Secure Reads: Security and Usability

Read a review of the book Security and Usability.

Security and Usability
Edited by Lorrie Faith Cranor and Simson Garfinkel
O'Reilly, 714 pages, $44.95

It has become fashionable for information security professionals to blame poorly designed user interfaces as the root cause of many security failures. But until now, little has been available outside of academic literature to support these allegations. Security and Usability could create a paradigm shift in its field. Its editors--Lorrie Faith Cranor and Simson Garfinkel, both academically trained computer scientists--have produced a text that explains one of the most important security concepts: usability issues are inextricably linked to information system security.

Security and Usability introduces infosecurity pros to several new security fields: human-computer interaction, usability design and data privacy. As we move beyond the Stone Age of our profession, only the inflexible or indolent can choose to remain ignorant of these new ways to approach security issues. "The user is the enemy" has become a cliché of times past.

Much of what Security and Usability teaches is far from intuitive. For example, training users to lock their computers when leaving them unattended flies in the face of what sociologists understand about the way trust relationships develop in workplaces, and implies that the user does not trust his nearby coworkers (or that he has something to hide). Both implications are negative, and, as a result, users will typically ignore these security requirements. The book comprises 34 self-contained essays, each its own chapter, organized into six sections: aligning usability and security, authentication, security, privacy, commercial applications, and what are deemed "The Classics." While such a collection risks becoming a disjointed hodgepodge, the editors have skillfully harmonized the chapters. The assumed level of theoretical computer science background is low, but the reader is expected to bring at least a moderate understanding of information security threats and countermeasures--not an unreasonable expectation considering the audience.

Any required reading list for information security professionals should include Security and Usability. For those driven to improve the state of the art of the profession, this book is a keystone. It cannot alone provide answers to the subtle and only partially understood interplay of usability and security; however, it illuminates the issues, providing the practitioner with research references and arming the reader with the humility to engage a usability specialist when designing a security system.

--Patrick Mueller

Top Shelf
Visit SearchSecurity.com's Information Security Bookshelf for chapter downloads from these books and more.

Penetration Testing and Network Defense
By Andrew Whitaker and Daniel Newman
Cisco Press

The Chief Information Security Officer's Toolkit: Governance Guidebook
By Fred Cohen
Fred Cohen & Associates

A Business Guide to Information Security
By Alan Calder
Kogan Page

Extrusion Detection: Security Monitoring for Internal Intrusions
By Richard Bejtlich
Addison-Wesley Professional

Web Security, Privacy & Commerce, Second Edition
By Simson Garfinkel with Gene Spafford

Web Feedback
Tell us what you think of our book reviews or the titles on our online bookshelf. Send your comments to feedback@infosecuritymag.com or enter your thoughts on SearchSecurity.com's Sound Off.

"If you need to learn about the principles of intrusion prevention, [Regarding Intrusion Detection] is a great tutorial."
--Emmanuel Vlastakis, Defense Information Systems Agency
For a sample chapter of Ed Amoroso's Regarding Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response, visit searchsecurity.com/bookshelf.

This was last published in January 2006