
A Holistic Approach to Security and Usability


Unsettled Scales: Security vs. Usability

Just because balancing effective security with ease-of-use seems like an endless pursuit doesn't mean it's an unnecessary one. Both usability and security are important factors in a healthy workplace; finding a proper balance (that also takes cost into account) is a unique challenge of 21st century management.

Usability and security are so integral to IT that together, they make up a field of computer science study called Human-Computer Interaction & Security (HCISec). Some suggest that what makes this field so fascinating is that there is an inherent conflict between a system's owners and its users: users desire maximum ease-of-use while system owners desire comprehensive security.

It is not realistic to expect maximum usability and maximum security at the same time, unless you're willing to pay exorbitant amounts of money for world-class, state-of-the-art security systems. If so, blending the two may be a little easier for you, but you should still read on to learn why security goes far beyond IT. With the goals of minimizing threats, maximizing accessibility of use, and maintaining moderate costs, there will always be trade-offs. When designing a system whose elements are, for the most part, mutually exclusive, choices must be made.

How to Make the Choice

Ask yourself: What do I need to protect and at what cost to my system's users? Risk assessment and protection differ depending on industry and enterprise. Some companies require new software or technology, some must implement a change in process, and some need to address behaviors and mindsets. The goal is to effectively protect data and assets without placing an unnecessary burden on operations, finance, and usability.

The truth is, you can't have it all. Increased security measures don't always result in increased security. A line must be drawn: at what point does securing the network begin to impede productivity?

"[When security focuses] on assets and technical mechanisms,
not on the experience of users doing their work,
systems fail from day one and users immediately start working around
approved practices, which increases risk even further."
Tsion Gonen, Chief Strategy and Marketing Officer at SafeNet

The more software and processes you implement for security, the more difficult it is for legitimate users to do their work. Often, as a result, users find ways to bypass security measures. For example, having to memorize 10 impossible passwords is going to result in employees keeping written reminders in their desks or wallets. It's only a matter of time before a list of passwords gets found by the wrong person.

We recommend being selective and focusing on your most sacred data and the highest risk. And once you've taken the proper measures to protect that data against that risk, let your employees in on the knowledge.

Security Goes Beyond IT

Communication is the great leveler between these two seemingly incompatible concepts. We hope someday we will be able to tell you that we are able to help you get all the security you want and increase usability of all your IT systems. Unfortunately, we can't. But we can tell you that when people know and deeply understand why sometimes frustrating security measures are in place, they're going to be much more willing to take part.

Security is not solely a technical challenge; people are the heart and soul of it. People create the data you want to protect, people will behave in ways that protect data if you help them, and people, maliciously or not, will find ways to bypass security. Creating a security environment that writes people out of it will often have the negative effect of making people lazy and careless about security.

One solution, then, is to be intentional about creating the security environment you want, but to do it in a way that includes the people who will be engaging with it. Ease-of-use may decrease in some areas, but if people understand why and how to work through those challenges, it won't create as much frustration.

InfoWorld Media Group suggests five helpful dimensions of the new security model in their article, How to Rethink Security for the New World of IT:

  1. Narrow the information security focus to core, critical assets
  2. Protect key assets with multilayered defense systems
  3. Engage the people who use information to protect the assets they work with
  4. Team with business partners to boost their (and your) immune systems
  5. Make security a business problem, not just IT's problem

You can read more about each step in their Deep Dive PDF.

It may sound like we're trying to shift security off of our shoulders as an outsourcer of IT and onto yours as a CEO or manager. In reality, we want to help you decide which technical security measures are right for you and implement them. But we also want those measures to be successful in the long term, and that means being more than an IT provider. We want to be your partner, helping you integrate security measures into the culture of your company.

A few months ago, we shared these findings of Xerox's "Dreaming Discussion," and today we're reminded again of the third result: technology needs to be part of the company's DNA. "Whichever technology solution a company chooses, it will never succeed without full management buy-in and the right attitude among users." Heightened security typically decreases usability, but that doesn't have to be the end of the story.
