System Usability, Security, and Privacy: A Beautiful Union



In this socio-technological age, the digital revolution in our midst now bears counterbalancing concerns for security and privacy. User utility is no longer just thought of as the overall experience and benefit of IT products and services. System protection is now a primary consideration; however, employing security and privacy safeguards without disrupting usability can be a serious challenge.

Human-computer interaction and security (HCISec) is the computer science discipline that explores the interrelationship between usability and security and privacy. Many believe that usability is the inverse of security and privacy: the easier a system is to use, the less protected it is. HCISec proposes that the three concepts can be made synergistic if certain principles and methodologies are carried through the development life cycle. A security and privacy framework is intended to make undesirable actions and incidents more difficult, and usability aims to make desirable actions and incidents easier for the user. So, it may be true to say that improving one can also improve the other. Usability and system fluidity should minimize unintentional and involuntary actions. Secure, privacy-preserving systems should prevent and mitigate undesirable use. To deliver on this duality, innovators, developers, security personnel and privacy counsel must lock arms and embrace security and privacy from design to implementation.

Security by Design
System development, as in conventional architecture, must carefully take into account the environment in which systems will be built and used. Security blueprinting should start in the concept phase, and controls should be employed based on the risk environment. System protection mechanisms are too often ineffective or seem cumbersome because they have been bolted on towards the end of the development life cycle and fail to respect the associated risks. Controls ought to be tailored, like user-experience and interaction features, on the basis of study and analysis. Identify what a user's required aptitude, attention, vigilance and motivation must be, and consider how memorable and repetitive the controls are. Recognize the social context.

Privacy by Design
Like security, privacy must be on the docket at the start of system development as well to successfully promote accountability and transparency. A privacy control framework should be developed to address both potential and actual risks by default. Effectively educating users and providing assurance through multi-layered notice, intuitive consent options, adequate disclosures, and rightful data collection, use, and retention practices will reduce user apprehension—ultimately contributing to a better overall feeling of usability.

Symbiosis between usability, security and privacy truly depends on prioritization and on first understanding that these concepts can complement each other if approached properly. It really is a matter of culture: whether your organization can accept that development may require more research, planning, collaboration and man-hours to ultimately build a better product or service. The question is: can your organization fairly measure usability, security and privacy as they truly must be weighed?

Zach Schmitt, BrightLine CPAs & Associates Senior Associate, CISA, CIPP/US
United States of America



[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
