Core Principles for Making Security Technology Usable
In the context of security, usability is crucial for ensuring that individuals can effectively engage with security practices that protect data, information, and technology. As emphasized by Sasse and Flechais in their 2005 book chapter “Usable Security: Why Do We Need It? How Do We Get It?”, usability is not in competition with security but is essential for its effectiveness. They outline three key arenas where usability must be considered: product, process, and panorama.
1. Product: Security Mechanisms
- Usability of Security Mechanisms: The usability of security mechanisms, such as password management, two-factor authentication (2FA), and privacy settings, is critical. Sasse and Flechais argue that these mechanisms must be designed with the user’s perspective in mind, considering the physical and cognitive overhead required to use them effectively.
- User Journeys: Designers should account for the various ways users interact with the software, known as user journeys, and ensure that the security mechanisms are aligned with these journeys.
- Social and Cultural Acceptance: Even if a security mechanism is usable, it must also be socially and culturally acceptable. For instance, in some cultures, sharing passwords or devices is common, which may conflict with security practices that require individual password protection.
- Affordability: The cost of implementing security measures must be considered to ensure that they are accessible and usable by a broad audience. If a security control is too expensive, it may not be usable for all intended users.
2. Process: Decision-Making in Security
- Inclusive Decision-Making: Usability also extends to the processes involved in implementing security controls. Sasse and Flechais emphasize the importance of representation in decision-making, ensuring that all stakeholders, particularly those who will be using the controls, have a voice in the process.
- Setting Requirements: The decision-making process should consider the needs of all stakeholders when setting requirements for security controls. This approach ensures that the controls are practical, effective, and aligned with the users’ abilities and needs.
3. Panorama: The Wider Context
- Positive Security Culture: A positive security culture is necessary for motivating individuals to adopt effective security behaviors. Sasse and Flechais define this culture as one where the protection of data, information, and technology is prioritized, and there is an appreciation of potential threats and the importance of countering them.
- Training and Education: To sustain a positive security culture, ongoing security training and education are essential. These efforts help individuals understand the importance of security practices and how to implement them effectively.
- Considering Constraints: The design of security controls must also consider the broader economic, social, and political constraints. Engaging with these constraints ensures that the security measures are realistic and can be effectively implemented in different contexts.
Conclusion
Sasse and Flechais argue that when individuals fail to exhibit desirable security behaviors, it is often because the behaviors are either too difficult to perform or because the individuals do not see the value in performing them. Usable security creates an environment where individuals are more likely to adopt and maintain the required behaviors by fostering a positive security culture, involving all stakeholders in the decision-making process, and designing security controls that are aligned with the goals of the organization and its users.
Book Reference
For further reading on these concepts, the following reference is recommended:
Sasse, M.A., & Flechais, I. (2005). Usable Security: Why Do We Need It? How Do We Get It? In L.F. Cranor & S. Garfinkel (Eds.), Security and Usability: Designing Secure Systems That People Can Use (pp. 13–30). Sebastopol, CA: O’Reilly Media.
This chapter provides foundational insights into the importance of usability in security design and offers practical guidelines for making security controls more user-friendly and effective.