Human-computer interaction and security (HCISec) is the computer science study that explores the interrelationship between usability and security and privacy. Many believe that usability is the inverse of security and privacy; the easier a system is to use, the less protected it is. HCISec proposes that the three concepts can be made synergistic, if certain principles and methodologies are carried through the development life cycle. A security and privacy framework is intended to make undesirable actions and incidents more difficult, and usability aims to make desirable actions and incidents easier for the user. So, it may be true to say that improving one can also improve the other. Usability and system fluidity should minimize unintentional and involuntary actions. Secured, privatized systems should prevent and mitigate undesirable use. To deliver on this duality, innovators, developers, security personnel and privacy counsel must lock arms and embrace security and privacy from design to implementation.
Security by Design
System development, as in conventional architecture, must carefully take into account the environment in which systems will be built and used. Security blueprinting should start in the concept phase and controls should be employed based on the risk environment. System protection mechanisms are too often ineffective or seem cumbersome because they have been bolted on towards the end of the development life cycle and fail to respect associated risks. Controls ought to be tailored like user experience and interaction features based on study and analysis. Identify what a user’s required aptitude, attention, vigilance and motivation must be, and consider how memorable and repetitive the controls are. Recognize the social context.
Privacy by Design
Like security, privacy must be on the docket at the start of system development as well to successfully promote accountability and transparency. A privacy control framework should be developed to address both potential and actual risks by default. Effectively educating users and providing assurance through multi-layered notice, intuitive consent options, adequate disclosures, and rightful data collection, use, and retention practices will reduce user apprehension—ultimately contributing to a better overall feeling of usability.
Symbiosis between usability, security and privacy truly depends on prioritization and first understanding that these concepts can complement each other, if approached properly. It really is a matter of culture, if your organization can accept that development may require more research, planning, collaboration, and man hours to ultimately build a better product or service. The question is: can your organization fairly measure usability, security and privacy as they truly must be weighed?
Zach Schmitt, BrightLine CPAs & Associates Senior Associate, CISA, CIPP/US
United States of America
Lyle, John, Ivan Fléchais, Andrew Simpson, and Shamal Faily. Usability and Security by Design: A Case Study in Research and Development. EU FP7 / University of Oxford / Bournemouth University, n.d. Web.
http://eprints.bournemouth.ac.uk/22053/1/flfs15.pdf
Cavoukian, Ann, and Marc Chanliau. “Privacy and Security by Design: A Convergence of Paradigms.” (2013): 1-22. Privacy by Design. Office of the Information and Privacy Commissioner / Oracle. Web.
https://www.privacybydesign.ca/content/uploads/2014/01/PbDBook-From-Rhetoric-to-Reality-ch8.pdf
Garfinkel, Simson. Design Principles and Patterns for Computer Systems That Are Simultaneously Secure and Usable. Massachusetts Institute of Technology, 2005. Web.
http://simson.net/thesis/
Malenkovich, Serge. “Usability and Security: The Endless Pursuit of Perfection.” Web log post. Kaspersky Lab Daily. N.p., 26 Oct. 2012. Web.
https://blog.kaspersky.com/usability-and-security-the-endless-pursuit-of-perfection/493/
[ISACA Now Blog]
