A widely cited publication in usable security research is Simson L. Garfinkel’s thesis, “Design Principles and Patterns for Computer Systems That Are Simultaneously Secure and Usable”. In Chapter 10 he describes six principles and about twenty patterns that can be followed to align security and usability in system design.
We’ve been referring to these patterns throughout the webinos project when designing the system and security architecture. However, it’s interesting to note that the web (and web applications) directly contradict many of them. Does this make the web insecure? Or does it suggest that the patterns and principles are inadequate? Either way, in this blog post I’m going to explore the relationship between some of these principles and the web.