The usability of software is usually defined in relation to the efficiency with which people can manipulate it. Is it time-saving, intuitive, likable? But often overlooked is how usability indirectly affects security, especially when dealing with enterprise software. The basic thesis is this: an application that's easier to use, easier to configure and manage both initially and over time, will also be more resilient than an application that's difficult or frustrating, even if the two have identical feature sets. This is because in practice, software is rarely, if ever, used in an ideal fashion.
How many times has a company purchased software based on functionality promises only to have it sit unused, or worse, misused, because they didn't factor in the administrative overhead for IT or application administrators? For example, a network administrator who has a dozen tools for monitoring will show a preference for the tools that are more usable, regardless of feature set. Whether it's managing the day-to-day workload or responding to an outage, people often don't have time to pick through an archaic or confusing UI or reference hundreds of pages of documentation for a clunky API.
Poor usability also contributes to "leaving things default," rather than customizing software configurations for the environment. This is especially common when software is feature-rich but user-unfriendly. Software companies tend to think of their products holistically, whereas in practice, most software is used for very specific purposes by people who have to use dozens of technologies for dozens of small tasks throughout the day. Often, if the product is providing the small sliver of functionality a particular organization (or even employee) needs, the rest of the product is left alone, with the assumption that "if it's doing what I need it to do, that's all that matters." Simple fixes, like obscuring server headers, are never done. This can leave whole facets of the product untouched, which leads to vulnerabilities over time, or even to immediate security problems if the software's default configuration isn't hardened.
Other times, people will think they have the software configured correctly, but because of poor usability (such as needing to put the same information in two or more places, a lack of logging and error messages, or undocumented commands), the software is misconfigured. In the case of a personal application, this could mean someone thinks they're sharing a picture with friends but is actually sharing it with the entire internet. For enterprise systems it could be much worse. The problem of default passwords has become well known to most user communities, but default configurations can be just as bad. When changing these configurations requires navigating endless submenus, turning on hidden features, or working through byzantine logging processes, even someone trying to set it up "the right way" can make a mistake.
Software usability either improves or erodes an organization's resilience. Larger institutions might be able to afford specialized application people who already have deep knowledge of a particular product, but in general most shops rely on a small team with broad knowledge who have to learn and implement new technology as it's incorporated. Therefore, the learning curve and day-to-day use of software play a major role in how well that software is implemented, managed, used and updated. Lack of true expertise in a product necessitates a conscientious implementation process in which securing and configuring the application as a whole becomes as important as whatever specific use it has. Failure to do so will eventually (or immediately) result in security problems.
Fragility, Siloing and Automation
Usability also impacts a system's fragility. Often, difficult-to-manoeuvre software will be left alone "as long as it's working," with critical patches or even major updates ignored because of stability concerns. The longer a piece of software is ignored, the less confidence administrators will have when making changes to it, and the more fragile it becomes when changes do need to be made. Obviously other factors play into software's fragility, but developers who address these issues within the user interface or process flow where possible allow multitasking admins to keep the software updated and patched easily, rather than leaving them dreading it as something that can go terribly wrong.
Finally, less usable systems encourage knowledge siloing. If a company has or trains an expert in a piece of difficult-to-use software, that person becomes a single point of contact (and failure) because nobody else knows (or wants to know) how to use it. This can make it difficult to communicate about that software in a meaningful way or to assess its status beyond a binary working/not-working. As companies try to dismantle IT silos, application usability will play a large role in ensuring entire teams can learn, understand and balance their duties. Furthermore, as automation replaces traditional snowflake-server approaches, clear and precise procedures for managing software must be established. In this sense, the ability to be automated is just as much a criterion for usability as it is for security and reliability.
With the high cost of outages and data breaches, it's going to be harder and harder to confuse usability with convenience, something that happens all too often now. More than just improving the user experience, usability determines, in part, how well-configured, well-monitored and well-managed the software will be. It can make the difference between a smooth upgrade and an unplanned outage, or between an attacker finding an open port and not. The ideal image of any given application should be reality-checked by IT operations and application admins for how it will really fit into their business environment and administrative workload, something that depends heavily on its ease of use.