Complexity - A Sure Way to Fail

Tuesday, January 11, 2011

Rafal Los


There has been a good deal of griping lately about what "us security people" call the "dumbing down" of products in whatever product space you care to name.

By this I mean, of course, products that appear to drop advanced features in order to make themselves "easy to use" for the general end-user.

While almost every product's marketing page lists "Ease of Use" as one of its checkbox features, it is rare that this actually shows up in the shipped product.  The end result of difficult-to-use security products is clear: they get misconfigured or go unused, and security breaches are rampant. You don't have to take my word for it; do a search.

Simplicity may not be the end goal of a product development team, but the end user's ability to do something meaningful in the product with as little confusion, as few keystrokes and mouse clicks, and as little "RTFM" as possible should be weighted just as heavily as the product's ability to perform its advertised key functions.  In the end, if a product has amazing features that no one can figure out, they won't be used.

I have some experience with product teams, so I thought I would weigh in and pass along some of the things I've learned over the years of interacting directly with, and supporting, product teams.

Dumbing Down Security?

First and foremost, I don't think that products which make themselves simple to use are necessarily "dumbing down security" in any way.  In fact, I would argue quite the opposite.  In a well-done product, simple-to-use features make security more accessible, more usable and therefore more consumable by a wider range of people.  In the end, doesn't that benefit everyone?

If you want "dumbed down security" you can certainly find it among the products out there.  I will grant that some products have become so "simple to use" that the value they add to security is minimal, but I wouldn't blame that entirely on the simple-to-use principle.  

In fact, I would blame the product teams for not working hard enough to make the features that give the product its security potency reachable through all that simplicity.

Transparent, Simple

Ultimately, I've argued over and over that in order to have a meaningful impact, security must be transparent to the user and as simple as possible.  Complexity doesn't enable the user, and we all know what happens when we give end-users too many knobs, buttons and switches... they either freeze like a deer in the headlights and make no decision, or they make poor decisions based on guesses... either way things go poorly.  

In the case of security administrators (or analysts), the more complex we make products, the more we force people to specialize.  This specialization makes it almost certain that when a company needs to hire that one person who understands its firewalls, IPSs, DLP devices and everything else, that person will be good at one product and will have to read the manuals for the rest.  That's not a very good sign...

I'm not saying we have to design security device interfaces for the sixth-grader in all of us, but it would help if the many devices and mechanisms out there didn't require a Master's degree and a vendor certification to operate properly.  "Out of the box" things should be usable... and if they're not, we should ask why, rather than simply accept that we're too dumb to use them properly.

Transparent security is the pinnacle of the security mountain because it's a true test of simplicity and design power.  If the anti-malware widget on your laptop installs simply and gives you warnings when "things are going amok", with an intelligent analysis that doesn't require a PhD in security jargon to read, then it's a win, because you'll know whether to hit the "block" or "accept" button... right?  

It's even better if those decisions are made for the end user without intervention, all without interrupting legitimate work or play.  I know we're not there (yet), and maybe we never will be... but it's something to aspire to.

Striking a Balance

In the final analysis, it's really all about striking a balance: making products simple and transparent while keeping them powerful and giving them a meaningful, positive impact on security posture.  While it's cool to be a command-line ninja, let's face it, there aren't many of them out there... and enterprise as well as personal security shouldn't be directly proportional to one's ability to perform script-fu at the machine level.

Every security product should aspire to be the "Easy Button", but without losing so much capability that it can no longer perform the security tasks needed to protect the user, the system or the enterprise from threats.  

How does that balance happen?  Careful research, extremely seasoned security product managers, and a team that performs usability testing and provides frank, honest feedback to those product teams.

That balance also depends on feedback from the people who use these products every day.

Remember, it's not OK to be told to go read the manual because you're too dumb to understand "product X"... if a feature isn't readily evident (and it isn't some super-advanced feature like teleportation) and the vendor can't tell you why it isn't readily evident, then maybe they're doing it wrong.  Voice your opinion and tell them.

Simplicity and transparency in harmony with capability: this is the secret recipe for the perfect security product, ensuring uptake (adoption rates), usage (end-user use), and ultimately a safer experience.

Cross-posted from Following the White Rabbit

Susan V. James I find that a lot of security product vendors make narrow assumptions about the configuration of the environment that a potential client is considering their product for. They put all of their eggs in one basket of expectations - "the client will just have to make some changes to get this to work." And then they back off from supporting the potential client through the POC process, or expect that a "professional services" fee be ponied up just to see if their product works in the environment.

The product itself may indeed be fairly manageable once it is implemented, but the implementation is the killer. If I have to make significant changes to technology, staffing or operational processes and any of those changes result in an increased and ongoing expense or increased complexity in another area, I'm not buying the product.
Ovidiu Bucsa This post goes in the same line with a Computerworld article I've read today, about the increase of support calls during 2010, despite the common tendency of simplifying programs for end users.
Rafal Los For what it's worth - I don't think that people are getting any less intelligent (although that point is slowly becoming debatable in certain circles); rather, I think that the problems are becoming so complex that the solutions are necessarily more complex - thus more confusing ... this is a tough pool to swim in.
Rafal Los By the way - thank you for reading, I encourage you to read the full blog, as there are other posts you may find interesting. Please see the link in the "Cross-Posted From" section.