Security vs. usability: No one's winning
Experts say wretched usability is scaring crypto newbies away
Computerworld Australia - Usability of security software is partly to blame for low protection levels in many computers, according to international security experts.
In a panel session at this year's Australian Unix Users Group (AUUG) conference in Melbourne yesterday, software security developers gave reasons why the IT industry is still at the mercy of so many problems.
University of Auckland computer scientist Peter Gutmann said many security standards were written 10 years ago and have mostly just been tweaked since then.
"A lot of the security stuff is designed by crypto geeks [and] because of a lack of usability, people can't apply them correctly," Gutmann said, adding that usability is just as important as "having a bunch of crypto and let people figure it out from there".
Gutmann said the protocols were designed without usability in mind, and even if a user-friendly GUI could be put over them, it is unlikely the original developers would accept it.
"They would rather have 100 percent perfect software that's unusable than 99 percent perfect software that is usable," he said.
OpenBSD developer Ryan McBride, who works on packet filter and IPSec code, lashed out at intrusion detection systems, saying the technique has no way of detecting whether a virus is attacking a network.
"I do IDS work in a Fortune 50 company and it's a case of 'oh look, another box has a virus - go turn it off'," McBride said. "It's very hard to automate turning things off in security."
McBride said IDS isn't the place to solve the problem, but inside the software is.
University of NSW School of IT senior lecturer Dr. Lawrie Brown said that, when looking at modern software, part of the problem is the enormous body of unsafe software that people continue to use, which propagates vulnerabilities.
Brown said there is also a mindset within the general population that computers are relatively new and people are unaccustomed to the importance of information security.
German network security PhD student Tobias Eggendorfer seconded this, saying end users are not educated to deal with security threats.
"It will take 20 to 30 years to educate people about computer security," he said. "You wouldn't give your house key to someone, so why do the same with your password?"