Today I stumbled across a couple of quotes from a talk I saw on March 10. Simson Garfinkel provided some insight to usable security.
"We can never make a system completely secure... but we can make the attacks more expensive and more difficult."
How true, isn't that the whole idea behind computer security? An arms race?
He went on to explain that all of computer security boils down to secure, authentic messaging.
He concluded his talk about digital signatures (specifically a usability study he did with email) by mentioning that people should sign mail. The general paradigm about signing mail is successful with a decent interface, even if people are not "cryptographically aware." Unfortunately, digital signatures are not an effective countermeasure for phishing.
He also concluded that people who use webmail or other web applications will have trouble switching to an interface that is event driven -- or vice versa. This creates a dilemma in the design circuit. Do we design apps for web application users or for classic window-based GUI users?