Security Usability Triangle

The Security, Functionality and Usability Triangle is a foundational concept in security. Like the CIA triad, it applies to any system, network, or device. Before walking through how the triangle works, let's look at how it is most commonly diagrammed.

(Figure: the Security, Usability, Functionality Triangle, with one property at each vertex.)

This is a rather simple concept, so this won't be a long post. First, we need to understand what each corner of the triangle means.

  • Functionality: The features provided by the information system.
  • Usability: How easy the system is to use.
  • Security: The restrictions imposed on accessing the various components of the system.

Now, why is this drawn as a triangle? Imagine putting a dot directly in the middle of it. That dot represents an equal emphasis on security, functionality, and usability. None of the three is maximised, because each is giving up something to the other two in order to keep the balance.

Now imagine we move the dot towards the security vertex. We have an extremely secure system that is neither very functional nor very usable. Move the dot towards functionality instead, and we have a feature-rich system that is neither secure nor usable.

The further you move towards one of the three elements, the more the other two suffer. Finding the right balance is an ongoing exercise, because the right position changes as the system, its users and its threats change. You might think: "why not just leave the dot in the middle all the time? We'd have a system that is equal in all three regards."

Simply put, this isn’t ideal in all situations. Imagine you work for the U.S. Department of Defense. The system you are in charge of will be used by commanders in a war zone, and this particular system shows the command real-time location data on each of the units they are in charge of.

Which corner would you want to balance the system towards? Surely it should be usable, but should it be so usable that the security of the system suffers and it becomes an easier target for enemy forces? Surely it should offer immense functionality, to give the commander as much information as possible. But should it be so functional that an enemy force can easily break into the system and obtain all of that same information?

In this scenario, you'll almost certainly want a more secure system, at the cost of some usability and functionality. I'd rather the commander lose some functionality and usability than have the system compromised, because the lives of the soldiers in the battle depend on it.

Cody Dostal