Cormac Herley, a researcher in the Microsoft Research organization, says end users are understandably noncompliant because there just isn't explicit proof that creating a strong password, for example, makes them less likely to have their accounts hacked. "Security people are trained to look for the worst-case analysis, but users don't think that way," says Herley, who emphasizes his opinions are his own and not that of Microsoft. "For example, users are told not to reuse passwords across accounts because if an attacker gets one, [he] might be able to get into their other accounts. But we don't know how often that does happen."
Most security training and advice aren't compelling enough for users to accept them, he says. The approach is telling them to reduce the risk, but "it's an unknown risk," Herley says. "That doesn't seem to be compelling to people."
Bruce Schneier, who also has written about this phenomenon of users relying on their intuition to gauge their risks, concurs. Schneier, chief security technology officer at BT, says users weigh the security trade-offs of productivity and risk. "None of this is irrational," Schneier says. "A lot of these threats aren't salient."
Security experts mean well, but are guilty of assuming they understand the real risks better than the end user, Herley says. "We don't understand this better than users do," he says. "If we truly believe in the importance of choosing a password of eight characters, we need to make a better effort at gathering the data to make that case.
"When we tell people they should not get into a car and drive after six beers, we have data on this."
And while security advice promises to protect users from the cost of an attack, it instead costs them time and productivity. Actual victimization is relatively rare, he argues in his paper (PDF), and incurs a one-time cost, whereas following security advice is an ongoing cost that adds up to more in the end.
Herley uses an example of an exploit that affects 1 percent of users per year and takes 10 hours of clean-up time per user. For any piece of security advice to pay off against that exploit, he argues, following it must cost no more than 0.98 seconds per user per day (1 percent of 10 hours, spread over 365 days). But it eats up far more time than that, which demonstrates that security advice offers users a poor cost-benefit trade-off, he argues.
Herley says he and other Microsoft Research staffers are currently working on how to better measure the actual harm to users who don't follow security advice. "I'm actively engaged in trying to better measure this," he says. "We are using data sets we have at Microsoft."
And if end users are then provided hard numbers on the harmful effects of not recognizing phishing URL cues or using and reusing weak passwords, Herley wants to determine whether this would change their behavior. "Does it change things if we give them better reasons [to follow security guidelines]?" he asks. That would mean giving them information on how a strong password reduces their risk by this specific amount, for example, he says.
Schneier says it all depends on incentive: If there's no specific consequence to a user for breaking a security policy, then he isn't likely to change his ways. "Their bonus is not based on security, but whether they get their job done. You get the behaviors you [reward]," he says.
It's all about prioritizing advice, Microsoft's Herley says. "Each piece of security advice we try to cram into a user's brain has a cost," he says. "And nobody bought a PC so they could follow all the security advice. They want to do email, Facebook, etc. We give them dozens of tips on how to choose strong passwords and read URLs [for phishing attacks]. But even if they are super-religious about it, does that mean they are secure? No."