So Long, And No Thanks: Why User Education FailsSo Long, And No Thanks: Why User Education Fails
In "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users," Cormac Herley of Microsoft Research tries to answer why users don't respond to security advice.
March 18, 2010
In "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users," Cormac Herley of Microsoft Research tries to answer why users don't respond to security advice.Herley's paper examines common security advice in a pragmatic way, looking at its perceived cost and whether it's worth the effort.
In his paper, he says:
"It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort." "...the decision has been unambiguous: users have decided that the cost is far too great for the benefit offered. If we want a different outcome we have to offer a better tradeoff. We examine next how we got things so wrong, and look at ways to make things better. He argues that current efforts are not getting users' cooperation: "Given a choice between dancing pigs and security, users will pick dancing pigs every time." While amusing, this is unfair: users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security." And to sum it up, he adds: "We have shown that much of this advice does nothing to make users more secure, and some of it is harmful in its own right. Security is not something users are offered and turn down. What they are ooffered and do turn down is crushingly complex security advice that promises little and delivers less." Most in our industry agree that user education is critical; users are our biggest liability. However, most of us also recognize that it is not very efficient. I hope more research of this nature will be performed and that we will be able to construct better user education programs, such as this one regarding anti-phishing.
Follow Gadi Evron on Twitter: http://twitter.com/gadievron.
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.
About the Author(s)
You May Also Like
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023
Everything You Need to Know About DNS AttacksNov 30, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Get the Gartner Report: SOC Model Guide
Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report
Building Immunity: The 2021 Healthcare and Pharmaceutical Industry Cyber Threat Landscape Report