• List Price: CDN$ 64.82
  • You Save: CDN$ 15.47 (24%)
Temporarily out of stock.
Order now and we'll deliver when available. We'll e-mail you with an estimated delivery date as soon as we have more information. Your account will only be charged when we ship the item.
Ships from and sold by Amazon.ca. Gift-wrap available.
Security and Usability: D... has been added to your Cart
+ CDN$ 6.49 shipping
Used: Good | Details
Sold by Daily-Deal-
Condition: Used: Good
Comment: This Book is in Good Condition. Used Copy With Light Amount of Wear. 100% Guaranteed.
Have one to sell?
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See all 3 images

Security and Usability: Designing Secure Systems that People Can Use Paperback – Sep 4 2005

See all 2 formats and editions Hide other formats and editions
Amazon Price
New from Used from
Kindle Edition
"Please retry"
"Please retry"
CDN$ 49.35
CDN$ 42.68 CDN$ 9.63

Harry Potter and the Cursed Child
click to open popover

No Kindle device required. Download one of the Free Kindle apps to start reading Kindle books on your smartphone, tablet, and computer.
Getting the download link through email is temporarily not available. Please check back later.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your mobile phone number.

Product Details

  • Paperback: 740 pages
  • Publisher: O'Reilly Media; 1 edition (Sept. 4 2005)
  • Language: English
  • ISBN-10: 0596008279
  • ISBN-13: 978-0596008277
  • Product Dimensions: 17.8 x 3.3 x 23.3 cm
  • Shipping Weight: 1.1 Kg
  • Average Customer Review: Be the first to review this item
  • Amazon Bestsellers Rank: #238,702 in Books (See Top 100 in Books)
  •  Would you like to update product info, give feedback on images, or tell us about a lower price?

  • See Complete Table of Contents

Product Description


"It's good. Buy it for your team library." - Lindsay Marshall, news@UK, June 2006

About the Author

Dr. Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science at Carnegie Mellon University. She is a faculty member in the Institute for Software Research, International and in the Engineering and Public Policy department. She is director of the CMU Usable Privacy and Security Laboratory (CUPS).

Simson Garfinkel is a journalist, entrepreneur, and international authority on computer security. Garfinkel is chief technology officer at Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools.

Customer Reviews

There are no customer reviews yet on Amazon.ca
5 star
4 star
3 star
2 star
1 star

Most Helpful Customer Reviews on Amazon.com (beta)

Amazon.com: HASH(0x9a96be88) out of 5 stars 11 reviews
9 of 9 people found the following review helpful
HASH(0x9a790954) out of 5 stars Great overview with surprising amount of detailed coverage Sept. 20 2005
By Don R. Hanson II - Published on Amazon.com
Format: Paperback
Security and Usability; pick one at the expense of the other is the story we've all heard time and again. More secure systems are harder to use; for example longer secure passwords are harder to remember than shorter, more easily guessed ones.

In the real world it has been recently noticed that when security "gets in the way"; it is often circumvented by the users. For example, systems that "upgrade security" by requiring lengthy passwords often result in sticky notes appearing as people begin to write their passwords down. The book explores a number of topics from the perspective that improved usability can enhance the real world security of a system.

The chapters are written by different authors and grouped around related topics. It's hard to pull off these kinds of books well, but I believe this one succeeds. I put the chapters into three categories; talking points, patterns I can use, and presentations.

Talking point chapters help me explain to others how improving usability can improve security; examples include "Usable Security" and "Design for Usability". Patterns I can use chapters present a framework for evaluating different approaches to common security problems; such as evaluating authentication mechanisms. Presentation chapters discuss a particular topic presenting pros and cons, such as "Identifying Users from Their Type Patterns" or "Informed Consent by Design".

I enjoyed reading this book. If you're considering buying or designing a secure system I recommend checking it out.
8 of 8 people found the following review helpful
HASH(0x9a7909a8) out of 5 stars Security Should *NOT* Be About Inconvenience Oct. 26 2005
By Christopher Byrne - Published on Amazon.com
Format: Paperback
"Security is about inconvenience". This what the national Lotus Notes manager for a federal agency said to me last January at Lotusphere 2005. We were discussing their policy to block all incoming zip files at the gateway without telling users what formats would be acceptable as mail attachments. I disagreed with him then and I find that I am not alone. In "Security and Usability: Designing Secure Systems That People Can Use" (Lorrie Faith Cranor and Simon Garfinkel (Ed), 2005, 716 pages, ISBN 0596008279), O'Reilly has assembled a comprehensive and far-reaching set of 34 essays that challenges commonly held beliefs of the information security community and provides a solid basis to open new dialogues about the trade-offs between security and usability of systems. Without a doubt, it is now on my recommendation list of "must read" books for the information security, application development, system administration, and IT audit communities.

The book is broken down into six sections. In the first, "Realigning Usability and Security", the reader is presented with five essays which hammer home the point that if security of applications and systems are not made user friendly, the users can and will find ways to bypass them. This may range from doing whatever they can to bypass the controls put in place to not using the systems at all. The next section, "Authentication Mechanisms", covers topics that include the evaluation of authentication mechanisms, the problems of passwords, challenge questions, biometrics and more.

The third section, "Secure Systems", covers specific issues associated wit the use of PKI, the sanitizing of equipment being disposed, desktop security, and security administration tools/practices. From here, the fourth section, "Privacy and Anonymity Systems", deals with the challenging topic of privacy. The essays in this section focus on human-computer interaction, policies, analysis and more.

