Friday, 27 May 2016

Justin Bieber and Beyonce are not aliens

Prof Angela Sasse
On Wednesday I was down in London for the 2016 Hopper Colloquium and the 6th annual Karen Spärck Jones lecture. This year the lecture was by Professor Angela Sasse, Director of the UK Research Institute in Science of Cyber Security, speaking on the parlous state of computer security.

Like the previous one of these lectures I attended, this was entertaining, informative, and thought provoking.  In a nutshell: there is a lot known about how to get good computer security; most developers and their companies ignore it, and are ignorant of it.

Take passwords.  We all know that a long strong password, frequently changed, makes for good password security, right?  Wrong!  What is actually needed is a password that the user can remember, changed only when suspicious activity has been spotted, and protected via technological defence in depth.

Unusable security, including multiple long complex changing passwords, is bad security.  If your product is unusable, users will go elsewhere.  If they can’t go elsewhere (you are the only provider, or, more likely, everywhere else is just as bad), they will circumvent the process, thereby making the system less secure overall.  If they can’t circumvent, their productivity will simply plummet.

As Sasse puts it: Users are Not the Enemy.  Usability is not a luxury, to be grudgingly added in when the call centres are groaning under the weight of frustrated callers.  Apparently a major company had a call centre of 100 people doing nothing but reset passwords, and it is not alone.  Talk about productivity plummeting!

The most eye-opening part of the talk was when Sasse described a study of three major companies, who had volunteered to be studied because they had good processes.  In summary, they actually had: no criteria for usability; no user involvement; no usability testing; little or no security testing; no understanding of the impact of the design on productivity or sales; internal security policies violated by their own developers; …

It’s not that usability insights are new.  In 1883, Auguste Kerckhoffs published six principles for secure cryptography; three are about usability!

The solution?  Don’t push the risks onto the users.  Engage with them.  Use technology to provide defence in depth.  Implement only provably effective security policies.  And most of all, convince the developers and their managers that usability is not a luxury: it is an essential security requirement!

Oh, and this post title?  Well, one of the talks at the Hopper Colloquium was about the relationship between post titles and click-throughs.  The result: more click-throughs when the title includes famous people (these two, whoever they may be, were given as examples) and includes a negative.  Let’s see how it works.

Okay, okay.  Click-bait.  I won’t do it again!

