Security and Usability - O'Reilly's Latest Release

From:  "Kathryn Barrett" <kathrynb-AT-oreilly.com>
To:  lwn-AT-lwn.net
Subject:  Security and Usability - O'Reilly's Latest Release
Date:  Thu, 22 Sep 2005 06:03:00 -0700

For Immediate Release
For more information, a review copy, cover art, or an interview with
the authors, contact:
Kathryn Barrett (707) 827-7094 or kathrynb@oreilly.com

Designing Secure Systems that People Can Use
O'Reilly Releases "Security and Usability"

Sebastopol, CA--Conventional wisdom dictates that there must be a tradeoff
between security and usability.  To illustrate the point, Lorrie Faith
Cranor, DSc, and Simson Garfinkel, Ph.D., contrast a computer with no
passwords with one "that makes you authenticate every five minutes with
your password and a fresh drop of blood." The former is usable, but not
secure, while the latter is secure but holds little appeal for most users.
In their new book, "Security and Usability" (O'Reilly, US $44.95), Cranor
and Garfinkel contend that security and usability are not inherently at
odds; in fact, tomorrow's computers won't be secure unless researchers,
designers, and programmers can invent new ways to make security systems
easier to use.

"As the world around us makes clear every day, if people are unable to use
secure computers, they will use computers that are not secure," Cranor and
Garfinkel remark in the preface to their book. Although theoretically
secure, computers that aren't usable do little to improve the security of
their users because these machines push users to less secure platforms.
"As it turns out, the converse is also true: systems that are usable but
not secure are, in the end, not very usable either," they note. This is
because these systems don't last: they get hacked, compromised, and
otherwise rendered useless.

"Having each worked in the area of security for the better part of two
decades, it has become increasingly clear to us that the question of
usability is among the most important in determining the overall security
of a system, yet it is also one of the issues that is most frequently
ignored," observes Garfinkel. "Although it has long been recognized that
security systems need to be usable, there has been astonishingly little
work done in this area to date. Indeed, some scientists have gone so far
as to say that usability and security are inherently at odds, and in
building secure systems it is necessary to figure out just how much
usability needs to be given up.

"We don't believe this," Garfinkel continues. "We believe that it is
possible, through the use of good research and practice, to build systems
that are both secure and usable. This book is a guide to practitioners on
how to do that, as well as a guide to researchers regarding which
directions are likely to bring more fruitful results."

In the first book to be focused entirely on the subject of usability and
security, Cranor and Garfinkel present thirty-four groundbreaking essays
from leading security, usability, and human-computer interaction (HCI)
researchers around the world. Balancing theory and fundamental principles
with practical advice, they examine this important issue in detail.

"In order to build systems that are both secure and usable, it is
important to have some understanding of both the computer security field
and the human-computer interaction field. Most researchers and
practitioners have been trained in only one of these fields. Our hope is
that this book can help bridge the gaps for them and fill in some of the
important background they need to work in this interdisciplinary area,"
says Cranor.

"Security and Usability" offers a window into the future of computer
security where usable design and secure systems are no longer at odds.
Topics include:

-Realigning usability and security: psychological acceptability, designing
 for actual (not theoretical) security, tools for usability evaluation, and
 trust designs and models

-Authentication mechanisms: password memorability, challenge questions,
 graphical passwords, biometrics, keystroke dynamics, smart cards, and USB
 tokens

-Secure systems: secure interaction design, anti-phishing, sanitization
 and usability, usable PKI, compartmentalized security, and ethnographic
 analysis

-Privacy and anonymity systems: privacy design pitfalls, the Privacy Space
 Framework, the Platform for Privacy Preferences (P3P), web bugs, informed
 consent on the Internet, social approaches to security, and anonymizing
 technologies

-Commercializing usability: vendor experiences in addressing usability
 issues at Microsoft, IBM/Lotus, Firefox, Zone Labs, and Groove Networks

"Security and Usability" brings together research findings, actual
implementation experiences, practical advice, and recommendations for
constructing next-generation operating systems. This volume is sure to
become a classic reference and an inspiration for further research.

Additional Resources:

Chapter 23, "Privacy Analysis for the Casual User with Bugnosis," is
available online at:
http://www.oreilly.com/catalog/securityusability/chapter/...

For more information about the book, including table of contents, index,
author bios, and samples, see:
http://www.oreilly.com/catalog/securityusability/

For a cover graphic in JPEG format, go to:
ftp://ftp.ora.com/pub/graphics/book_covers/hi-res/0596008...

Security and Usability
Edited by Lorrie Faith Cranor and Simson Garfinkel
ISBN: 0-596-00827-9, 714 pages, $44.95 US, $62.95 CA
order@oreilly.com
1-800-998-9938
1-707-827-7000
http://www.oreilly.com
1005 Gravenstein Highway North
Sebastopol, CA 95472

About O'Reilly
O'Reilly Media, Inc. is the premier information source for leading-edge
computer technologies. The company's books, conferences, and web sites
bring to light the knowledge of technology innovators. O'Reilly books,
known for the animals on their covers, occupy a treasured place on the
shelves of the developers building the next generation of software.
O'Reilly conferences and summits bring alpha geeks and forward-thinking
business leaders together to shape the revolutionary ideas that spark new
industries. From the Internet to XML, open source, .NET, Java, and web
services, O'Reilly puts technologies on the map. For more information:
http://www.oreilly.com

# # #

O'Reilly is a registered trademark of O'Reilly Media, Inc. All other
trademarks are property of their respective owners.  
Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds