Usability and Networks

Filed By: Robert Moir

One of the areas that I've always been interested in with computing is usability. That is, quantifying and improving how easy something is to work with.

This area has been quite a popular one for a while in the realms of application design (www.asktog.com, www.joelonsoftware.com) and of course web design (www.webpagesthatsuck.com and www.useit.com) but I've been wondering how many of us who manage a network have applied the same principles to our network designs?

Visual cues

When someone sits at a computer on your network, how easy is it for them to find their applications and data? Do you provide a way for them to have shortcuts for their most frequently used applications and files on the desktop or another easy to reach place? Do all your machines behave in a consistent manner for each user? If you only offer a service on a few computers in a room (for example, expensive colour laser printing in a classroom) is it easy to see which computers offer this by just walking into the classroom? Or do your users have to walk around logging onto each machine until they can find one that does what they want?

Security through annoying people

We all know that our data needs to be secure. In fact, I've written some stuff about that on this web site. But do users really need to have to enter a 15 character long password that isn't allowed to be made up from real words, which changes every week and can't be re-used? Do they really need to have to do this with different passwords for the teaching network, the admin network, the MIS system, e-mail, getting onto the Internet, reserving books in the library? Don't you think it's likely that they'll either give up on using computers or write the passwords down on a post-it note and tape it to the monitor? Either way, are you sure that's what you want?

Case sensitive? User Insensitive!

Just to pick a trivial example that pretty much sums up the whole problem, let's look at an example of good security design but bad network usability: the password. Not the overdose of passwords I already mentioned; let's just look at what can go wrong with one password. I'm going to assume that everyone who managed to log onto the Internet to read this knows what a password is, because it's hard to log onto a network or Internet-connected computer these days without supplying one at some point.

Most network operating systems (Linux, Windows 2000, etc.) support "case sensitive" passwords: passwords that differ only in upper and lower case are counted as different passwords, not the same one, so the password ROBERT is not the same as the password Robert or even just plain robert. Now the security manuals teach us this is a good thing because it increases the number of combinations an attacker has to try in order to guess a password. And from the narrow viewpoint the security manuals are using, that is a reasonable point of view. The passwords I use at work to secure access to high security network administration resources use an even more elaborate scheme than this, and for such things I would say it's mandatory.

Looking at the bigger picture, though, we can see a few problems with the usability of applying these schemes to end users. What happens when a user goes on holiday for a month and comes back unable to remember if their password was 'Robert' or just plain old 'robert'? Worse still, what happens when a really strict network administrator decides that all users on their network have to use the really strict password rules that require a mixture of upper and lower case words in their ordinary network password, and possibly a few numbers as well (this is actually a very common secure password rule)? Once you start telling the CEO's secretary that her password is "Football but you have to type it Capital 'F', two zeros instead of the two letter 'O's, Lower case 't', upper case 'B', lower case 'all'" then one of three things will happen:

  • You'll get fired when the secretary tells her boss why she can't type his important correspondence or check his diary for him.
  • You'll get told off by the CEO and told to change the password to something sensible like "cat", because she told him about this without waiting for something bad to happen.
  • She'll write your instructions down on a post-it note and stick it on her monitor (You wanted these passwords to keep stuff secret right?).
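
The arithmetic behind the case-sensitivity argument and the "Football" rule above, as an added example that is not part of the original article: it measures the search space for random letter passwords with and without case, and enumerates every case and o-to-0 spelling of one dictionary word. The function names and the substitution table are assumptions made for this illustration.

```python
import math
from itertools import product

# Assumed substitution table for this illustration (the article's rule swaps
# the letter 'o' for a zero); it is not an exhaustive list.
SUBSTITUTIONS = {"o": "0"}

def keyspace_bits(alphabet_size, length):
    """Bits of search space for a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def case_bits_gained(length):
    """Extra bits from treating upper and lower case letters as distinct."""
    return keyspace_bits(52, length) - keyspace_bits(26, length)

def mangled_variants(word, subs=SUBSTITUTIONS):
    """Every spelling of `word` reachable by picking upper or lower case for
    each letter and optionally applying a substitution from `subs`."""
    per_char = []
    for ch in word.lower():
        options = {ch, ch.upper()}
        if ch in subs:
            options.add(subs[ch])
        per_char.append(sorted(options))
    return {"".join(combo) for combo in product(*per_char)}

def mangling_bits(word):
    """Bits the case/substitution rule adds on top of guessing the word."""
    return math.log2(len(mangled_variants(word)))

if __name__ == "__main__":
    print(f"8 random letters, one case : {keyspace_bits(26, 8):.1f} bits")
    print(f"8 random letters, two cases: {keyspace_bits(52, 8):.1f} bits")
    print(f"gain from case sensitivity : {case_bits_gained(8):.1f} bits")
    variants = mangled_variants("football")
    print(f"spellings of 'football'    : {len(variants)}")
    print(f"'F00tBall' among them      : {'F00tBall' in variants}")
    print(f"bits added by the rule     : {mangling_bits('football'):.2f}")
```

For random letters, case sensitivity is worth one bit per character; the "Football" rule yields 576 spellings of one word, roughly 9.2 bits beyond guessing the word itself.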

Yes it really does matter (aka No, I'm not making this up!)

Those of us who make a living working with computers on a day to day basis are often staggered that "ordinary users" don't understand computers in the way we do. There are plenty of joke web sites about "tech support nightmares" around to make the point that we all think our users are dumb. Now I'm just as bad as everyone else at feeling this way at times, and in fact I can say that I have seen users do some very dumb things, but that doesn't mean they actually are dumb people. How would you feel if you found your doctor writing about how stupid you were on the "doctor and nurse nightmares" joke web site because you had the temerity to ask them to translate "compound fracture of the fibula" into English?

What we have to remember is that most people who use our networks are not interested in networks for their own sake but rather are interested in how information on our network can help them do their job better. Every time we rub a hard to use interface or a complex password, or an unreliable connection in their faces we are stopping them doing their jobs. That can't be good for the "vibe" at your workplace, and it definitely isn't good for your business.
