REVIEW: "Security and Usability", Lorrie Faith Cranor/Simson Garfinkel

BKSECUSA.RVW   20090727

"Security and Usability", Lorrie Faith Cranor/Simson Garfinkel, 2005,
0-596-00827-9, U$44.95/C$62.95
%E   Lorrie Faith Cranor
%E   Simson Garfinkel
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00827-9
%I   O'Reilly & Associates, Inc.
%O   U$44.95/C$62.95 800-998-9938 fax: 707-829-0104
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   714 p.
%T   "Security and Usability"

The editors state that they intended this collection of essays to
address the academic, rather than the practical, side of the security
field.  Thus, the papers are chosen to reflect theory and principle
rather than specific practice.  A prudent choice, since theory dates
less quickly than specific procedure.

The thirty-four compositions in this work are divided into six
sections.  Part one states that security and usability are not
antithetical, part two addresses authentication mechanisms and
techniques, part three examines how system software can contribute to
security, part four deals with privacy controls, part five examines
the vendor perspective of provision of security, while part six
finishes off the book with a few papers considered to be of lasting

The papers contain interesting points, but sometimes both theoretical
and practical utility are lacking.  For example, the first paper,
entitled "Psychological Acceptability Revisited," challenges the idea
that security mechanisms must be complex and difficult to use in order
to be effective.  Unfortunately, while the author clearly demonstrates
that a system can be both insecure and useless, he does not prove the
opposite, which is the condition we want.  A good many papers simply
state that human factors should be considered, and that security
provisions should be usable: these points are true, but not helpful.
With one exception (a good paper on password choice) all the pieces on
authentication present research having nothing to do with usability.
Most of the papers in the book describe security research that is
interesting, and which frequently has relations with human factors,
but the relevance to the provision of systems that are both usable and
secure is not often clear.

Even as a compilation of security bedtime reading, the essays
collected in this volume are somewhat lacking.  In terms of both
principles and practice, any volume of the "Information Security
Management Handbook" (cf. BKINSCMH.RVW) has superior selection, and
better structure, as well.

copyright Robert M. Slade, 2009    BKSECUSA.RVW   20090727
