In this series of blog entries I’ve been discussing human factors engineering in information security, why it is so important, and the kinds of usability engineering flaws that can be found in so many information security tools. I’d like to shift gears a bit, so to speak, and talk about some usability issues related to passwords. Before I go any further, I need to apologize for bringing up the topic of passwords, which I believe are (because of the many inherent exposures associated with them) little more than a dead end from a security point of view. But for various reasons, unfortunately, passwords are likely to continue to be used in authentication for the foreseeable future, whether we like it or not. Read more…
Network Security
I’m constantly amazed by the claims many security product vendors make about how user friendly their products are. In my estimation some of them have acceptable usability levels, but many do not. I frequently notice usability design flaws such as highly cluttered graphic displays, unnecessarily complicated interaction steps, long lists of items in tables without any indication whatsoever of the status or meaning of each item other than the name, the need to frequently change from one input device to another, and difficult-to-read display output. Yet as I have said before, usability is hugely important in information security-related tasks.
One area of usability engineering to which security product vendors need to pay much more attention is accommodating different levels of users’ skills and knowledge. Too often a product accommodates only naïve users or only sophisticated users, but not both. Ideally, vendor products should have two parallel interfaces, one that is “pick and click” in nature, and another that accommodates power users. As far as accommodating naïve users goes, the user interface should be so transparent to them that hardly any training whatsoever should be necessary. Power users usually like command languages that allow them to accomplish sophisticated actions with only a few keystrokes. The command language must nevertheless be very intuitive and consistent in its syntax. Read more…
Human factors engineering, often also called usability engineering, focuses on optimizing the interaction between humans and the tasks they perform. Starting in 1999, several information security professionals, myself included, have argued that much greater attention to usability considerations in information security is needed. Two of the first such individuals were Whitten and Tygar, who in 1999 published (in the paper “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0,” presented at the USENIX Security Symposium) results of a usability analysis of and user testing on version 5.0 of PGP (Pretty Good Privacy), a program used to encrypt and digitally sign e-mail messages. Only users who were inexperienced in using cryptography were allowed to participate in this study. They were told to use PGP to encrypt, digitally sign, and send e-mail messages. An evaluation of users’ attempts to use this tool in this manner uncovered user interface design flaws that greatly increased the likelihood of user errors in interaction steps. When given 90 minutes to sign and encrypt an e-mail message using PGP 5.0, most users could not successfully complete this assignment. Whitten and Tygar concluded that even though PGP 5.0 has an attractive graphical user interface and superficially appears to be user friendly, for most users this tool is not sufficiently usable to be effective from an information security perspective. Read more…
If you have been reading my blog entries for a while, you know that I very much value certain information security-related certifications, particularly the CISM, CISSP and GSEC certifications. When I first entered the information security arena, these certifications were not available. I wish that they had been, as the information a person who is studying for a certification test must learn is extremely helpful in the real-life practice of information security. I am confident that I would not have made quite a few of the mistakes and omissions I have made over the years had I been privy to such information. Additionally, of the “big three” certifications that I just mentioned, I have taught or currently teach two of the three preparation courses for them, and will soon be teaching the prep course for the third. I must confess that although I think that my teaching these courses helps those who attend learn some very valuable principles and facts, teaching these courses has also helped me immensely. How? It has filled in missing details in my understanding of certain principles and also my knowledge in certain technical areas. Principles in the CISM examination preparation course have, for example, taught me how to “make the sale” of information security to senior management, something that I really did not know before I started teaching this course. Read more…
Several University of Michigan security researchers conducted a study in which the on-line Web sites of over 200 banks were analyzed. The researchers reported that 76 percent of these sites have faulty security practices that leave their customers at elevated risk of fraud and information theft. Some of these practices include requiring customers to use email addresses or Social Security numbers as login names, redirecting customers’ connections without informing them, displaying icons that indicate to customers that connections are secure when they are in fact not secure, and so on. The names of the banks were not disclosed. Read more…
In IT security many known and reasonably proven security control solutions (network traffic filtering, encryption, access control lists, and much more) exist. Strangely, one very powerful solution, IT standardization, too often gets overlooked when people consider various control solution options. A good example is chapter three of the CISM examination preparation manual, much of which covers IT security technology. This chapter mentions many security technology options but, strangely enough, does not mention IT standardization as a viable security control measure. In this respect, this manual (which, by the way, I very much like overall) is by no means unique. IT standardization is a proven way to cut IT costs, but as a security control this measure too often gets too little notice. Read more…
Many of my friends (as well as myself) are chief information security officers (CISOs). Whenever we talk, the topic of resources for information security (or, more precisely, the lack of resources) seems to come up. CISOs who have served in this position for a while get a kind of gut feeling concerning the level of resources needed to reduce information security risk to an acceptable level. Inevitably, the amount they are granted never matches the amount needed. Information security professionals are constantly struggling to obtain a sufficient amount of resources. Read more…
A recent news item described a story about Virgin Media sending warning letters to roughly 800 of its customers, cautioning them to avoid downloading illegally copied materials. Virgin Media’s effort is in connection with the British Phonographic Industry’s (BPI’s) campaign to identify illegal file sharers and then report them to Virgin Media, which has agreed to send out warning letters such as the ones it recently sent.
I am very sympathetic to the current plight of both the recording and movie industries, both of which lose huge amounts of money due to piracy. Despite legislation designed to protect both of these industries by punishing individuals who illegally copy and share music and movies, the situation has, if anything, gotten worse. It is easy, therefore, to understand the desperation of the BPI, the Recording Industry Association of America (RIAA), and the Motion Picture Association of America (MPAA). Read more…