There has been and will continue to be a significant tension between security and user convenience. Everyone wants their systems to be more secure. I have never heard anyone say they want their systems to be less secure. But what tradeoffs will they make to provide that security. When it comes to decision time the concern over user convenience / usability and security comes to the forefront, and security frequently ends up on the short end of the stick. Why?
The answer is simple. Security is provided to keep people off of a system, specifically those people who are not authorized to access them. But on the other side of the coin the systems were put into service, at significant effort and expense, to help a business grow. Whether we are talking about back end management and support systems or front end customer facing ecommerce systems, they do not serve their purpose if it is too difficult for users to access them. Therefore, in the majority of cases user convenience trumps security, as usability and access to systems and services is of primary importance. As a well known CEO said, “I do not want to trade $1 of fraud for $1 of customer support.”
"Where Do Security Policies Come From?" by Dinei Florencio and Cormac Herley touches on this issue. The study sought to examine whether the strength of password policies was directly related to the security requirements of a site (size of site, number of users, value of assets protected, frequency of attacks) . They conclude:
"Our analysis suggests that strong-policy sites do not have greater security needs. Rather, it appears that they are better insulated from the consequences of imposing poor usability decisions on their users. For commercial retailers like Amazon, and advertising supported sites like Facebook, every login event is a revenue opportunity. Anything that interferes with usability affects the business directly. At government sites and universities every login event is, at best, neutral, or, at worst, a cost. The consequences of poor usability decisions are less direct. That simple difference in incentives turns out to be a better predictor of password policy than any security requirement. This in turn suggests that some of stronger policies are needlessly complex: they cause considerable inconvenience for negligible security improvement."
Florencio and Herley clearly articulate the need for understanding the tradeoff between security and convenience in their conclusion. However, they also note that it is difficult to determine if you have the security - convenience tradeoff correct, or if decisionmakers are "imposing considerable inconvenience for marginal benefit."