
Endpoint

3/18/2010
04:12 PM

End Users Buck Security Advice For Economic Reasons

Without proof that strong passwords and Website certificates actually keep them safe, it's no wonder end users ignore security advice, say a Microsoft Research expert and others

End users routinely reject security advice and recommendations for strong passwords and for heeding dangerous Website warnings -- and that behavior makes perfect sense from an economic and psychological perspective, security experts say.


Cormac Herley, a researcher in the Microsoft Research organization, says end users are understandably noncompliant because there just isn't explicit proof that creating a strong password, for example, makes them less likely to have their accounts hacked. "Security people are trained to look for the worst-case analysis, but users don't think that way," says Herley, who emphasizes his opinions are his own and not that of Microsoft. "For example, users are told not to reuse passwords across accounts because if an attacker gets one, [he] might be able to get into their other accounts. But we don't know how often that does happen."

Most security training and advice aren't compelling enough for users to accept them, he says. The approach is telling them to reduce the risk, but "it's an unknown risk," Herley says. "That doesn't seem to be compelling to people."

Bruce Schneier, who also has written about this phenomenon of users relying on their intuition to gauge their risks, concurs. Schneier, chief security technology officer at BT, says users weigh the security trade-offs of productivity and risk. "None of this is irrational," Schneier says. "A lot of these threats aren't salient."

Security experts mean well, but are guilty of assuming they understand the real risks better than the end user, Herley says. "We don't understand this better than users do," he says. "If we truly believe in the importance of choosing a password of eight characters, we need to make a better effort at gathering the data to make that case.

"When we tell people they should not get into a car and drive after six beers, we have data on this."

And while security advice promises to protect users from the cost of an attack, it instead costs them time and productivity. Actual victimization is relatively rare, he argues in his paper, and incurs a one-time cost, whereas following security advice is an ongoing cost that adds up to more in the end.

Herley uses an example of an exploit that affects 1 percent of users per year and takes 10 hours of clean-up time per user. So implementing any security advice, he argues, should incur only 0.98 seconds per user per day to actually reduce the time involved. But it eats up much more time than that, which demonstrates that security advice provides a poor cost-benefit trade-off to users, he argues.
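The arithmetic behind that 0.98-second figure, carried through as an added example (not Herley's own code or the paper's model): the 1 percent victimization rate and 10-hour clean-up are the article's numbers; the per-advice `seconds_per_day` costs and the `effectiveness` fraction (how many incidents a piece of advice actually prevents) are assumptions introduced here to show that the break-even budget is an upper bound that only holds if the advice prevents every incident.

```python
"""Cost-benefit model of security advice, after the figures in the article.

Added example, not Herley's code. Victim rate (1%/year) and clean-up time
(10 hours) come from the article; `effectiveness` and the per-advice costs
are constructed assumptions for illustration.
"""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600
DAYS_PER_YEAR = 365


def break_even_seconds_per_day(victim_rate_per_year: float, cleanup_hours: float) -> float:
    """Maximum daily time a user can spend on advice and still come out ahead.

    Expected annual loss per user = rate * cleanup. Spread over a year, that
    is the most the advice may cost per day, assuming it prevents every incident.
    """
    expected_loss_seconds = victim_rate_per_year * cleanup_hours * SECONDS_PER_HOUR
    return expected_loss_seconds / DAYS_PER_YEAR


@dataclass
class Advice:
    name: str
    seconds_per_day: float   # what following the advice actually costs the user
    effectiveness: float     # fraction of incidents it prevents (assumed, 0..1)


def net_seconds_per_day(advice: Advice, victim_rate_per_year: float, cleanup_hours: float) -> float:
    """Expected daily saving minus daily cost; negative means the user loses time."""
    budget = break_even_seconds_per_day(victim_rate_per_year, cleanup_hours)
    return advice.effectiveness * budget - advice.seconds_per_day


if __name__ == "__main__":
    rate, cleanup = 0.01, 10.0
    print(f"break-even budget: {break_even_seconds_per_day(rate, cleanup):.2f} s/day")
    # Constructed examples: the costs and effectiveness values are illustrative, not measured.
    for a in (
        Advice("type a 16-char password 5x/day", seconds_per_day=15.0, effectiveness=0.5),
        Advice("glance at URL bar before login", seconds_per_day=1.0, effectiveness=0.3),
    ):
        print(f"{a.name}: net {net_seconds_per_day(a, rate, cleanup):+.2f} s/day")
```

With the article's numbers the budget is 360/365 of a second per day, so any advice costing more than that loses the user time even if it were perfectly effective.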

Herley says he and other Microsoft Research staffers are currently working on how to better measure the actual harm to users who don't follow security advice. "I'm actively engaged in trying to better measure this," he says. "We are using data sets we have at Microsoft."

And if end users are then provided hard numbers on the harmful effects of not recognizing phishing URL cues or using and reusing weak passwords, Herley wants to determine whether this would change their behavior. "Does it change things if we give them better reasons [to follow security guidelines]?" he asks. That would mean giving them information on how a strong password reduces their risk by this specific amount, for example, he says.

Schneier says it all depends on incentive: If there's no specific consequence to a user for breaking a security policy, then he isn't likely to change his ways. "Their bonus is not based on security, but whether they get their job done. You get the behaviors you [reward]," he says.

It's all about prioritizing advice, Microsoft's Herley says. "Each piece of security advice we try to cram into a user's brain has a cost," he says. "And nobody bought a PC so they could follow all the security advice. They want to do email, Facebook, etc. We give them dozens of tips on how to choose strong passwords and read URLs [for phishing attacks]. But even if they are super-religious about it, does that mean they are secure? No."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
