Usable security for better cyber security
The only way to make any system 100% secure – for cyber security or otherwise – is to make it completely inaccessible. Even Fort Knox or the Crown Jewels in the Tower of London are accessible, so clearly a compromise must be reached for reasons of practicality. That compromise is called usable security.
Usable security is all about that compromise, and about ensuring that human factors are considered and included as part of the design of cyber security and network security systems. This web page is the one to give to your boss or anyone else who doesn't have much time, but wants to know the basic usable security facts.
Definition of Usability
Usability is a quality attribute that assesses how easy user interfaces are to use. The word “usability” also refers to methods for improving ease-of-use during the design process. Usability is defined by 5 quality components:
- Learnability: How easy is it for users to accomplish basic tasks the first time they encounter the design?
- Efficiency: Once users have learned the design, how quickly can they perform tasks?
- Memorability: When users return to the design after a period of not using it, how easily can they reestablish proficiency?
- Errors: How many errors do users make, how severe are these errors, and how easily can they recover from the errors?
- Satisfaction: How pleasant is it to use the design?
There are many other important quality attributes, a key one being utility, which refers to the design's functionality, i.e. does it do what users need?
Usability and utility are equally important and together determine whether something is useful: it matters little that something is easy to use if it's not what you want. It's also no good if the system can hypothetically do what you want, but you can't make it happen because the user interface is too difficult. To study a design's utility, you can use the same user research methods that are used to improve usability, and the findings inform usable security.
Usability & the Internet
Why Usability is Important on the Internet
Usability is a necessary condition for survival. If a website is difficult to use, people leave. If the homepage fails to clearly state what a company offers and what users can do on the site, people leave. If users get lost on a website, they leave. If a website’s information is hard to read or doesn’t answer users’ key questions, they leave.
Note a pattern here? There’s no such thing as a user reading a website manual or otherwise spending much time trying to figure out an interface. There are plenty of other websites available; leaving is the first line of defence when users encounter a difficulty. The first law of e-commerce is that if users cannot find the product, they cannot buy it either.
For internal IT systems, usability is a matter of employee productivity. Time users waste being lost on your IT systems or pondering difficult instructions is money you waste by paying them to be at work without getting work done.
How to Improve Usability
There are many methods for studying usability, but the most basic and useful is user testing, which has 3 components:
- Get hold of some representative users, such as customers for an e-commerce site or employees for an internal system (in the latter case, they should work outside your department).
- Ask the users to perform representative tasks with the design.
- Observe what the users do, where they succeed, and where they have difficulties with the user interface.
Once you understand these 3 components, you can design usable security into your systems, thereby providing improved, practical cyber security and network security.