The Enterprise Systems Design Challenge: Security vs. Usability

Security expert Bruce Schneier pulls out an interesting excerpt from the essay “When Security Gets in the Way,” which is sparking great discussion on his Schneier on Security blog. The essay, from Don Norman’s jnd site, debates security vs. usability and addresses design considerations for enterprise security systems. It captures important concerns often discussed in security circles about how to make security stronger without disrupting user behavior. It’s a delicate balance – we often say the most secure computer is the one in a locked room, not powered up, but that would hardly be usable. At Imprivata we have always believed that usability and security don’t need to be mutually exclusive.

As a case in point, the essay highlights password management as an example of the tension between the employee’s desire for ease of use and security’s desire for complexity. The unintended result, of course, is the secondary cost of increased helpdesk calls and the escalating problem of users having to know and enter dozens, if not hundreds, of passwords each day.

The essay concludes with some prescriptive design measures to consider when designing security systems. One I particularly like is the following:

Both security and privacy are difficult problems. We need systems that are easy to use for their intended purposes or by the intended people, but difficult for non-authorized people or uses. For these purposes we need components not normally considered in simple product design: means of authenticating identities or authority, needs and permissions. Some of this will require physical tokens, biometric identifiers, and privately known information. Some of this requires rules and policies, sometimes editable by the user of the system, sometimes only editable by authorized administrators, sometimes buried in the code and unchangeable without significant development costs.


It’s a challenge businesses face each day, and one that emphasizes the role that strong authentication and enterprise single sign-on can serve to unify security and usability.

The essay is a fascinating read and captures a lot of the behind-the-scenes discussions and thinking we at Imprivata go through as we build products that combine the best of security and usability. Check it out.

Also, if you’re really interested in this topic, there is a great in-depth discussion going on in the comments section of Schneier’s security vs. usability blog entry.

David