Security and Usability. Designing Secure Systems That People Can Use.
by Cranor, Laurie Faith and Simson Garfinkel
O'Reilly 2005.
ISBN 0-596-00827-9. $44.95. 714 pages; index.
Reviewed by Bob Bruen 11/15/05
Among books in the security field, there are not many collections of academic papers. I only hedge my bet because I cannot recall one, but I may have missed it. Bruce Schneier's Privacy Papers does not count because the papers are of a different type. In other fields, these sort of collections are common for the simple reason they are of great value. While books by one author, or several, give us the benefit of that author's experience, knowledge and opinion, a collection of essays or research papers on a narrow topic gives us a broader base. We can see viewpoints that are in opposition or complimentary or supportive. We also get the benefit of each of the authors special contribution, especially of the editors have done their job well.
Faith and Garfinkel selected an important topic in security and usability. The question of much do you have to give up for security extends to privacy, convenience, money, usability and other areas. Freedom is not free, it comes with a price and we have to struggle daily to keep our liberties. I have always thought the cost would be in the struggle against those who would deny us, not in the struggle with those who would protect us. For many people, it seems a given that there is always a trade-off when security is applied or increased. Now we have a substantial amount of evidence that runs counter to the argument that usability must be sacrificed for security.
The editors have selected high quality papers for inclusion in their book. There are 34 papers distributed among six parts. The parts include privacy and systems, as well as a part with papers from vendors. I often feel as though vendors care very little about my personal experience, but these papers prove me wrong, at least in few cases. The paper on the thinking and responsiveness of Firefox's development was particularly instructive. Perhaps this is the explanation of its popularity. It is one thing to become popular because what folks were using had crossed the pain threshold, but it is another to sustain that popularity. The competitor has improved and Firefox has experienced problems, but the thinking behind Firefox's design has made the difference.
Some of the topics are controversial, such as the paper by Roger Dingledine and Nick Mathewson on anonymity. These two are principles in Tor and Mixminion, whose purposes are anonymity while using the Internet. The debate is about law enforcement's ability to track down criminal versus an individual's right to speak without fear. Most of us like the idea of being anonymous ourselves, but the other guy, well not so much. Citizens in some countries face death if they are discovered exercising a right we take for granted, such as criticizing the government. On the other hand, few of us want to see thieves and con men stealing money over the 'Net and then vanishing into the shadows. While this debate will not be settled here or even in this book, the topic needs well-done research.
Security and Usability is one of those few books that push the security field forward. As much as I enjoy books on hacking stuff, thoughtful work on the impact on society are extremely important. I highly recommend this book, which will become a foundation for others to build upon. The other 32 papers are as good as the two I highlighted. More than likely, any reader will find at least a few papers which will strike home.