Are Usability and Security Two Opposite Directions in Computer Systems?
Konstantin Rozinov
krozinov@gmail.com
Department of Computer and Information Science
Polytechnic University
Brooklyn, NY 11201
Abstract
Instinct tells us that computer security and computer usability are inversely proportional to each other: the tougher and stricter the security, the less usable the system, and vice versa. However, there have been plenty of cases where computer security and computer usability went hand in hand and actually improved together. In the last few years security has been the biggest buzzword in computer systems and, as such, has become part of our computer systems. Before that, computer systems were all about getting the job done faster and easier; now they must also do it securely. Can the two continue growing together? We believe they can, as evidenced by the most recent Indian Assembly Election.
1. Introduction
The question of whether usability and security are two opposite directions in computer systems is not a trivial one to answer. It requires careful analysis rather than a reflexive yes or no. This question has been around since the beginning of computing, and can even be said to date back to biblical times.1
In this essay we will analyze and try to answer this question by clearly defining usability and security in Section 2,
giving clear examples of where the two have complemented each other in Section 3, and where they have been at odds with
each other in Section 4. In Section 5, we will present our conclusions.
2. Background Information
In order to begin to answer this question, it is important first to define the terms computer security and computer usability, so that we know exactly what each refers to and there is no ambiguity. It will also make it easier to recognize when the two ideas are at odds with each other and when they complement each other.
What is computer security? This seemingly simple question is extremely difficult to answer in a concise and all-encompassing manner. Depending on who you ask, you’ll get different answers. If you ask one end-user, you may hear something like “computer security is me being able to buy books on Amazon.com without worrying that my credit card number will be stolen.” If you ask another end-user, you may hear “computer security is me being able to read my email without getting a virus.”
If you ask a developer, you may hear something like “computer security revolves around developing robust applications from the ground up, with no bugs (buffer overflows, off-by-one errors, format string vulnerabilities, etc.) and a well-tested, safe design.” If you ask a system administrator, you may hear something like “computer security is having only the necessary services running, system patches up to date, and file permissions set up correctly.” And if you ask a network administrator, you may hear something else, such as “computer security starts at the perimeter of the network, with the firewalls, proxies, and routers properly configured to allow only certain things in.” This list can go on and on.
As you can see, the term “computer security” has vastly different meanings depending on who you ask. But for the purpose of this essay we can succinctly define computer security as follows:
Computer security is defined as technological and managerial procedures applied to computer systems
to ensure the availability, integrity and confidentiality of information managed by the computer system.2
Matt Bishop, a well-respected Computer Science professor at UC-Davis, agrees, stating that “computer security rests
upon confidentiality, integrity, and availability.” He goes on to define confidentiality as “the concealment of information or
resources,” integrity as the “trustworthiness of data or resources,” and availability as “the ability to use the information or
resource desired.”3
Now that we’ve defined computer security, let’s define computer usability. Most people know when something is user-friendly and thus easy to use, and when something is not. This can range from an easy-to-use graphical user interface (GUI) to an ergonomically shaped mouse and keyboard. It can also mean easy and quick access to relevant information (e.g. an old e-mail) or just a simple interface with a small learning curve (e.g. a simple PDA interface). All of these are part of computer usability. However, for the purpose of this essay, let’s formally define computer usability as follows:
Usability is the measure of the quality of a user's experience when interacting with a product or
system - whether a Web site, a software application, mobile technology, or any user-operated device.
Usability is a combination of factors that affect the user's experience with the product or system,
including ease of learning, efficiency of use, memorability, error frequency and severity, and subjective
satisfaction.4
A highly usable system is one that is easy to learn, easy to use, easy to remember how to use, easy to recover from errors in, and liked by its users.
At this point we have a clear understanding of what computer security and computer usability are.
3. Examples of How Security and Usability Are Inversely Proportional
It has often been said that “security and usability are often inversely proportional.”5 In other words, the more security
you add to a system, the less usable it becomes, and vice versa. Let’s take a look at several examples of this.
First, let’s look at P2P networks and search engines. The advent of peer-to-peer (P2P) networks has improved usability, specifically in how easily people share and acquire data (simply connect and type in what you’re looking for). But at the same time, the (lack of) security of these applications has made the security of the computer system virtually non-existent. For example, many users of P2P networks don’t realize that they are sharing their entire drive, and thus a lot of private personal information, with the rest of the world. Everything from credit card numbers and family photos to bank records and personal letters can be and has been unintentionally shared through P2P networks.6 You can say goodbye to the confidentiality of your data if you misconfigure your P2P software.
Similarly with Google (and other search engines): even supposedly “hidden” private and personal sites and files on the web are gobbled up by these spiders and cached for easy reference. For example, simply typing the search term "# FrontPage-" inurl:service.pwd into Google returns many password files.7 Unless the user proactively protects his/her data, no data can be assumed safe and “hidden” from a search engine. Note that a robots.txt file only asks well-behaved crawlers to stay away; it does not restrict access, and it advertises the paths it lists, so a password or real access control is the only protection that counts.
Now let’s take a look at basic UNIX file permissions. Say we have an Apache web server running on a UNIX box. Typically Apache runs as the user nobody and the group nobody and thus has limited access to various files. Now suppose a web form served by this Apache web server stores the user’s input in a file. In this particular case, the rules stipulate that all the data in this file must be kept confidential and pristine from everyone except the intended parties. This means that security must be in place to provide the confidentiality and integrity of this data. One simple way to achieve this is via UNIX file permissions. First we make this file owned by the user nobody (so that Apache can read and write to it). Then we change the permissions of the file so that it is readable and writable only by the user nobody, as such:

    -rw-------  1 nobody  nobody  1242 Aug 14 01:56 data.txt

So the confidentiality and integrity of the file are enforced, and only root and Apache can access it (normal users do not share the user ID of nobody). However, how does this affect usability? In this case, if a webmaster (user: webmaster) needs to read or modify this file, he/she simply can’t. The webmaster would first have to elevate his/her privileges to root or nobody (which requires a password and possibly membership in the wheel group), and only then could he/she read and write the file. This poses an inconvenience and thus makes the system harder to use and harder to remember how to use. In addition, when the webmaster elevates his/her privileges, the password may be “sniffed” if a clear-text protocol such as telnet is being used to connect to the system. So this also poses a security threat.
This leads us into our next example, the use of telnet. Most UNIX and Windows systems today come with telnet pre-installed. This adds to the convenience and usability factor because the administrator or user can remotely access other systems. But it throws security out the window. Telnet is a clear-text protocol, meaning that a sniffer such as tcpdump (or an intrusion detection system such as Snort) can read and understand all the traffic passed between the two systems. So any information, including user logins and passwords, can be intercepted and viewed. Thus all three aspects of computer security (confidentiality, integrity, and availability) are at risk in this case: once the login information is known, all of the user’s files can be viewed, modified or deleted, affecting confidentiality, integrity and availability respectively.
To counter this threat, many administrators and users now use SSH, which is similar to telnet but encrypts all the information sent between the two systems (and, if host keys are verified, lets the client authenticate the server as well). However, to use SSH, you must first download it, install it, configure it, learn how to use it, and remember to use it (the hardest part for most users). This detracts from the usability of the system and product, but at the same time adds security to the system.
Another example is macros in Microsoft Office documents. Macros are small programs embedded inside documents and used to automate frequent tasks. Ideally, they enhance the user experience and provide better computer usability. In the past, macros often ran automatically when a document was opened, and initially this proved to be a very convenient and usable feature. However, with time, macro viruses began to appear in the wild. These were nothing more than macros that spread automatically and/or did something malicious. Since macros could execute automatically when a document was opened, these viruses spread quickly and caused a lot of damage. To mitigate this threat, Microsoft updated its software to present a dialog box asking the user whether to enable or disable macros for a particular document. Most users had no idea what macros were and did not understand the ramifications of executing them. They would get confused and discouraged by these prompts or, worse, make incorrect decisions, and subsequently productivity would go down. The complexity of this security measure implemented by Microsoft reduced the usability of the product.
Our next example deals with passwords. Wouldn’t it be nice not to have to remember passwords but still be assured of the security of the system and the data on it? That would definitely improve usability. That is why developers started working on Passfaces, or visual passwords. Instead of remembering letters, numbers, and special characters, users would remember faces or other images (since people seem to remember faces and images better than strings like #$Fl0r^d@). The goal was for security to stay the same (or even improve) while usability went up. However, a field study by the Computer Science Department of University College London found the opposite to be true:
On the computer facilities regularly chosen by participants to log in, Passfaces took a long time to
execute. Participants consequently started their work later when using Passfaces than when using
passwords, and logged into the system less often. The results emphasize the importance of evaluating the
usability of security mechanisms in field trials.8
4. Examples of How Security and Usability Go Hand In Hand
To see how computer security and computer usability can complement each other in a system, let’s take a look at Microsoft’s Xbox gaming system and Xbox Live online service. Xbox is nothing more than a computer system with special video and network enhancements to make it more game-friendly. Xbox Live is Microsoft’s online service that allows Xbox gamers to play against each other. Recently, the Xbox Live team discovered that modified Xbox consoles were connecting to the service and allowing players to cheat. It is best to quote Major Nelson, Director of Programming for Xbox, on this discovery:
The Xbox Live team has noticed and received reports from the Xbox Live community about users
connecting to the Xbox Live service using modified Xbox consoles. In most cases, these users have used
the modifications to gain an unfair advantage over other players, such as racing modified, faster cars in
Project Gotham Racing 2. By doing this, users are breaking the Terms of Use that must be agreed to when
a gamertag is created. The Xbox Live team will not tolerate this unfair activity and have taken steps to
protect our community from this cheating.
Xbox Live has recently initiated additional security measures to ensure that those connecting to Xbox
Live with modified hardware will be removed from the system. Modified consoles will be banned, and
information about those banned machines will be tracked to prevent them from connecting to the service
again.
It’s important to the Xbox Live team that we work to provide an environment that is free of cheating
and gives all players an opportunity to compete fairly online, and that's why I wanted to ensure that the
community knows this. Xbox Live constantly monitors for users attempting to bypass security measures
and gain unfair advantages over other players, and will take additional action as needed.9
So with newly added security mechanisms and policies, the Xbox Live service increased its usability by preventing cheating and improving the service. Specifically, usability improved because gamers were given a level playing field, and both the trustworthiness of the service and user satisfaction increased.
The rapid growth of the personal firewall industry is evidence that people are becoming more security-conscious and aware of the threats. We believe personal firewalls have improved the usability of computer and software systems immensely. Initially there may be a small learning curve in acquiring, installing, and configuring the personal firewall, but that is the same with any new product. Today’s personal firewalls are very easy to use and have good manuals and tutorials on how to configure them correctly, so their effectiveness is only growing. In addition, the default settings of most of these products make sure that the firewall is started at boot time (and with Service Pack 2 for Windows XP, the firewall is installed and on by default). Prior to personal firewalls, users and administrators were never really sure whether there were covert network connections coming to and going from the computer, or which applications accessed the Internet without their permission. Security of the computer system was greatly diminished, as was its usability.
Prior to personal firewalls, you could never really tell whether a malicious program on your computer was sending your personal files to someone on the other side of the world; thus confidentiality could be compromised and you would never know. Similarly, you could never be sure whether a program was listening, waiting to upload something onto your computer, thus violating the integrity of your system. Availability could also be diminished, since an attacker could use your machine as a staging point for a DDoS (Distributed Denial of Service) attack, flooding another host with packets and effectively preventing legitimate connections. Now a user has much greater control over which ports are opened, which applications can access the network, which applications can accept connections from the network, and even which users or hosts can access the network. In terms of usability, the administrator is more satisfied that he/she has more control over the system, worries less about unexpected connections, and doesn’t have to remember to activate the firewall, since it’s always on. This directly improves the usability of applications and computer systems, and the user feels more comfortable using them. At the same time, security has been improved because the user has much greater control over his/her applications and systems. (A host firewall only constrains what it can see, though: malware running with administrative rights can switch it off, and anything permitted to reach the web can carry data out over the same allowed port.)
Another example of where security and usability grew together is the adware/spyware and pop-up arena. Adware and pop-ups are advertisements that appear in a small window when you visit (or leave) a website, when you boot up your computer, or at random times. Spyware is software that sends personal information about you (such as your surfing habits, keystrokes, emails, documents, etc.) back to companies or individuals who can then use or sell this data for monetary gain. They have affected all three aspects of computer security: confidentiality, by letting others see your private data; integrity, by posing as innocuous programs that actually betray your trust and “spy” on you; and availability, by eating up memory and CPU resources and sometimes even crashing your system. We believe pop-up blockers and anti-spyware applications are among the most useful recent developments in computing. They have improved usability countless times for countless users. Before them, it was very difficult, if not impossible, to surf the Internet with dozens of pop-up ads appearing every time you visited a website or booted up your computer. They would consume memory and CPU time and sometimes even crash the system, diminishing usability considerably. You were never sure whether your keystrokes were being logged or your personal data was being sent to someone else. Thus the user would eventually lose trust in the system and start to dislike using it. With the advent of pop-up blockers and spyware detection and removal tools, security was improved as well as usability, as trust in the system was retained.
Another example of a successful synergy between computer security and computer usability is role-based access control (RBAC), present in Security-Enhanced (SE) Linux and Solaris 8. For system and network administrators, the use of roles and domains has given them much greater flexibility in allocating permissions to do various things. For example, in SELinux:
Each process has an associated role. This ensures that system processes and those used for system
administration can be separated from those of ordinary users. Each user role has an initial domain that is
associated with the user's login shell. As users execute programs, transitions to other domains may,
according to the policy configuration, automatically occur to support changes in privilege.
The type enforcement component defines an extensible set of domains and types. Each process has an
associated domain, and each object has an associated type. The configuration files specify how domains
are allowed to access types and to interact with other domains. They also specify automatic transitions
between domains when programs of certain types are executed. Such transitions ensure that system
processes and certain programs are placed into their own separate domains automatically when executed.10
Security and usability are improved simultaneously. Security is improved because this greatly enhances the “all or nothing” access control of traditional UNIX (you’re either root or a non-root user) with roles and domains that give the administrator fine-grained control. Usability is improved because, for example, a webmaster no longer has to know the root password and su to root to read the data file that the Apache web server uses (see Section 3). The webmaster user can simply hold a role that is allowed access to all files in the web server’s document directory and is allowed to reconfigure and restart the web server.11
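The following Python model is an added example, not code from this essay or from the SELinux project: it implements the decision logic the quoted passage describes (default-deny allow rules, automatic domain transitions when a program of a given type is executed, and roles that authorize domains) for the webmaster scenario. Every identifier in it (webmaster_r, webmaster_t, httpd_t, httpd_exec_t, httpd_data_t, user_t) is an assumed name for illustration; real policy is compiled and enforced by the kernel.

```python
"""Added example, not from the essay or from the NSA SELinux document:
a toy model of roles, domains, types, allow rules and automatic domain
transitions.  All identifiers (webmaster_r, webmaster_t, httpd_t,
httpd_exec_t, httpd_data_t, user_t, ...) are assumed names; real policy
is compiled and enforced in the kernel, this only shows the decision logic.
"""
from collections import defaultdict


class TEPolicy:
    """Default deny: anything without an allow rule is refused."""

    def __init__(self):
        self.allow_rules = defaultdict(set)   # (domain, type, class) -> perms
        self.transitions = {}                 # (domain, exec type) -> new domain
        self.roles = {}                       # role -> (initial domain, authorized domains)

    def allow(self, domain, target_type, obj_class, perms):
        self.allow_rules[(domain, target_type, obj_class)] |= set(perms)

    def type_transition(self, domain, exec_type, new_domain):
        self.transitions[(domain, exec_type)] = new_domain

    def role(self, name, initial_domain, extra_domains=()):
        self.roles[name] = (initial_domain, {initial_domain, *extra_domains})

    def initial_domain(self, role):
        """Domain of the user's login shell for this role."""
        return self.roles[role][0]

    def permitted(self, domain, target_type, obj_class, perm):
        return perm in self.allow_rules.get((domain, target_type, obj_class), ())

    def execute(self, role, domain, exec_type):
        """Exec a file of type exec_type from `domain` under `role`.

        Returns the domain the new process runs in, or None if denied.
        With no transition rule the program keeps running in the caller's
        domain.  A transition additionally needs process:transition on the
        target domain, file:entrypoint for the new domain, and the role
        must be authorized for the new domain.
        """
        if not self.permitted(domain, exec_type, "file", "execute"):
            return None
        new_domain = self.transitions.get((domain, exec_type))
        if new_domain is None:
            return domain
        ok = (self.permitted(domain, new_domain, "process", "transition")
              and self.permitted(new_domain, exec_type, "file", "entrypoint")
              and new_domain in self.roles[role][1])
        return new_domain if ok else None


def build_web_policy():
    """Assumed policy for the webmaster scenario discussed in the text."""
    p = TEPolicy()
    p.role("webmaster_r", "webmaster_t", {"httpd_t"})
    p.role("user_r", "user_t")
    # Apache's domain reads and writes its data file and nothing else here.
    p.allow("httpd_t", "httpd_data_t", "file", {"read", "write"})
    p.allow("httpd_t", "httpd_exec_t", "file", {"entrypoint"})
    # The webmaster domain may edit the data file directly, no root needed...
    p.allow("webmaster_t", "httpd_data_t", "file", {"read", "write"})
    # ...and may (re)start Apache, which automatically transitions to httpd_t.
    p.allow("webmaster_t", "httpd_exec_t", "file", {"execute"})
    p.allow("webmaster_t", "httpd_t", "process", {"transition"})
    p.type_transition("webmaster_t", "httpd_exec_t", "httpd_t")
    # An ordinary user may run the binary, but with no transition rule it
    # stays in user_t, which has no rule on httpd_data_t at all.
    p.allow("user_t", "httpd_exec_t", "file", {"execute"})
    return p


def webmaster_scenario():
    """Evaluate the accesses the text contrasts: webmaster vs. ordinary user."""
    p = build_web_policy()
    wm, usr = p.initial_domain("webmaster_r"), p.initial_domain("user_r")
    return {
        "webmaster writes data file": p.permitted(wm, "httpd_data_t", "file", "write"),
        "user reads data file": p.permitted(usr, "httpd_data_t", "file", "read"),
        "webmaster runs httpd in": p.execute("webmaster_r", wm, "httpd_exec_t"),
        "user runs httpd in": p.execute("user_r", usr, "httpd_exec_t"),
        "that process reads data file": p.permitted(
            p.execute("user_r", usr, "httpd_exec_t"), "httpd_data_t", "file", "read"),
    }


if __name__ == "__main__":
    for check, result in webmaster_scenario().items():
        print(f"{check}: {result}")
```

Two points of the quoted passage fall out of the model: the webmaster reaches the data file through its own domain rather than through root, and the same httpd binary confines itself differently depending on who launched it, because the transition, not the caller's privilege, decides which domain the server runs in.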
Another example of how computer usability can grow with computer security is the new anti-virus products on the market. The newer ones, like Symantec’s Norton Anti-Virus 2004, provide real-time protection that is fast and almost unnoticeable by the user. In other words, it integrates well with the existing user environment. “Auto-Protect,” as it’s known in Norton Anti-Virus, is described as follows:
Auto-Protect loads when you start your computer to guard against viruses, Trojan horses, worms, and
other malicious threats. It checks programs for viruses as they are run and monitors your computer and
removable media for any activity that might indicate the presence of a virus. When a virus or virus-like
activity is detected, Auto-Protect alerts you.12
Security is enhanced for obvious reasons, but usability is also enhanced because the user can use the computer system in a more worry-free fashion. The user can be reasonably assured that the majority of known viruses arriving by e-mail or from web sites will be caught and removed automatically before they can do damage (a signature-based scanner only catches what it has signatures for, so keeping the definitions current is part of the bargain). In addition, the user interface of this particular product is very simple and easy to navigate, so the learning curve will be small.
5. Conclusions
Although in the past it has usually been the case that computer security and computer usability have been inversely
proportional, we believe this trend is starting to change. Security has been the most important issue in the computing
industry for the last couple of years. Prior to that computer systems were designed to do things as fast as possible and as
easily as possible (to reduce costs). Now computer systems and all of their components (software, hardware, networks,
etc.) have to do it securely as well (once again to reduce threats and possible costs). You can see this trend in all aspects of
computer systems, from system and network administration to personal desktop users installing and using personal
firewalls, pop-up blockers, and anti-virus solutions. The vendors see this trend and consequently provide easy-to-learn and
easy-to-use user interfaces that still provide effective computer security.
We believe this trend of combining secure computing with ease of use, speed, and quality will not go away, but will instead grow in the next few years. Perhaps this is most evident in the most recent Indian Assembly Election, which took place this past May.13 This was a clear example of how security and usability can co-exist. The election was conducted entirely on electronic voting machines, which were simple, fast, and easy to use for the hundreds of millions of voters who participated. At the same time, their simplicity added to their security: they did a few simple things really well instead of a lot of different things poorly. The usability of this system was extremely good, as only about 100 polling sites (out of tens of thousands) had to conduct the election again, which shows that the error frequency of the system was very low. Now if only Diebold could learn something from our Indian friends.
References
1. F. Avolio. Internet Security and Usability: Who's Winning? http://www.avolio.com, 2001.
2. Texas State Library and Archives Commission. http://www.tsl.state.tx.us/, 2001.
3. M. A. Bishop. Computer Security: Art and Science. Addison-Wesley, 2002.
4. U.S. Department of Health and Human Services: Usability. http://www.usability.gov, 2004.
5. Security Axioms. http://www.avolio.com/papers/axioms.html, 2004.
6. See What You Share on P2P. http://www.seewhatyoushare.com, 2004.
7. “I’m Johnny. I hack stuff.” http://johnny.ihackstuff.com, 2004.
8. S. Brostoff and A. Sasse. Are Passfaces more usable than passwords? A field trial investigation. In S. McDonald et al. (Eds.), People and Computers XIV - Usability or Else, Proceedings of HCI 2000, Sunderland, UK, pp. 405-424, 2000.
9. Major Nelson’s Random Thoughts: Xbox Live Security. http://www.majornelson.com/blog/2004/10/xbox-livesecurity.html, 2004.
10. SELinux: Security Policy Abstractions. http://www.nsa.gov/selinux/info/policy.cfm, 2004.
11. This is clearly exemplified in the following two articles:
   • K. Rozinov. SUMMARY: RBAC on Solaris. http://www.sunmanagers.org/pipermail/sunmanagers/2000December/000589.html, 2000.
   • P. B. Galvin. Role-Based Access Control. Sys Admin Magazine, 2001.
12. Symantec Help Center. Auto-Protect Description. 2004.
13. Techaos. Indian EVM compared with Diebold. http://techaos.blogspot.com, 2004.