Secure Interaction Design

Recently Brian was commenting on User Interface Guidelines and provided some useful links to the guidelines for different platforms. With the recent iTunes now available in Windows, it was funny to see Apple guidelines applied to a Windows platform.

What interested me was not in the guidelines themselves, but how void they were in discussing security aspects with respect to the UI. Now before you jump down my throat and quote Microsoft's own Steve Lipner and say "Usability, flexibility, security are a set of trade-offs", I would like to alter your thinking and dispute that by saying that "usability and security aren't contrary goals; we shouldn't assume that we must sacrifice one for the sake of the other".

In fact, a system that's hard to understand and use will almost certainly have security problems in practice. And a more secure system is a more reliable, more effective system: hence, a more usable system. Here's a definition from Garfinkel and Spafford's book, Practical UNIX and Internet Security:

"A computer is secure if you can depend on it and its software to behave as you expect."

Doesn't that look like it would be good for usability, too?

Now, I wish I could take credit for this thinking. But I cannot. The last paragraph is actually a quote from Ka-Ping Yee, who has devoted time to develop a site in relation to Secure Interaction Design. In it, he points to various papers that support his argument, and comes to suggest a list of ten principles for secure interaction design:

1. Path of Least Resistance. The most natural way to do any task should also be the most secure way.
   
2. Appropriate Boundaries. The interface should expose, and the system should enforce, distinctions between objects and between actions along boundaries that matter to the user.
   
3. Explicit Authorization. A user's authorities must only be provided to other actors as a result of an explicit user action that is understood to imply granting.
   
4. Visibility. The interface should allow the user to easily review any active actors and authority relationships that would affect security-relevant decisions.
   
5. Revocability. The interface should allow the user to easily revoke authorities that the user has granted, wherever revocation is possible.
   
6. Expected Ability. The interface must not give the user the impression that it is possible to do something that cannot actually be done.
   
7. Trusted Path. The interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf.
   
8. Identifiability. The interface should enforce that distinct objects and distinct actions have unspoofably identifiable and distinguishable representations.
   
9. Expressiveness. The interface should provide enough expressive power (a) to describe a safe security policy without undue difficulty; and (b) to allow users to express security policies in terms that fit their goals.
   
10. Clarity. The effect of any security-relevant action must be clearly apparent to the user before the action is taken.
    

Further to this, he has created an excellent poster that now hangs on my wall which reflects these principles. It looks something like this:

If you are interested in usability in software, while at the same time achieving your security goals, consider browsing this site on Secure Interaction Design. Its well worth the effort.