two key design issues: (1) the importance of users (and vendors) understanding the necessity for protection and (2) the reasonableness of the effort required.

Different groups are involved in ensuring the security of a computer system, and each group requires a different form of design assistance. System developers provide the underlying mechanisms, but the information technology (IT) administrators at the various sites determine how security policies are actually enforced with those mechanisms. The IT staff is under considerable pressure from its own administration to reduce security and privacy concerns, but to do so it must be well versed in technology, in the law, in the needs of the user community, and in the psychology of both the legitimate and the illegitimate users. What the community needs, Norman suggested, is a set of standardized scripts, templates, and system tools that allows administrators to implement best practices in ways that are both effective and efficient, standardizing interactions across systems in order to simplify the life of users while still tailoring the requirements to any special needs of the organization. These tools do not exist today.

In the absence of standard guidelines and adequate tools, different systems implement the same policies with very different philosophies and requirements, complicating life for people who must use multiple systems. Developers who lack an understanding of real human behavior tend to impose logical rules and requirements on a bewildered, overwhelmed audience. The users, either not understanding the rationale or simply disagreeing with the necessity for the procedures imposed on them, see these as impediments to accomplishing their jobs. Moreover, the system developers may lack understanding of the clever ruses and social engineering skills of the illegitimate users, who break into systems the easy way: by lying, stealing, and deceiving. The strongest locks in the world do not deter the clever social engineer.

Security and privacy are difficult problems. Norman suggested that a way to improve security is to design systems that are easy to use for their intended purposes or by the intended people, but difficult for non-authorized people or uses. For these purposes, Norman added, one needs to consider components not normally considered in simple product design: means of authenticating identities or authority, needs, and permissions.

It also means undertaking research to ensure that systems are accompanied by a clear and understandable conceptual model, Norman concluded. Individuals do appear willing to adapt to the inconvenience of locks that seem reasonable for protection, but not to those that just get in the way. If people understand why they are required to implement security protocols, they might be more willing to pay a reasonable penalty of inconvenience.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.