Building Usable Security

One the most overlooked aspects of application security is usability. Users are often the weakest link in a software system. If security controls embedded in software systems hinder users’ ability to accomplish their tasks, users will ignore or try to bypass such controls, a common occurrence in today's systems. Building usable security functions is a significant component of building secure systems.

Security engineers generally lack experience in usability engineering. One of the main reasons why application security violations continue to rise, is the fact that many deployed security mechanism are not user friendly, limiting their effectiveness. Unless engineers start thinking more about how to make security more usable, progress in securing systems will be limited.

Many people believe that there is an inherent tradeoff between security and usability. However, that does not have to be the case.

Since today most security pop-ups are overlooked, most scan reminders are ignored and most updates are automated or not taken care of. In such a situation, it becomes important for the developers to come up with workable solutions. These could be by making security more understandable and usable through the following ways: •Invisibly strengthening security i.e working behind the scenes- Strengthening the spam filters and various algorithms used to scan attachments, emails and downloads i.e strengthening the anti-virus software algorithms and training them to work better. •Making security understandable- Various tools like Spoofguard and others may be helpful in making the user realize when he/she faces a threat. Security pop-ups when a malicious script is executed or the browser address bar turning red incase of an insecure website being accessed are some possible ways. •Training the user- Various web and mobile applications today aim to train the user to make them realize what an actual threat looks like and how to cope with it. A system generated phishing email could be sent to users who on clicking the link, reach a page which educates them about the consequences if the email had really been a phishing link is an example.