How Can We Balance Security With Usability?
Tesla Autopilot Fatal Crash Raises Safety Questions [Source: https://www.youtube.com/watch?v=mA9zuN_pfG8]
I read with sadness a report about the first documented highway death of a 'driver' in a self-driving car. The investigation into the recent fatal crash is still in its early stages, but we know a few facts. First, 94 percent of all traffic accidents involve some kind of human error. Second, there is no turning back from automation and self-driving technology. Said one expert about the recent crash: "The path to mobility is paved with tragedy."
The incident got me wondering: My car has a top speed of 137 miles per hour (220 km/h). While driving on the highway I often cross the 75 miles-per-hour mark (120 km/h). I often wonder whether I should speed up and push the vehicle closer to its full capabilities (and get to my destination much faster). Most of the time I choose not to, and there are many reasons for my decision to stay within the official speed limits. For one, I cannot be sure that someone driving erratically will not be in a parallel lane up ahead. I also cannot accurately predict the condition of the road in front of me. There could also be an abrupt mechanical failure in my own vehicle because of general wear and tear (or a manufacturing defect). While I normally drive within the posted speed limits, there are always times when I need to accelerate. When I do, I proceed with a more calculated risk.
It's the same case when it comes to security and information technology. Imagine that you want to read emails from a specific individual without entering the user ID and password for your mailbox at all. This would be highly convenient (a high degree of usability), but it would offer a very low degree of security. You are effectively taking a calculated risk, because IDs and passwords can be compromised. The only way out, if you think about it, is to obtain a one-time password via a secondary channel each time you access your email. This method has a high degree of security, but its usability is very low.
With many organizations adopting the smartphone, there is an inevitable tussle between the CIO and the Chief Security Officer (CSO). In a so-called 'bring-your-own-device' (BYOD) environment, the CIO would probably tout the benefits of user satisfaction, increased productivity, and reduced total cost of ownership. The CSO, on the other hand, would seek to control the devices stringently or avoid a BYOD environment altogether. We all know that when leaving the house we lock it properly and close all the windows from the inside. When we return we need some kind of authentication process to get back in (having the right key!). The same is true of BYOD: the goal is to prevent enterprise data from leaking.
Security protocols are designed to prevent unauthorized access to information within a system and to ensure that the system remains available for authorized access. Ideally, security protects a user's IT infrastructure and the information stored on it. A company-provided laptop might have its own built-in hard-drive encryption. An employee could opt to use the BitLocker drive-encryption tool in Windows so that the same username and password they use to access the computer and the network also unlocks the drive.
Using a single sign-on (SSO) tool for various apps and services can also reduce the burden on users while maintaining the desired security posture. Centrify, Okta, Ping Identity, and many other firms offer cloud-based identity management tools that pool user log-ins. If the user is 'VPNing' into the network, one might consider looking into modern options in Microsoft servers such as DirectAccess, which replaces VPN connectivity and allows for an always-on connection based on certificates rather than tokens or passwords.
Why do we routinely ignore security advice, particularly the advice given by cyber security professionals about the need for strong passwords that are changed frequently? It seems there is a significant disparity between what we do and what we want. Do we prefer security or usability? Or does one have to exist entirely independently of the other? Well, I predict that in the near future the security/usability trade-off will no longer exist. Systems with a proper balance of security and usability will emerge, so that to a large extent the two will go hand in hand. As consumers we won't be forced to trade one for the other.