, usable security has earned little practical popularity. Recently, organizations have started to focus on usable security. This article explains usable security and gauges its impact on the economy in terms of cyber crimes and breaches in security.
Figure 1: if security is not usable, users may not use security functions as intended.
Computer or network security aims at protecting sensitive information from unauthorized use while still making it available for intended users. Traditional use of security involves use of hard to understand design, architecture and encryption. In times of increased proliferation of the Internet, security is one of the prime concerns of any network. However, maintaining security can be hard for users with technical knowledge let alone casual internet users. Usability aims at making complex software and hardware applications easy to use for casual users. However, usability and security largely remain two separate disciplines. Usable security requires a new approach of system design that simultaneously ensures security and usability. This way, users will be able to perform security functions in a usable manner.
Reasons to shift to usable security from the traditional methods of hard to use security are many. Firstly, usable security reduces the cost of operations for organizations. Helpdesks lose money every time that a user calls them to reset his or her password. Secondly, usable security is more effective since the user has increased control over security. Thirdly, usability of security reduces Internet crimes like Phishing. It can cause significant financial losses. Phishers steal passwords and use them to log into your account and steal credit card information. Sophisticated attacks were made on AOL in its primitive phase. Recently, several US tax payers were fooled into revealing vital personal information. Phishers generated genuine looking fraud emails claiming to be from the Internal Revenue Service (IRS) asking for income tax details of the target. We feel that usable security is required to prevent such cyber crimes.
Now that you know the meaning and need of usable security, it is time to find out how to actually incorporate usable security. Traditionally, online systems use passwords for user authentication. Social networking websites like FaceBook have several breaches in their usable security with the most significant one being use of relatively insecure passwords. Users set the same easy to guess password on several different accounts. This way, if a user's account is compromised, all accounts are at risk.
In an attempt to solve the usability problems of text passwords, Bill Gates has proposed a complete elimination of passwords. Microsoft's usable security solution is a technology called InfoCard which enables the user to manage diverse authentication information from a single place. Instead of passwords, passphrases which allow uppercase, lowercase, numbers and symbols are used. Apart from this, graphical passwords like Passfaces allow for greater levels of security with ease of usability. At the time of registration, users select a number of faces from a given set of faces. When the users login they have to identify the same faces for them to be successfully authenticated. Similarly, in biometric systems a person's biological characteristics like voice, iris or fingerprint are used for easy and secure authentication.
Any security problems, though generated by user error, cannot be blamed on users alone because security is effective only if it can be used easily. Traditionally, engineers believed that the only way of making security usable for common people is to make it completely invisible. However this approach may not be appropriate as users may behave in ways different from the expection of engineers thus compromising security. For better usable security, user interfaces should be carefully designed considering user behavior and security problems arising from it.
