8 of 8 people found the following review helpful
- Published on Amazon.com
"Security is about inconvenience". This what the national Lotus Notes manager for a federal agency said to me last January at Lotusphere 2005. We were discussing their policy to block all incoming zip files at the gateway without telling users what formats would be acceptable as mail attachments. I disagreed with him then and I find that I am not alone. In "Security and Usability: Designing Secure Systems That People Can Use" (Lorrie Faith Cranor and Simon Garfinkel (Ed), 2005, 716 pages, ISBN 0596008279), O'Reilly has assembled a comprehensive and far-reaching set of 34 essays that challenges commonly held beliefs of the information security community and provides a solid basis to open new dialogues about the trade-offs between security and usability of systems. Without a doubt, it is now on my recommendation list of "must read" books for the information security, application development, system administration, and IT audit communities.
The book is broken down into six sections. In the first, "Realigning Usability and Security", the reader is presented with five essays which hammer home the point that if security of applications and systems are not made user friendly, the users can and will find ways to bypass them. This may range from doing whatever they can to bypass the controls put in place to not using the systems at all. The next section, "Authentication Mechanisms", covers topics that include the evaluation of authentication mechanisms, the problems of passwords, challenge questions, biometrics and more.
The third section, "Secure Systems", covers specific issues associated wit the use of PKI, the sanitizing of equipment being disposed, desktop security, and security administration tools/practices. From here, the fourth section, "Privacy and Anonymity Systems", deals with the challenging topic of privacy. The essays in this section focus on human-computer interaction, policies, analysis and more.
The fifth section, "Commercializing Usability: The Vendor Perspective", sealed the deal from me. Why? Because it allowed the book to grow beyond a purely academic discussion to a discussion of real world challenges faced and addressed by vendors. The vendors selected - ZoneAlarm, Firefox, Microsoft, IBM/Lotus, and the now 'defunct' Groove Networks - are important because each vendor addresses important issues in strong security and IT governance as collaboration becomes more important.
The final section, "The Classics", provides 3 essays focusing on users not being the enemy, a study of KaZaA, and why people cannot encrypt.
Who Should Read This Book
The discussions presented in this book need to be discussed, even debated, if advances in the field are going to occur. And this debate should not be limited to the IT security community. This is because security is everyone's responsibility. As I said at the beginning of this review, I consider this book to be a "must read" for the information security, application development, system administration, and IT audit communities.
Eagle on a 600 yard Par 5 playing into a stiff wind