1.3 Trade-offs Between Usability and Security in Computing Systems | Computer Systems | Computer Science 12

In computing, usability and security are two essential but often competing goals. Designing a system that is both highly secure and easy to use is one of the central challenges in computer science and Human-Computer Interaction (HCI).

The Core Trade-off

The fundamental tension is simple:

More security → more barriers, more steps, more friction → lower usability
More usability → fewer barriers, simpler access → lower security

This relationship is often called the Security-Usability Seesaw: pushing one side up forces the other side down. The goal of good system design is to find the optimal balance point.

Example: Requiring a 20-character password with symbols, numbers, and uppercase letters is highly secure but very difficult to remember — reducing usability. A simple 4-digit PIN is easy to use but easy to guess — reducing security.

Real-World Examples of the Trade-off

Security Measure	Security Level	Usability Impact
Complex password policy	High	Low — hard to remember, users write them down
Multi-Factor Authentication (MFA)	High	Medium — extra steps slow login
Biometric authentication (fingerprint)	High	High — fast and requires no memorisation
Single-factor PIN	Low	High — quick and simple
Auto-logout after 30 seconds	High	Low — constant re-authentication is frustrating
Password manager	High	High — auto-fills strong passwords

Consequences of Getting the Balance Wrong

Too Much Security, Too Little Usability

When security measures are too restrictive:

Users write passwords on sticky notes (defeating the purpose of strong passwords)
Users adopt Shadow IT — using unauthorized third-party tools to bypass restrictions, creating new, unmanaged security risks
Productivity drops and user frustration increases

Too Much Usability, Too Little Security

When ease of use is prioritised over security:

Systems become vulnerable to brute-force attacks, phishing, and unauthorized access
Sensitive data may be exposed
Compliance with data protection regulations may be violated

Recommending Cybersecurity Measures: Key Factors

When recommending a cybersecurity measure, the following factors must be considered:

1. Efficiency

Does the measure slow down users significantly? A good measure should protect the system without creating major bottlenecks.

Example: Password managers improve efficiency by auto-filling credentials while maintaining strong, unique passwords.

2. Cost

Is the measure affordable to implement and maintain? Expensive solutions may not be practical for all organisations.

Example: Hardware security keys (like YubiKey) are very secure but have a per-unit cost that may be prohibitive for large deployments.

3. Privacy

Does the measure collect or store sensitive personal data? Users have a right to know what data is collected and how it is used.

Example: Biometric systems store fingerprint or facial data — if this data is breached, it cannot be changed like a password.

4. Ethics

Does the measure treat all users fairly? Security measures must not discriminate or unfairly disadvantage certain groups.

Example: Biometric authentication may disadvantage users with certain disabilities. Facial recognition systems have shown bias against certain ethnic groups.

Finding the Optimal Balance

The best cybersecurity measures aim to be both secure and usable. Strategies include:

Biometric authentication — strong security with minimal user effort
Single Sign-On (SSO) — one secure login grants access to multiple systems, reducing password fatigue
Password managers — generate and store complex passwords automatically
Risk-based authentication — applies stricter checks only when unusual behaviour is detected (e.g., login from a new country)
User education — training users to follow security practices reduces the need for overly restrictive technical controls

Summary

Concept	Definition
Usability-Security Trade-off	The inverse relationship where increasing security often reduces ease of use
Security-Usability Seesaw	Metaphor for the balance designers must achieve
Shadow IT	Unauthorized tools used when official systems are too restrictive
Key factors	Efficiency, Cost, Privacy, Ethics

The Core Trade-off

The fundamental tension is simple:

More security → more barriers, more steps, more friction → lower usability
More usability → fewer barriers, simpler access → lower security

This relationship is often called the Security-Usability Seesaw: pushing one side up forces the other side down. The goal of good system design is to find the optimal balance point.

Real-World Examples of the Trade-off

Security Measure	Security Level	Usability Impact
Complex password policy	High	Low — hard to remember, users write them down
Multi-Factor Authentication (MFA)	High	Medium — extra steps slow login
Biometric authentication (fingerprint)	High	High — fast and requires no memorisation
Single-factor PIN	Low	High — quick and simple
Auto-logout after 30 seconds	High	Low — constant re-authentication is frustrating
Password manager	High	High — auto-fills strong passwords

Consequences of Getting the Balance Wrong

Too Much Security, Too Little Usability

When security measures are too restrictive:

Users write passwords on sticky notes (defeating the purpose of strong passwords)
Users adopt Shadow IT — using unauthorized third-party tools to bypass restrictions, creating new, unmanaged security risks
Productivity drops and user frustration increases

Too Much Usability, Too Little Security

When ease of use is prioritised over security:

Systems become vulnerable to brute-force attacks, phishing, and unauthorized access
Sensitive data may be exposed
Compliance with data protection regulations may be violated

Recommending Cybersecurity Measures: Key Factors

When recommending a cybersecurity measure, the following factors must be considered:

1. Efficiency

Does the measure slow down users significantly? A good measure should protect the system without creating major bottlenecks.

Example: Password managers improve efficiency by auto-filling credentials while maintaining strong, unique passwords.

2. Cost

Is the measure affordable to implement and maintain? Expensive solutions may not be practical for all organisations.

Example: Hardware security keys (like YubiKey) are very secure but have a per-unit cost that may be prohibitive for large deployments.

3. Privacy

Does the measure collect or store sensitive personal data? Users have a right to know what data is collected and how it is used.

Example: Biometric systems store fingerprint or facial data — if this data is breached, it cannot be changed like a password.

4. Ethics

Does the measure treat all users fairly? Security measures must not discriminate or unfairly disadvantage certain groups.

Example: Biometric authentication may disadvantage users with certain disabilities. Facial recognition systems have shown bias against certain ethnic groups.

Finding the Optimal Balance

The best cybersecurity measures aim to be both secure and usable. Strategies include:

Biometric authentication — strong security with minimal user effort
Single Sign-On (SSO) — one secure login grants access to multiple systems, reducing password fatigue
Password managers — generate and store complex passwords automatically
Risk-based authentication — applies stricter checks only when unusual behaviour is detected (e.g., login from a new country)
User education — training users to follow security practices reduces the need for overly restrictive technical controls

Summary

Concept	Definition
Usability-Security Trade-off	The inverse relationship where increasing security often reduces ease of use
Security-Usability Seesaw	Metaphor for the balance designers must achieve
Shadow IT	Unauthorized tools used when official systems are too restrictive
Key factors	Efficiency, Cost, Privacy, Ethics