The Principle of Psychological acceptability

Jerome Saltzer and Michael Schroeder in “The Protection of Information in Computer Systems”:

“[...] Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors. [..]“

Any question?

Holistic System Security an cyber-security research priority

In the Report to the President on Cyber Security: A Crisis of Prioritization (February 2005) was published the cyber security priorities, theses were:

1. Authentication Technologies
2. Secure Fundamental Protocols
3. Secure software Engineering and Software Assurance
4. Holistic System Security
5. Monitoring and Detection
6. Mitigation and Recovery Methodologies
7. Cyber Forensics: Catching Criminals and Deterring Criminals activities
8. Modeling and Testbeds for New Technologies
9. Metrics, Benchmarks, and Best Practices … and
10. Non-Technology Issues than can Compromise Cyber security

Well, everything sounds known, but what does Holistic System Security mean?.
The report answers perfectly and explains why it is a priority:

4. Holistic System Security

Effective security in a complex, many-layered, global infrastructure such as the Internet and its nodes requires more than the security of its component parts. Establishing sound methods for authentication, secure protocols for basic Web operations, and improved software engineering will undoubtedly become
part of an evolving solution to this problem. But most importantly, researchers must recognize from the outset that an end-to-end architectural approach to the security of the whole necessarily transcends the security of the individual parts.For example, customers assume that their online banking transactions, based on secure socket layer (SSL), are indeed secure. But by spoofing the associated underlying protocols or end-user software, a malicious party can make a user’s transaction appear secured by SSL while allowing the theft of confidential data. It is also possible to compromise the security of the end computing systems, obtaining the data even though it was secure in transit.

Software usability itself is a legitimate and important research topic in cyber security. Incorrectly used software or hostile or confusing user interfaces can lead to user frustration and unauthorized workarounds that can compromise even the most robust security schemes. Research is also needed on how to make large and complex systems, where components can interact in unexpected ways, secure as a whole. Ultimately, fundamental research should address the development of entirely new, holistic security architectures including hardware, operating systems, networks, and applications. Research subtopics include:

• Building secure systems from trusted and untrusted components, and integrating new systems with legacy components
• Proactively reducing vulnerabilities
• Securing a system that is co-operated and/or co-owned by an adversary
• Comprehensively addressing the growing problem of insider threats
• Modeling and analyzing emergent failures in complex systems
• Human factors engineering, such as interfaces that promote security and user awareness of its importance
• Supporting privacy in conjunction with improved security

(more…)

Systems Thinking, Holism, Trust, Security and Usability .. my first post

Yes, it is my first post and i hope that it will not be last one. So far I published my thoughts in Spanish and in a static web page, and it was boring.. now, i should be more funny for reaching a wider audience.

Well, here are going to publish some thoughts such as Quality, Systems Thinking, Holism, Trust, Security, Usability and different things without relation.. apparently.

Regards!