But where does one draw the line between designing something user-friendly but also secure?

A prime example of this is the User Account Control (UAC) feature that was implemented in Windows Vista. I’m sure the reasoning Microsoft had was to try and educate, as well as warn users, when potentially harmful activity was occurring. This feature would literally pester the user – constantly. While I skipped the Vista flavor of Windows (I recently moved from XP to Windows 7 and love it), I can recall countless times that users would turn off the function – or simply click Ok without a seconds hesitation. Truly convenience of getting on with whatever the user was trying to do outweighed the warning. (Granted – Windows implementation of this feature wasn’t the greatest…I’m just using it to prove a point. )

Passwords are another point of concern on this topic. I believe it was one of the temps from “The Office” that indicated the only thing she learned was that half the employees used “password” as their password. While this is just a TV show – it’s probably more true than not in the actual workplace. A secure password could be defined as one that is changed every 30-45 days, does not contain family names or words found in a dictionary. It also contains uppercase, lowercase, symbols, numbers, and should range from 8 characters to 16 characters. This seems to be a daunting task for any user – let alone your average Joe.

Recently some changes have been made to the wireless on BYU campus. A secure SSID that implemented WPA or WPA2 and required the user to pass a scanning process that ensured the user was up-to-date with Windows patches and had installed a up-to-date antivirus program. While this added 10-20 seconds more time (after the initial setup) from the previous process – the end result was far more secure than the previous implementation (no security, no scanning). According to the network security team, the amount of viruses, attacks, and malicious activity on the network dropped to rates not before seen. So in reality – not only was the network more secure, but performed better. So a win for the user? No – a number of users were annoyed at the extra time this “inconvenience” caused. I even heard complaints that it was an invasion of privacy – that the network team had no right to know what was on a users computer. Sometimes you just have to sigh.

I think this will continue to be a struggle – until users have a deep enough understanding as to why administrators seem to cause so much “inconvenience.”

Until then…I’m not even sure.