Users Rejecting Security Advice Considered Rational
WeeBit writes "Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working. [Microsoft Research's Cormac] Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process." Here is Dr. Herley's paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).
What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.; if not bothering or paying somebody else to do it. I'd been toying around with Linux and Unix for years for business and personal use, but I finally switched for good when I realized that I was wasting more time with Windows than I would with a *NIX O.S.
Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer.
Would Linux be more safe if it had greater than or equal to the market share of Windows? Is any home O.S. really safe as long as the user keeps clicking "yes" or "ok"? That's a whole other debate. The fact is that Linux, now, is much less of a hassle than Windows.
I have a simpler conclusion... Most users are idiots!
If I were God, wouldn't I protect my churches from acts of me?
Why do Employees like Microsoft Windows?
Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them.
Why do Managers like Windows?
Windows allowed them to have the latest and greatest in computer hardware, largest hard drive, most memory, fastest CPU, and other new hardware. With all this no Employee could remote login to their system and slow down the Screen Saver. Because the Manager wanted to find out if the Cast-away escaped from the island.
I agree with this assessment. I work at an IT company that supports many different companies and users of different sizes. We are a small operation (10 techs).
Most security recommendations are rejected due to the cost of implementation when dealing with corporate customers. Smaller businesses and individual users will reject them due to the lack of perceived risk.
Simple example is when a salon did not want to spend the 30 minutes in labor to secure their wireless network because guests use it. We said no problem and offered to set up a guest network and secure their internal wireless network. No problems with their Cisco SA. They still did not want to do it. Their reasoning was not the $50 one-time cost but, "who would want to go to the trouble of accessing our data? We have nothing sensitive."
They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.
That's just one example. Lots of these "dumb endusers" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.
prevention is more expensive than repair/recovery/treatment
How? Any prevention effort requires some kind of cost, very often a continual and on-going cost.
Whereas the cost of recovery is only necessary once the negative effect occurs. And since it only happens to other people, that means that the cost of not preventing is 0. Clear win.
Which explains a lot of epidemiology (low vaccination rates, high-risk behaviors spreading unstoppable diseases, etc.); economics (victims of fraud, high-risk investors, etc.); software development practices ("Release NOW" rather than quality).
Unless you can prove that the bad thing WILL happen without prevention, people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.
Or, as others in this thread have put it, people are idiots.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Of course it's economics. That's what every cost/benefit analysis is. Economics is just another word for the other "researcher's ideas", not any kind of challenge or refutation of them.
Are there no remarkable findings in the linked article worth reporting? Sure sounds like it to me.
I can still remember the Computer Security professor telling the class on the very first day that computer security is a matter of economics. How much does it cost to implement? How much do you stand to lose if your security is broken and your "stuff" stolen? At some point, you reach a point of diminishing returns and it is wasteful to spend more on security.
And in this context, time, effort, and inconvenience all have a significant cost that must be counted.
The average idiot computer user is not always as dumb as you think they are.
As I said before, most users don't care because there are usually no consequences to ignoring security directives.
Most users figure that security is the corporation's problem. They just figure that whatever they do will be protected "by the firewall" and they go on with life. It's not their problem if things go wrong.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
How about this one... At least in businesses...
Users in a business generally have very little if any incentive to follow any security policy that does not happen automatically, without any intervention on their part.
It is not their data, not their computer, and generally not their problem. If something goes wrong... they might have to move to another desk for a little while, while "the computer guy" "fixes" everything for them. They might even get a slap on the wrist for not following policy... But generally, the "users" have no reason to interrupt their busy day with any security policy that interrupts their busy schedule (of facebook and slashdot browsing). When malware hits, it is inevitably not their fault, but rather the fault of those same "computer guys" who have to go in and fix it.
Ain't reality a bitch?
I have to remember something like 70 passwords as a multiplatform software developer, and some of those hosts have passwords which expire every 30 days, can't repeat for at least a dozen iterations, and must contain at least one numeric, at least one upper-case and one lower-case alpha, and at least one non-alphanumeric symbol.
I understand the reasoning, and if it was only a handful of boxes .. or rarely used boxes ... I would understand, but I'm logging into 25 or 30 of these machines or applications on a daily basis.
I can use a password manager like KeePass, and it's okay, but I can see how some folks would resort to other means, try to use password patterns, etc.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
People reject security advice because everybody knows at least one poor sucker that is tech-savvy and can fix their FUBAR system. That person may do it grudgingly, may b*tch the entire time, but they'll still do it. Not only that, they'll do it for free. Sound familiar?
The recent story from Canada about the group of snowmobile riders who triggered an avalanche that killed a few of them. The risk was obvious. Environment Canada had issued an avalanche risk warning. But the guys went out anyways.
Some people will always not do the right thing. No matter how obvious it may be.
"Maybe this world is another planet's hell"
Aldous Huxley
People giving security advice often have no idea what the threat model is. For example, the typical home user's computer has no chance of being physically attacked. Nobody breaks into people's houses to install hardware keyloggers to steal their online banking passwords. And yet, some banks put up "security measures" like on-screen keyboards you have to type on with a mouse just to avoid keyloggers. Likewise, there's no real security reason to password protect your account on your home computer that nobody but you uses, and no security reason to not use autologin.
Seriously, there is only one kind of threat the home user faces, and that's software attacks, none of which are aimed specifically at him, and all of which are acquired either through his web browser or through infected executables given to him by his friends. If he runs NoScript, disables javascript in email, and gets executables only from reputable sources, there is simply no way he can get infected. If he's on Linux, he's safer than he's ever going to be already.
They aren't kidding when they say that Microsoft Research is autonomous. I would have assumed that Microsoft would at least make its researchers use MS Word.
A simple solution: some enterprising grey-hats just need to put together a sufficiently malicious exploit. Maybe users would pay attention to security if they had to worry that the "M3ga K3wl Cod3c Pakzor" they just downloaded was going to email all their contacts, Facebook friends and LinkedIn contacts a link to nimp.org whilst deleting all their files and emptying their bank accounts.
By the same token, the dick pill spam could be stopped overnight by a small group collecting "orders" and mailing out poison. After a dozen or so deaths, one would presume that *most* people would be concerned about buying drugs from spam.
In both cases, anyone who *still* ignores common sense deserves what they get - thin the herd a little, ya know?
The paper is not entirely unreasonable. However, there are at least some holes in it.
It lumps good and bad security advice together. The economic benefit of following bad security advice (e.g., buying antivirus software) is zero or negative, so of course anybody would be rational to ignore such advice. That doesn't mean it should be lumped together with *good* security advice. They're hypothesizing that people are acting like the idealized economic free agents beloved of economists: people with perfect information, acting rationally. Under this hypothesis, people would have perfect information about which security advice is good and which is bad.
The article doesn't talk about costs to others. People who get their computers owned by a botnet aren't only suffering economic harm themselves, they're inflicting harm on other people. On p. 5 Herley talks about how Wells Fargo limits customers' liability to $50 if they're victims of fraud. That doesn't mean *nobody* pays the cost of the fraud. We all pay those costs, indirectly.
Another problem is that in many cases Herley relies on back-of-the-envelope estimates of the damage caused by security failures. E.g., on p. 2 he estimates the economic costs of a particular exploit. But these estimates aren't based on any actual data. That particular calculation is also kind of stupid, because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?) protecting against a particular exploit. What his analysis ignores is that there may be hundreds of such exploits out there, and that anything you do that protects against one exploit (e.g., not using a dictionary word as your password) will also help to protect you against all the others. And forgive me if I'm a little skeptical of low-ball estimates originating from MS of the economic damage of computer security failures. That's like trusting GM to estimate the economic effects of global warming.
Find free books.
What is the probability my password will be hacked (low/medium/high)
What is the impact if my password is hacked (none/moderate/severe)
If I have a low probability of being compromised, and the outcome is moderate, then that is a low risk. If I have a high chance of being compromised and the impact is severe, that is a high risk.
The problem with these sort of articles is not determining why people don't care about security, it's failing to take into account that a "low" risk rating on this matrix isn't worth the costs associated with protecting a system set up to prevent the "high" risk scenario I described.
We know you work on the basis of economics Tom, so, because of this breach you've caused we'll be docking your pay for the next, ahhhh, 376,042 pay cycles. Thanks, you may go.
Want security? Buy a Mac.
Want s/w that breaks? Buy Windows.
Want to roll your own and get every ounce of power out - use a Linux distro.
At one point I was the acting security officer for Pacific Region. If people can subvert security they will.
Not much has changed in the security sphere for a long time, and difficult security just begs to be subverted.
-- Tigger warning: This post may contain tiggers! --
Am I going to spend a lot of time on a 7 year old's game PC protecting it from being added to the botnet army of darkness on its latest evil crusade for human souls? Frankly, why the hell would I care?
Please do not read this sig. Thank you.
Among crackers, reputation is very important.
These people spend their time and effort and money to crack the protection on an application/game/movie and get it out to the world. They don't do it for profit. They do it to become known as the person/group that did it first or best. They frequently sign their work, and will go to great lengths to maintain their reputation.
A bad release, or one with a virus/trojan will quickly gather notice on torrent forums. It would be a one way ticket to expulsion from any release group. It can take years to become accepted into a major release group, its not something taken lightly.
TFA:
Rule 6 will help only if the attacker waits weeks before exploiting the password. So this amplifies the burden for little gain. Only if it is changed between the time of the compromise and the time of the attempted exploit does Rule 6 help.
IANASE, but last time I checked this rule was meant to make it difficult for attackers to have time to brute-force-guess the password and profit from it. It had nothing to do with the attacker discovering the password then waiting quietly until nobody's looking to profit from it.
In theory, if you change your password often enough before the brute force is complete, the attacker would have to start all over again.
That said, it's an extremely difficult rule to enforce/comply with, unless you have a wonderful "I forgot my password" system.
http://dilbert.com/2010-12-13
It's obvious that most computer security practices are the equivalent of cracking the metaphorical nut with a sledgehammer. My personal pet hate is the password aging practice. It specifically does one of two things. It discourages people from choosing strong passwords because strong passwords are more difficult to create and remember than weak ones. The second is that users may resort to writing passwords down because some expert decided they needed to change their password every 30 days. And often you get the password change prompt right when you are about to go on a long holiday, which guarantees that you will not be able to remember it.
One reason for this is that organisations have to show that they are serious about security, and practices like password aging are easy 'objective' metrics to demonstrate, even if they do not provide a measurable improvement in security.
That $50 liability per customer represents a shared-risk pool, i.e. insurance. In the US, we also have the FDIC insurance. As a bank customer, I welcome that insurance over putting money in a mattress.
TFA:
This would appear to include only the cases where the user is phished (rather than keylogged) or a rogue employee steals the credentials from A. This appears a minor reduction of risk for a 3.9x magnification of password management effort.
Unless the user in question uses facebook. Or rather is a rival of the site he's using.
http://dilbert.com/2010-12-13
Likewise, there's no real security reason to password protect your account on your home computer that nobody but you uses, and no security reason to not use autologin.
Almost, not quite. I maintain a 'guest' profile when I have company so they can use the computer without messing up my profile. I like my configuration the way it is. As well, auto-login really only makes sense on a single-user computer. For any system that is truly multi-user, you want to hit the user selection screen at startup, otherwise you have to wait for logging out/task switching before you can log in. (My wife and I both bounce between computers.)
Lastly, even in Linux having an actual password is important as it's what prevents apps from self installing. Yes there's the negative of getting people used to typing in their password with every damn update, but that's better than allowing things to completely self install.
This, of course, gets back into the economics of the whole thing. What is the real likelihood of someone penetrating the Ubuntu repositories and turning the world's Ubuntu installs into a botnet with a kernel update?
How about this, instead of worrying about automatically getting the latest and greatest updates right away but still needing to enter your password: only grab updates that are older than 'X', but they'll auto-install? There could very well be more value in having the downstream computers ignore any updates that are less than a week or two old. This gives the repository monitors time to discover anything fishy. For a computer to download the update, it would have to look and see the update on the server (i.e. download it but not install), get the md5/sha hash and compare it with the server. Wait a week and do it again. If that specific update hasn't changed, go ahead with the install from what is already downloaded.
If the user is really sure they want the update, they can password prove for it and force the install, but this provides a relatively trustworthy mechanism of verifying and automating updates without harassing the user.
One could expand this to have updates get rated with feedback from the users. Most installs will go fine, but occasionally something gets borked. Users could optionally feedback on updates, so those updating afterwards can set a 'success rate' value to not install updates that have more than 'X' problems reported. This part can be gamed, unless you build trust into the feedback mechanism. Each install auto-generates a gpg certificate. Each 'complaint' gets rated by how many successful (signed) update reports have been submitted by the same key in the past.
Ultimately any security infrastructure depends on trust, and trust is a function of time and abuse.
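The quarantine-then-install scheme the post sketches (download on first sight, record the hash, install only once the same bytes have sat on the server for a week, reset the clock if they change, let the user force it), written out in Python as an added example. This is not code from the thread or from any distribution's package tooling; the in-memory FakeRepo, FakeClock, the one-week value of 'X', and the package names and payloads are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass

QUARANTINE_SECONDS = 7 * 24 * 3600   # the post's 'X': hold updates for one week (assumed)
DAY = 86400


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class PendingUpdate:
    version: str
    payload: bytes
    digest: str        # hash taken when the update was first downloaded
    first_seen: int    # epoch seconds of that first download


class FakeRepo:
    """Constructed in-memory stand-in for a package repository (not a real client)."""
    def __init__(self):
        self.packages = {}

    def publish(self, name, version, payload):
        self.packages[name] = (version, payload)

    def fetch(self, name):
        return self.packages.get(name)


class FakeClock:
    """Controllable time source so the quarantine period can be simulated offline."""
    def __init__(self, start):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class QuarantineUpdater:
    """Download an update as soon as it appears, but install it only after the same
    bytes have sat unchanged in the repository for QUARANTINE_SECONDS, or when the
    user explicitly forces it."""
    def __init__(self, repo, now):
        self.repo = repo
        self.now = now
        self.pending = {}      # name -> PendingUpdate
        self.installed = {}    # name -> installed version string

    def check(self, name, force=False):
        """One poll for `name`; returns a short status string describing what happened."""
        found = self.repo.fetch(name)
        if found is None:
            return "missing"
        version, payload = found
        if self.installed.get(name) == version:
            return "up-to-date"
        digest = sha256_hex(payload)
        now = self.now()
        pend = self.pending.get(name)
        if pend is None or pend.version != version:
            # New (or newer) release: download it, note its hash, start the clock.
            pend = PendingUpdate(version, payload, digest, now)
            self.pending[name] = pend
            if not force:
                return "downloaded"
        elif pend.digest != digest:
            # Same version string, different bytes: the repository changed under us.
            # Discard the old copy and restart the quarantine from scratch.
            self.pending[name] = PendingUpdate(version, payload, digest, now)
            return "reset"
        if force or now - pend.first_seen >= QUARANTINE_SECONDS:
            # Install the copy downloaded earlier; its hash still matches the server.
            self.installed[name] = pend.version
            del self.pending[name]
            return "installed"
        return "waiting"


def demo():
    """Constructed scenario: a release is replaced server-side during quarantine,
    then republished clean; a second package is forced through by the user."""
    repo, clock = FakeRepo(), FakeClock(1_700_000_000)
    up = QuarantineUpdater(repo, clock)
    steps = []
    repo.publish("linux-image", "5.4.0-1", b"kernel build 1")
    steps.append(up.check("linux-image"))            # downloaded, clock starts
    clock.advance(3 * DAY)
    steps.append(up.check("linux-image"))            # waiting (3 days < 7)
    repo.publish("linux-image", "5.4.0-1", b"kernel build 1 with extra payload")
    steps.append(up.check("linux-image"))            # reset: bytes changed under same version
    clock.advance(2 * DAY)
    repo.publish("linux-image", "5.4.0-2", b"kernel build 2")
    steps.append(up.check("linux-image"))            # downloaded: clean rebuild, new clock
    clock.advance(6 * DAY)
    steps.append(up.check("linux-image"))            # waiting (6 days < 7)
    clock.advance(1 * DAY)
    steps.append(up.check("linux-image"))            # installed after a full week unchanged
    steps.append(up.check("linux-image"))            # up-to-date
    repo.publish("firefox", "84.0", b"browser build")
    steps.append(up.check("firefox", force=True))    # installed immediately by user choice
    return steps, dict(up.installed)
```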
Hey, technogeek, "most people" are the people you're supposed to work with. You guys get all bent when Apple is 'draconian', and yet you come to conclusions about average users. It's not that at all. It doesn't matter what OS you're talking about. When is the last time you tried to update your security? OK, go have someone at least 60 years old do it for you, and all you can do is talk without seeing the screen. See how long THAT takes. The more difficult security is to deal with, the less often it is used, and that's not just computers. That's EVERYTHING security. I would make the case that it is more important to get the security updating as seamless and silent as possible.
What is rational about all the hurdles you have to jump through now?
What is up with /. headlines? Lately you see lots like this one. It looks like someone had thrown a dictionary into a blender...
noun gerund noun noun gerund adjective - WTF!?
Is sentence structure really that hard? How about ?
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Technically savvy people are missing the point. The average user doesn't understand how to install, understand messages, etc. of all the security issues out there (myself included). The average Joe is fearful of his security, but cannot negotiate the maze of security issues. They go to retailers for answers, and get soaked for software solutions, much of which isn't any better than the free solutions, etc. They are not "stupid/lazy or penny pinchers". Some (probably most) are smarter than the geeks on the web, but just in other areas. Or were born before transistors existed, and Bakelite was the major synthetic insulator in electronics.
Unless you count the "GPL is the General Public Virus" misconception, then these torrents should be well known as virus-free.
I have a simpler conclusion... Most users are idiots!
You're only half right. It turns out that most users are *selfish* idiots.
I used to feel a little bad about hating users. I was afraid it might be arrogant to despise the people who, ultimately, justify my salary. But now I see they deserve whatever they get.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I just can't feel the 'Net if I'm using protection.
Have gnu, will travel.
Human beings are NOT 'rational animals'
Any theory that depends on humans being rational agents is inevitably flawed.
In the free world the media isn't government run; the government is media run.
I used to hate expiring passwords on the financial data systems where I used to work. Then one day the Comptroller was locked out of his own account because he had tried his old password too many times. But it turned out the Comptroller was on vacation and hadn't even tried to log in.
It turned out that an inside person had put a physical keylogger (USB pass-through device between computer and keyboard, ordered straight from China) on the Comptroller's computer one night and collected it a week later, and then subtly tampered with her own salary. She had also stolen the e-mail passwords of any employee who would have been alerted about the change, and instantly deleted the e-mail notifications as soon as she modified the system. She was sophisticated enough to alter other logs and alerts as well.
We might have locked down our internal systems better to begin with, but I have to say that she might have gotten away with it if it hadn't been for those darn password changes.
You try and try to teach your child about how knives can cut them. Keep them pointed away from you, cut carefully, blah blah blah. But until it actually cuts them, they won't know for sure the threat. if anything, they will hear your annoying voice and that's the only reason they won't act foolishly.
If you really want the general population to react, get them to feel the pain. Perhaps simulate a security breach for each individual?
Alternatively, lecture them until they hear your annoying voice in their head 24 x 7.
I hate being bipolar; it's awesome!
I have to say, the linked article is the best article on security that I have ever read; and, for that matter, just about the first one that ever considers the radical concept that the user's time is of value.
"Third, the claimed benefits are not based on evidence: we have a real scarcity of data on the frequency and severity of attacks."
This is a very good point. What fraction of attacks are frustrated by making users change their passwords from one which is chosen from a set of 1E12 possible passwords, to one which is one of 1E20 possible passwords? How much safer do they get if you then say they have to have a symbol as well?
When they make me jump through hoops, I'd like to know what exactly I'm gaining.
http://www.geoffreylandis.com
For some family members where I have suggested very basic security steps like disabling automatic logins, turning automatic updates on for everything (not just Windows), and a few other usual steps, they have asked "what for? The hackers are gonna get in anyway!"
It has become so ingrained in them that hackers are everywhere and that they are so talented that it is futile to resist. Quite honestly, I can't understand this mentality, but it does exist.
I used to work in a restaurant. The manager always wondered why his employees wasted so much food and used equipment roughly. At 16, I went through a prodigious amount of glassware. Why weren't we careful? Because it was a pain. It took time. The manager wanted us to get things done as fast as possible. Many of us didn't like the company and felt a little better if something broke. Occasionally something big would break, or we'd run out of an ingredient early, and that was ok too--we then had less work to do.
There's not a lot of incentive for someone to take the trouble to change their password each month and to use difficult characters and when such a thing becomes mandatory, they'll write it on a post-it not and stick it to their monitor. When the boss yells at people with post-its on their monitor, the employee will email the password and account name to themselves.
People do good work when they love their work. If you fire all your workers who don't love their work, you won't have many workers. There's always going to be a gradient.
Slashdot, where anything outside of computing is "new" or "novel" or "creative".
The conclusion (that rejecting computer security advice is rational) is not unusual from the POV of economics.
Imagine a mainstream paper shouting "Computers can print on both A4 and US Legal paper".
The article doesn't talk about costs to others.
Indeed, Herley's paper would probably be better titled "So long, and thanks for the externalities" -- for most end users (read: end users not in the IT dept), security countermeasures are not taken precisely because the majority of the cost is externalized, either to the business they work for, to the bank that will reimburse them for lost $$$, or to the world in general in the form of yet another botnet node. The $120 they pay geek squad to clean their computer every now and again is a small portion of the overall cost of their lack of security. Because they don't feel the full blow, they are less likely to modify their behavior. And that is the essence of what an externality is, AFAIK.
Ultimately, I think the biggest problem with Herley's paper is the same problem a lot of economists have with "free agents" -- they make an argument that observed behavior is rational, and then assume that the actors are therefore behaving rationally. In actuality, it's merely coincidence that the observed behavior is rational and there is therefore no reason to suspect that, in the future, choices will continue to be rational.
This is most true for end users (businesses = econ/business people = trained to make decisions as economists... so big surprise they follow "rational models"). This is because even if observed behavior is consistent with rational choices, the choice is not made because it's rational. People get their information on computer security from hearsay and anti-virus advertisements, and often make emotional choices ("ZOMG EVIL HACKERZ, MEH IDENTITY!!!") that provide the path of least resistance ("look, Norton seems to claim it's a golden bullet, and I don't have to learn hard new stuff.")
I have always maintained that the best security system is to have nothing to protect. Sure, if you are talking business systems or government this method is simply not an option, but on a personal computer it certainly is. My best example is my old car that I always left the doors unlocked on so no one would break a window to find out there was nothing worth stealing. I also removed the ignition so it could be started without a key. The only security I had was a kill switch hidden under the dash which killed the electrics. I even once profited when a potential thief left one of his tools in my car by mistake.
This principle is one of the ones that makes personal Linux so secure; there is virtually no profit or satisfaction to be had designing viruses and trojans for Linux when the same effort could compromise hundreds of Windows PCs.
If you have nothing to steal you don't need locks and people that try to sell you locks never seem to understand this.
Of course it's an economic assessment. And, you are dealing with people that think the lottery is the best-shot investment strategy for retirement. Bad stuff only happens to bad people and I am a good person. So, what's the point of this again?
Any sufficiently advanced influence is indistinguishable from control.
In one of the sections of this article, the author uses, as an example, how complex URL 'interpretation' can be for average users, going over all sorts of ways phishers can attack bank/ebay/paypal/amazon URL's.
I figured this out a long time ago. I'm very much a K.I.S.S. (Keep It Simple, Stupid.) advocate with regards to this particular problem. The advice I would give any 'average user' who came to me is simple: never click links, or call phone numbers, or use any other communications mechanism provided in emails purporting to come from a business entity. If it claims to come from your bank, you should probably call your bank's customer service phone number (from your bank statement or ATM card, or if you know your bank's URL, open your browser and type it in yourself, or use a bookmark you have already previously saved in your browser from a previous visit to the bank's website) to verify if there is a problem with your account. Just take the email completely out of the equation.
That way, they don't have to judge if the email and link are legitimate or not - just don't use the email.
Links that are just to a page of photos, or a map, or something like that, are ok to click, generally, but if any link you follow from an email asks you for personal info or a login, or asks you to download something to the computer, just close the browser, step back, and do the above (e.g. calling the bank/business, or opening a new browser window and going to the proper website manually or by bookmark).
With that advice, I have to teach them exactly nothing about how to understand URLs. It's also fairly common-sense advice that most people can easily understand - it's very unlikely that the phone number on your bank statements and cards are not 'authentic'. Most bank statements probably include the URL of the bank's website, too, these days - mine definitely do.
By not following links in emails, you can avoid probably 99% of phishing attacks - no matter how cleverly they manage to disguise the links in the email.
On the phishing front, it's useful to stop blaming the end user, and blame the site that hosted the phishing page.
For some time, I've encouraged taking a harder line on phishing-friendly sites, sites that host phishing pages. I had a paper on this at the 2008 MIT Spam Conference. At SiteTruth, we take the position that one phishing page blacklists the whole second-level domain. Here's the current list of major domains being exploited by active phishing scams.
The free hosting sites and the "short URL" sites show up on the blacklist regularly. After much nagging and some press coverage, most of them are now very aggressive about kicking off phishing pages, and they don't stay on for long. The better ones now read PhishTank and the APWG blacklist automatically and kick off anything that shows up. Currently, Google is in the doghouse, because they've recently entered the "free hosting business" without adequate phishing defenses. See this abuse of Google Spreadsheets.
At the moment, "t35.com", a free hosting service, is the site most abused in this way, by a large margin. I've contacted their people. The problem is that they're being attacked by a program, and they're cleaning up by hand. Right now, they're hosting 545 known phishing pages. Nobody else is even in double digits. "piczo.com" (a social network/free hosting service for teenage girls) was the last big victim, but they're gradually getting the problem under control.
A Draconian blacklisting policy may seem harsh, but it encourages site operators of easily-exploited sites to be very aggressive about dealing with the problem. We're seeing more free hosting sites with a "click here if this is abuse" button on every page. The number of people who have to be educated to deal with the problem in this way is in the hundreds, not the hundreds of millions. So it's a solvable problem.
If you're going to blame the victim, this is the way to go at it.
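The "one phishing page blacklists the whole second-level domain" policy from the comment above, written out as an added Python example (not SiteTruth's own code); the suffix table is a stand-in for the Public Suffix List and the feed entries are constructed placeholders, not real PhishTank data:

```python
"""Second-level-domain blacklisting: one confirmed phishing page puts the
whole registrable domain on the list, and per-domain counts show which
free-hosting or short-URL services are being abused most."""
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List. A real deployment
# would load the full list so that e.g. "example.co.uk" is handled correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the second-level (registrable) domain of a URL, or None."""
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None  # a bare hostname has nothing to blacklist
    if all(label.isdigit() for label in labels):
        return None  # IP literals carry no registrable domain; handle elsewhere
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def build_blacklist(phish_urls) -> Counter:
    """Map every abused registrable domain to its number of phishing pages.

    Any domain that appears here at all is blacklisted; the count is what lets
    an operator rank the worst offenders (the "545 pages on one host" case).
    """
    counts: Counter = Counter()
    for url in phish_urls:
        dom = registrable_domain(url)
        if dom:
            counts[dom] += 1
    return counts


def is_blacklisted(url: str, blacklist: Counter) -> bool:
    """True when the URL's registrable domain hosts any known phishing page."""
    dom = registrable_domain(url)
    return dom is not None and dom in blacklist


# Constructed sample feed (placeholder domains, not real indicators).
SAMPLE_FEED = [
    "http://login-update.free-host.example/bank/index.html",
    "http://secure.free-host.example/paypa1/",
    "https://another.free-host.example/verify",
    "http://shorturl.example/abc123",
    "http://shop.example.co.uk/account/",
    "http://192.0.2.10/phish.html",
]

if __name__ == "__main__":
    bl = build_blacklist(SAMPLE_FEED)
    for dom, n in bl.most_common():
        print(f"{dom}: {n} phishing page(s)")
    # An unrelated page on the same free host is blocked by the policy.
    print(is_blacklisted("http://innocent.free-host.example/photos", bl))
```

The deliberate side effect of the policy is visible in the last line: a subdomain that has nothing to do with the phishing page is still blocked, which is what pressures the hosting operator to clean up fast.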
It isn't just ONE thing, or even mostly one. It's varying permutations of varying degrees of all of the above, depending on the user, OS, risk(s), and solutions available.
--- Asking inconvenient questions for over 30 years...
Super locked-down systems just lead to high tech-work time and people bypassing the system just to get work done without having to sit on hold / wait for paperwork to get their job done.
And if your help desk spends all day just unlocking and re-locking stuff for users, you may be a little too locked down.
Users Rejecting Security Advice Considered to be Rational
Simple and clear.
My fully updated copy of Windows XP Pro x32 SP3:
C:\Windows = 5.25GB, 17,179 files, 1,716 folders
TROLLS!
Interesting effort. However I don't see any user model behind it - and in fact economics are a good way to get rid of human models since the process of using average economic behaviour actually marginalises all the unknown parameters that normally should be taken into account for each individual.
Users' perception of risk, to which the paper devotes only a small paragraph, is to me of paramount importance. For example, personally, I will decide to take more security measures only under either of the two conditions:
1. If I already have had a security incident in the past (or if a friend/family member/colleague of mine had one).
2. If the risk of a particular attack, as perceived by me, is considered "high".
Both these are purely experiential factors. Advice from webpages of magazines or my firm's list of security measures are irrelevant to me because I consider their probability of occurring low. But when an accident happens near me, it will raise my perceived probability of the specific threat, and force me to take precautions.
Therefore, the above two factors increase the (subjective) probability of attacks and thus then and only then become motives for me to educate myself (or convince my friends/family/colleagues that they should listen to me).
In conclusion, in my humble opinion, users' conceptions of PROBABILITY are the primary factor that should be researched and taken into account when trying to approach security-related user behaviour.
Anybody familiar with the pioneering (and Nobel prize-worthy) 30-year-old work of Tversky & Kahneman will find an abundance of well-established research results that will enable them and guide them to conduct research and publish at least 20 papers on users' (mis)perception of IT security and formulate highly predictive user models based on users' fallacies regarding the evaluation of probability.
I am giving away this tip for free, since IT security is not my field. I just kindly ask future authors to acknowledge the source of the idea.
What computer enthusiasts like to call "an end-user being lazy, stupid, and ignorant" is simply an end-user refusing to sink a lot of time into non-revenue activity that isn't even guaranteed to protect them. There really is no call to regard users as stupid because they're not interested in knowing a lot about their computer and only want to use it as a tool to do their (office) work and to surf or to connect to social networks.
For example the note that strong passwords don't help if someone is able to install a trojan (let alone a keylogger) on your machine (or network) is spot on. In order to rationally evaluate the benefit of having strong passwords a user would need to know the probabilities of his account or machine being attacked, and conditional on that, of the strength and sophistication of his attacker. Conditional on the sophistication of the attacker you get a different set of probabilities of his password being brute-forced or dictionary-guessed, or his machine being hijacked through vulnerabilities (whether zero-day, or simply unpatched).
In addition the recommendations for password length, composition, non-dictionary and non-sharing are one thing. However, together with this the recommendations to change it often, not to write it down, and not to re-use it across sites are very burdensome to users. And frankly unrealistic. Such rules are perceived more as a cheap cop-out on the part of IT experts than helpful advice.
Being interested in, knowledgeable of, and spending time understanding and monitoring the workings of, your computer is a discretionary choice, not a compulsory one. Which is why e.g. Microsoft Windows still holds such overwhelming market share: they address the need for a computer in the role of a simple utility.
That piece about certificate errors and how to spot fake URLs is also spot on.
I'm afraid that the article hits the nail on the head: only computer enthusiasts, computer burglars, and IT professionals can rationally be expected to expend that much time and effort on being knowledgeable about and avoiding security pitfalls. Ordinary users really do make a rational decision in rejecting elaborate security measures, and asking for a simple and easy-to-follow set of rules in order to stay safe.
Unfortunately computer burglars adapt too. So any set of fixed rules will be met by an attack that's optimized to defeat it. Adherence to security rules may make life much harder for an attacker, and may even thwart 99% of all existing "dumbo attacks". However it takes only 1 attacker with a higher level of sophistication (or simply a bought zero-day exploit) to target you or your machine and you've lost anyway. In this light it's pretty reasonable to take a critical view of security advice and to reject it if it becomes too much of a hassle.
Something like that may be difficult to swallow for the average Slashdot reader though.
Try getting MOTU or Firewire RME stuff to work in Linux/BSD...
You *won't ever be able to*.
I was told by RME that they wouldn't EVER release OSS-compatible drivers for their firewire stuff, because it'd give their competition advantage in reverse-engineering their stuff.
ALL E-MU cards? Never available for us.
You want 2 channels of *balanced* I/O, the 1010LT is fine.
You want multi-channel, GOOD multi-channel, your only choice becomes the RME Hammerfall DSP series, through PCI/PCIe/ExpressCard, and that is stupidly expensive, for most. ... or, just wipe Linux off your system, install MS-Windows, and BE ALLOWED to use all the different HW choices...
Most of the HW "choice" is deliberately blocked from us by the makers/vendors, either due to FUD or to "religion" or something.
( if RME believes that their determined competitors are going to be stopped from reverse-engineering their FPGAs by simply not releasing a Linux-compatible driver, they're delusional -- disassembly of their Win/Mac drivers is entirely possible, in free countries... )
Anyways, MOST good A/V stuff is deliberately broken for us, in order to enforce a homogeneous market.
( that's the real reason, it seems -shrug- )
And with copyright-infringement being felonized in ACTA, Linux users *accessing* AVCHD source material we shot, or mp3 files we paid for for our soundtracks, are more likely to be convicted of crimes, for participating in our culture!
( Once copyright infringement becomes felonized, then patent infringement would be next on the agenda. Then trademark infringement. )
Ain't Life ( the way the gangs make it ) Grand?
This is no surprise at all. If there weren't a cost benefit to pushing the responsibility for malware onto the user, platform vendors wouldn't do it. Microsoft wouldn't do it.
That is why iPhone users see it as an advantage that Apple audits the native apps to keep the platform 100% malware-free. It's anti-virus that requires nothing from the user. This is what 90% of users EXPECT TO GET FOR FREE. They do not expect to have to be an I-T person at all and platform vendors should not expect it either. They expect their system to do only the things they ask it to do, they expect apps not to be doing sneaky stuff behind their back. When you think about it, that's what they ought to expect.
When somebody with an iPhone tells me they like the App Store, they are installing hundreds of apps, I always ask them, "are you concerned about malware?" and the most common answer by far is "what's malware?" and occasionally somebody says "no, I know Apple is auditing the apps." So competing vendors who want to sell to iPhone users are going to have to provide 100% malware-free platforms. The users are already spoiled for anything else. Android has a much smaller user base yet there has already been an incident of malware being downloaded from Android Market, and an incident where a consumer was sold a phone that had multiple malwares running on it. That has to be fixed. It's irresponsible to sell a malware-capable phone to an iPhone user. That responsibility has moved back onto the platform vendor and it's not going back to the users. There are 4 billion plus mobiles that are about to get smart and the users do not want to take computer science courses or play junior I-T man. But the benefit to vendors and developers is that once users can trust the apps, they buy and use many, many times more of them. If you ask people to tell you how many apps they installed on their iPhone and on their Mac/PC, the iPhone always wins. Mac/PC software developers should be so lucky as to sell apps like iPhone developers sell apps.
Consider if Windows XP had only been able to run audited apps from the start, we would have no botnets right now, we wouldn't have situations where consumers are having their bank accounts emptied by malware on their PC's. Don't you think that if iPhone can go 3 years with no malware, always-on, always-connected, that a full Windows PC should be able to do the same? A Windows PC can't go 3 months.
So the tech community is going to have to take more responsibility. The computer scientists and I-T people all already have PC's. If you want to sell more on top of that, you have to take more responsibility. If you want to put computers into 20 devices all around the typical human, you are going to have to make them much less fragile and exploitable than Windows and Android.
tempers flare The threat of Open Source indeed.
This is going to piss everyone off but seriously...
Other than the hassle of an infected/compromised PC and possible identity theft, what do most people have to fear if their PC is compromised? The worst case for most people would be identity theft, and most of those cases would simply result in bogus credit card charges which, in general, get refunded by the credit card agency. Clean your PC, cancel your card(s), & change your passwords and get on with your life. Many worse things can happen.
I'm sure you can all come up with more serious doomsday scenarios and there will always be serious exceptions but give me just one that has the likelihood & consequences to make an average user really care.
I would even say the average business has little to fear as well. Certainly their employees do.
Let's see, what kind of tools does the general public have at their disposal. Oh, wait, I know! How about *drumroll* Google?
Not everybody has the disposable income for a smartphone with which to search Google for compatibility information while inside Best Buy.
Unless googling "$hardware linux drivers" is considered rocket science these days.
Access to Google inside a shop isn't rocket science as much as a luxury. People are more likely to have Internet access at home than on the go. Not everybody is willing to pay $600 a year to upgrade from a $10 per month prepaid plan with a "feature phone" to a $60 per month contract plan.
and folks that do think it is typically don't buy a separate soundcard to do their own upgrading.
I'm not talking about sound cards as much as printers and flatbed scanners. If you don't have a printer, you can't print a list of compatible printers to take into Best Buy.
I have an Echo Audio MIA that works well in Ubuntu using just the Medibuntu repo, balanced as well as digital I/O. I haven't checked if the higher end cards and boxes work, though.
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
Some feel that regardless of what happens, users will only do the minimum required.
It is a known fact that all life that survives is that which used the most efficient way. Even on other planets. And in fact in the whole universe. Because the laws of physics demand it.
And if you look at it, it does not look as if it would hurt them enough for it to be worth to do something about it. Even with a botnet client on their system.
Believe me, when they hear that their neighbor went to jail for hosting child porn because of a trojan running on his system, they WILL try to prevent it. Or just die out. (Unless protected by false but politically correct "being social" saving those failures.)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Is it just me or does this article simply sound like common sense? Users only follow procedures that benefit them. Theoretical attacks are theoretical while security policies are real and immediate. How is this news?
"prevention is more expensive than repair/recovery/treatment"
I don't think you can proclaim that as universally true. Especially if you start talking about medicine/social services. And I'm pretty sure there are many computer related situations where that statement would not be true. For instance, military computer networks.
From http://swpc.ou.edu/doucments/publications/ResearchSummary10.04.pdf :
"Primary Findings: Return on investment of prevention programs range from $2-$20. That is for every dollar spent on prevention programs, from $2 to $20 is returned in benefits. Benefits are estimates of savings over a period of time resulting from reduced demand for health and social services."
"Average Joe User is cheap and lazy, that's a given" - by Ethanol-fueled (1125189) * on Tuesday March 16, @04:33PM (#31501726) Homepage
Not every "avg. 'Joe User'" is that way - you're "over-generalizing" on your part man! I've got proofs of guys JUST LIKE THE OPPOSITE OF WHAT YOU STATE TOO man, keep reading, IF you are interested...
----
"What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.; if not bothering or paying somebody else to do it. I'd been toying around with Linux and Unix for years for business and personal use, but I finally switched for good when I realized that I was wasting more time with Windows than I would with a *NIX O.S." - by Ethanol-fueled (1125189) * on Tuesday March 16, @04:33PM (#31501726) Homepage
Well, because of that, & especially vs. that which I quote from you above, initially in my reply here? There are also MANY "avg. 'Joe User'" types who, conversely & in response to what you stated of them above (again, what I quoted from you above 1st/initially in this very reply of mine to you): They start reading & learning HOW it's done to secure a Windows system properly (as well as habits/behaviors online to avoid for "smarter/safer" websurfing too)... & know what?
Hey - They also do well @ it!
Proofs? Ok - First, the security guide they used (I wrote it, & have been writing it/building upon it, since late 1997 in fact (for Windows NT-based OS users)):
----
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA/Windows 7 (+ make it "fun-to-do" via CIS Tool Guidance & beyond):
http://www.tcmagazine.com/forums/index.php?s=568d95985ad83ef4add94de09f6026d3&showtopic=2662
----
It works, & is based on the concept you lay out via your quoted words above - what computer security folks the past few years have been calling "LAYERED SECURITY"...
Proofs to its efficacy? Ok, some quoted testimonials:
----
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the k
If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.
Good, that's what I want. A strong password, written on a card that the user keeps in their wallet or pocketbook along with their other valuables.
Since the standard demands that the password be used to exit the screensaver, and the screensaver must activate within fifteen minutes of disuse, keeping passwords written down in the wallet wastes too much time. Expect passwords to be on a post-it note stuck to the screen, or written in pencil on the keyboard.
...People aren't afraid of strong passwords, they're afraid of having to memorize and recall strong passwords.
Users aren't "afraid" of anything of the sort. They are, however, massively pissed off by "security" measures that have no rational claim to thwart attacks in the real world, but which waste hours of user time as if user time had no value whatsoever. Guess what: changing my password from an eight character alphabetic password to twelve characters mixing upper, lower, numbers, and symbols is not going to thwart even one phishing attack ever.
The referenced article suggested that system admins should treat user time as if it's worth 2.6 billion dollars an hour. (200 million users, times $13/hour). Current system administrators treat it as if it is free.
http://www.geoffreylandis.com