Friday, May 8

If the UI fails, the application fails

A blog posting by Luther Martin at Voltage reminded me of something I said a long time ago when I was developing Web applications:
If the UI fails, the application fails.
I probably wasn't the first or only person to have ever said that, but I think it rings true today and is especially applicable to information security practices.

Luther is specifically talking about cryptography and uses an analogy of mechanical clocks. If people had to understand how the clock worked in order to read the time, the clock would no doubt have failed to reach widespread adoption.

But we have no trouble assuming that end users should understand that they need HTTPS and should verify certificate authorities, because obviously without proper SSL the information they pass to their bank is exposed to snooping attacks and they are susceptible to phishing attacks. What?!? That statement contained five terms that most people off the street wouldn't even be able to define -- never mind understand well enough to use the technology properly to safeguard against relevant threats.

Security needs to be built in. And the user interface needs to be easy to use and simple to understand. Otherwise, as we've seen, the security mechanisms will fail.

1 comment:

Matt Flynn said...

More on how NetVision applies this strategy to remove the hoops that people have to jump through to get to Access Rights reports.