Simson Garfinkel sent me a copy of “Security and Usability: Designing Secure Systems that People Can Use,” which he co-edited with Lorrie Faith Cranor. [Updated spelling of Lorrie’s name. Sorry!] I was really hesitant when I got it because I tend to hate collections of academic papers. They’re often hard to read, heavily redundant, and jargon filled. This book isn’t, and my copy is already dog-eared, and filled with turned-down pages. It is chock full of useful advice, interesting stories, great references, and useful lessons learned. If you build security software, or software with security implications, you should buy this book.
Once you’ve bought it, it may help to skim the first few chapters, which set the scene, and do contain a fair bit of redundancy, probably unavoidably. If you get bogged down, skip forward, there’s lots of great stuff.
I think this is my favorite excerpt:
We studied eight subjects’ experiences enrolling in the wireless PKI. Our subjects were sophisticated computer users, typically holding Ph.D.s in Computer Science. Despite using the GUI-based interface for enrollment and configuration of their machines, the process involved a total of 38 distinct steps.
Each of these presented an opportunity for end users to make frustrating mistakes. The average time that it took them to request and retrieve their certificate and then configure their system was 140 minutes. Almost all of the subjects printed the instructions, and even those determined to understand what they were doing soon began following the instructions mechanically. In the end, many test subjects described enrollment as the most difficult computer task that PARC had ever asked them to do. All subjects had little idea of precisely what they had done to their computers. Several commented that if something were to go wrong, they could not perform even basic troubleshooting. For several subjects, this was the first time that they had ever experienced the inability to administer their own machines. Ironically, while PKI technology may have secured their machines for wireless use, it simultaneously reduced these end users’ ability to configure and maintain their own machines. (From chapter 16, “Making the Impossible Easy: Usable PKI,” by Dirk Balfanz, Glenn Durfee, and D.K. Smetters.)