The fifth section, "Commercializing Usability: The Vendor Perspective", sealed the deal from me. Why? Because it allowed the book to grow beyond a purely academic discussion to a discussion of real world challenges faced and addressed by vendors. The vendors selected - ZoneAlarm, Firefox, Microsoft, IBM/Lotus, and the now 'defunct' Groove Networks - are important because each vendor addresses important issues in strong security and IT governance as collaboration becomes more important.

The final section, "The Classics", provides 3 essays focusing on users not being the enemy, a study of KaZaA, and why people cannot encrypt.

Who Should Read This Book

The discussions presented in this book need to be discussed, even debated, if advances in the field are going to occur. And this debate should not be limited to the IT security community. This is because security is everyone's responsibility. As I said at the beginning of this review, I consider this book to be a "must read" for the information security, application development, system administration, and IT audit communities.

The Scorecard

Eagle on a 600 yard Par 5 playing into a stiff wind
8 of 8 people found the following review helpful
HASH(0x9a790de0) out of 5 stars Users Are Not the Enemy Oct. 8 2005
By Brett Merkey - Published on Amazon.com
Format: Paperback
I make Web applications for a living. Our team strives to make them usable. I have always preferred to leave security to the security professional. Maybe that's not working. I suspect there are a lot of other GUI designers, usability folk, project managers, business analysts, and product managers out there arriving at the same conclusion.

Have you felt the frustration of working through client interviews, screen reviews, team discussions and iterations of tests to make the most usable possible application -- only to learn that users stumble time and again even getting to your product? User authentication and authorization complaints rank right at the top in most help staff logs. This book may provide some alternatives to passive acceptance of things as they are.

It is hard to summarize a 750 page book with over 60 contributors. There is a lot here for a broad range of interests. Yes, some chapters have a load of mind-numbing jargon, but as a whole, this material is very approachable by the professions I mentioned above. Many of the contributors are from the ranks of the same professions. Stats are mixed with anecdotes in an interesting way.

Bruce Tognazzini's "Design for Usability" was a personal favorite -- and so was the chapter on designing the interface to ZoneAlarm, a product familiar to most.

If there is one theme that unites all the contributions, it is expressed in the title of Ch. 32: "Users Are Not the Enemy." Amen to that.
3 of 3 people found the following review helpful
HASH(0x9a7921bc) out of 5 stars Making a Secure and Usable World Oct. 17 2005
By Dan McKinnon - Published on Amazon.com
Format: Paperback
Security has been a problem ever since the early days of computers. No matter how many steps are taken, the bad guys are always out to make user's world an uncomfortable one. At times it feels like it's a battle that can never be won. While a frustrating issue that never seems to go away, engineers and academics continue to create new methods for dealing with the problems that the scourge of the binary world continue to push through like the plague.

In the exciting new book 'Security and Usability' by O'Reilly, 34 papers are published all in one text that examine this issue in a thorough and interesting manner.

The topics are broken up into the following parts:

Realigning Usability and Security

Authentication Mechanisms

Secure Systems

Privacy and Anonymity Systems

Commercializing Usability: The Vendor Perspective

The Classics

With so many different papers it's nearly impossible to discuss the book as a whole, better leaving each paper/analysis to speak for itself. If for nothing else, the "Classics" section featuring the following 3 papers are probably the highlight of this book:

Users Are Not the Enemy by Anne Adams and M. Angela Sasse

Usability and Privacy: A Study of KaZaA P2P File Sharing by Nathaniel S. Good and Aaron Krekelberg

Why Johnny Can't Encrypt by Alma Whitten and J.D. Tygar

For any engineer or user that finds the topic of how to make a system/application that is very secure and very usable (a need for nearly anything used on the computer in this day and age), this is an important text that brings the topic together in one place. This is a book that will probably be required reading for any college course in security concerns, and it's well worth the read.

2 of 2 people found the following review helpful
HASH(0x9a7922a0) out of 5 stars Great for both camps Aug. 24 2006
By jose_monkey_org - Published on Amazon.com
Format: Paperback
This isn't a typical O'Reilly book, and it's definitely not an "animal" book. I think that's something that's thrown a lot of people for a loop the first time they see this book. That change is good, however, because what O'Reilly has delivered is a book whose contents will stand up much longer and be more useful than most of the books out there on any technical subject, from any publisher. By having various viewpoints in information rich, managable pieces so well organized, the book itself is usable both as a read through from cover to cover and as a reference.

Security and Usability (S&U) is targeted at two main camps. The usability camp who doesn't quite understand what a security system is. They think in terms of making the user's experience with the software better, and often that means making the design more accomodating. That's great, and very valuable, but sometimes that's been known to compromise the system's security.

The other camp this book targets is a security application or a security system designer. Often this camp doesn't have a great grasp on usability. We (I think I fall into this category) tend to be power users and build systems that work for power users. When regular users (read: "everyone else") encounter such a system they're usually stuck, and understandably so. S&U introduces many usability concepts and paradigms to the software or system designer and provide a springboard for better results.

Make no mistake, this book wont make you an expert in either field, but it will give you a deeper understanding and a strong foothold at improving both scenarios. If nothing else, it gives both camps the vocabulary to start talking and working together.

One of my favorite chapters in the book outlines how ZoneAlarm was designed and implemented, along with some of its issues along the way. This is a remarkably successful application that achieves both good security design and utility while being usable by a large portion of the population. Such a study - and the book has many similar studies to back up viewpoints - is an invaluable aid in getting the message across.

If you write security software, design security systems, or work with a team that does, by all means look at this book. It will improve your product.