Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

3/18/2010
04:12 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

End Users Buck Security Advice For Economic Reasons

Without proof that strong passwords and Website certificates actually keep them safe, it's no wonder end users ignore security advice, says Microsoft Research expert, others

End users routinely reject security advice and recommendations for strong passwords and for heeding dangerous Website warnings -- and that behavior makes perfect sense from an economic and psychological perspective, security experts say.

For a deeper discussion of why users don't follow security policy, register for Dark Reading's upcoming virtual event on endpoint security.

Cormac Herley, a researcher in the Microsoft Research organization, says end users are understandably noncompliant because there just isn't explicit proof that creating a strong password, for example, makes them less likely to have their accounts hacked. "Security people are trained to look for the worst-case analysis, but users don't think that way," says Herley, who emphasizes his opinions are his own and not that of Microsoft. "For example, users are told not to reuse passwords across accounts because if an attacker gets one, [he] might be able to get into their other accounts. But we don't know how often that does happen."

Most security training and advice aren't compelling enough for users to accept them, he says. The approach is telling them to reduce the risk, but "it's an unknown risk," Herley says. "That doesn't seem to be compelling to people."

Bruce Schneier, who also has written about this phenomenon of users relying on their intuition to gauge their risks, concurs. Schneier, chief security technology officer at BT, says users weigh the security trade-offs of productivity and risk. "None of this is irrational," Schneier says. "A lot of these threats aren't salient."

Security experts mean well, but are guilty of assuming they understand the real risks better than the end user, Herley says. "We don't understand this better than users do," he says. "If we truly believe in the importance of choosing password of eight characters, we need to make a better effort at gathering the data to make that case.

"When we tell people they should not get into a car and drive after six beers, we have data on this."

And while security advice promises to protect users from the cost of an attack, it instead costs them time-wise and productivity-wise. Actual victimization is relatively rare, he argues in his paper (PDF), and incurs a one-time cost whereas security advice is an ongoing one that costs more in the end.

Herley uses an example of an exploit that affects 1 percent of users per year and takes 10 hours of clean-up time per user. So implementing any security advice, he argues, should incur only 0.98 seconds per user per day to actually reduce the time involved. But it eats up much more time than that, which demonstrates that security advice provides a poor cost-benefit trade=off to users, he argues.

Herley says he and other Microsoft Research staffers are currently working on how to better measure the actual harm to users who don't follow security advice. "I'm actively engaged in trying to better measure this," he says. "We are using data sets we have at Microsoft."

And if end users are then provided hard numbers on the harmful effects of not recognizing phishing URL cues or using and reusing weak passwords, Herley wants to determine whether this would change their behavior. "Does it change things if we give them better reasons [to follow security guidelines]?" he asks. That would mean giving them information on how a strong password reduces their risk by this specific amount, for example, he says.

Schneier says it all depends on incentive: If there's no specific consequence to a user for breaking a security policy, then he isn't likely to change his ways. "Their bonus is not based on security, but whether they get their job done. You get the behaviors you [reward]," he says.

It's all about prioritizing advice, Microsoft's Herley says. "Each piece of security advice we try to cram into a user's brain has a cost," he says. "And nobody bought a PC so they could follow all the security advice. They want to do email, Facebook, etc. We give them dozens of tips on how to choose strong passwords and read URLs [for phishing attacks]. But even if they are super-religious about it, does that mean they are secure? No."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13611
PUBLISHED: 2019-07-16
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
CVE-2019-0234
PUBLISHED: 2019-07-15
A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
CVE-2018-7838
PUBLISHED: 2019-07-15
A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
CVE-2019-6822
PUBLISHED: 2019-07-15
A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
CVE-2019-6823
PUBLISHED: 2019-07-15
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.