Law 1: Sufficient Information

As readers of this blog will know, over the past few months I have been considering the economics of protocol deployment and the issue of security usability (see Part 1, Part 2).

If we are going to improve the state of security usability we need to get into the product design loop so that usable security is an upfront design consideration, not an afterthought. To do that we need to establish clear failure criteria that unambiguously identify a design that cannot possibly be considered usable under any circumstances. Earning a pass on such criteria must be considered a necessary but not a sufficient condition to achieve usability.

One such failure criterion is sufficient information. In many cases the user simply does not have enough information to determine how to do their task safely. For example:

  • When a user receives an email that purports to be from their bank, there is no reliable means for them to know if the message is genuine or a forgery.
  • When accessing a WiFi access point at a coffee shop, the user has no way to tell if their computer has connected to the genuine access point or an 'evil twin'.
  • My water-cooled desktop computer recently developed an overheating fault. Diagnosis of the problem took days longer than necessary because the machine does not keep a log of the reason for the emergency shutdown.

Note that failing to give the user the necessary information at all is a distinct problem from failing to give the information in a form that the user can use. The traditional SSL padlock icon display does make it possible for a cryptographic expert to determine the security state of a connection. The case considered here is an even more fundamental problem: the user does not get the information at all.

Some of these cases are due to poor application design but the WiFi case is due to poor design of the standard. There is simply no way that a company can deliver an acceptable security user experience using the tools provided in the WiFi standard.

Next: how to determine whether the user has sufficient information or not.
