Users Rejecting Security Advice Considered Rational
WeeBit writes "Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working. [Microsoft Research's Cormac] Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process." Here is Dr. Herley's paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).
What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.; if not bothering or paying somebody else to do it. I'd been toying around with Linux and Unix for years for business and personal use, but I finally switched for good when I realized that I was wasting more time with Windows than I would with a *NIX O.S.
Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer.
Would Linux be more safe if it had greater than or equal to the market share of Windows? Is any home O.S. really safe as long as the user keeps clicking "yes" or "ok"? That's a whole other debate. The fact is that Linux, now, is much less of a hassle than Windows.
I have a simpler conclusion... Most users are idiots!
Even simpler: most people are idiots.
http://michaelsmith.id.au
Why do Employees like Microsoft Windows?
Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them.
Why do Managers like Windows?
Windows allowed them to have the latest and greatest in computer hardware, largest hard drive, most memory, fastest CPU, and other new hardware. With all this no Employee could remote login to their system and slow down the Screen Saver. Because the Manager wanted to find out if the Cast-away escaped from the island.
I agree with this assessment. I work at an IT company that supports many different companies and users of different sizes. We are a small operation (10 techs).
Most security recommendations are rejected due to the cost of implementation when dealing with corporate customers. Smaller businesses and individual users will reject them due to the lack of perceived risk.
Simple example is when a salon did not want to spend the 30 minutes in labor to secure their wireless network because guests use it. We said no problem and offered to set up a guest network and secure their internal wireless network. No problems with their Cisco SA. They still did not want to do it. Their reasoning was not the $50 one-time cost but, "Who would want to go to the trouble of accessing our data? We have nothing sensitive."
They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.
That's just one example. Lots of these "dumb endusers" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.
prevention is more expensive than repair/recovery/treatment
How? Any prevention effort requires some kind of cost, very often a continual and on-going cost.
Whereas the cost of recovery is only necessary once the negative effect occurs. And since it only happens to other people, that means that the cost of not preventing is 0. Clear win.
Which explains a lot of epidemiology (low vaccination rates, high-risk behaviors spreading unstoppable diseases, etc.); economics (victims of fraud, high-risk investors, etc.); software development practices ("Release NOW" rather than quality).
Unless you can prove that the bad thing WILL happen without prevention, people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.
Or, as others in this thread have put it, people are idiots.
Welcome to the Panopticon. Used to be a prison, now it's your home.
I can still remember the Computer Security professor telling the class on the very first day that computer security is a matter of economics. How much does it cost to implement? How much do you stand to lose if your security is broken and your "stuff" stolen? At some point, you reach a point of diminishing returns and it is wasteful to spend more on security.
And in this context, time, effort, and inconvenience all have a significant cost that must be counted.
The average idiot computer user is not always as dumb as you think they are.
As I said before, most users don't care because there are usually no consequences to ignoring security directives.
Most users figure that security is the corporation's problem. They just figure that whatever they do will be protected "by the firewall" and they go on with life. It's not their problem if things go wrong.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
How about this one... At least in businesses...
Users in a business generally have very little if any incentive to follow any security policy that does not happen automatically, without any intervention on their part.
It is not their data, not their computer, and generally not their problem. If something goes wrong... they might have to move to another desk for a little while, while "the computer guy" "fixes" everything for them. They might even get a slap on the wrist for not following policy... But generally, the "users" have no reason to interrupt their busy day with any security policy that interrupts their busy schedule (of facebook and slashdot browsing). When malware hits, it is inevitably not their fault, but rather the fault of those same "computer guys" who have to go in and fix it.
Ain't reality a bitch?
I have to remember something like 70 passwords as a multiplatform software developer, and some of those hosts have passwords which expire every 30 days, can't repeat for at least a dozen iterations, and must contain at least one numeric, at least one upper-case and one lower-case alpha, and at least one non-alphanumeric symbol.
I understand the reasoning, and if it was only a handful of boxes .. or rarely used boxes ... I would understand, but I'm logging into 25 or 30 of these machines or applications on a daily basis.
I can use a password manager like Keepass, and it's okay, but I can see how some folks would resort to other means, try to use password patterns, etc.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
People giving security advice often have no idea what the threat model is. For example, the typical home user's computer has no chance of being physically attacked. Nobody breaks into people's houses to install hardware keyloggers to steal their online banking passwords. And yet, some banks put up "security measures" like on-screen keyboards you have to type on with a mouse just to avoid keyloggers. Likewise, there's no real security reason to password protect your account on your home computer that nobody but you uses, and no security reason to not use autologin.
Seriously, there is only one kind of threat the home user faces, and that's software attacks, none of which are aimed specifically at him, and all of which are acquired either through his web browser or through infected executables given to him by his friends. If he runs NoScript, disables javascript in email, and gets executables only from reputable sources, there is simply no way he can get infected. If he's on Linux, he's safer than he's ever going to be already.
I conclude that most idiots are people.
They aren't kidding when they say that Microsoft Research is autonomous. I would have assumed that Microsoft would at least make its researchers use MS Word.
Even simpler: most people are idiots.
Yeah, that's a *simple* conclusion, that is.
You know, every single person I have ever heard say "most people are idiots" has never been all that high a wattage bulb themselves. Maybe they were book smart in one or two areas, but get outside their intellectual comfort zone, and forget it. This seems especially true of computer geeks.
The paper is not entirely unreasonable. However, there are at least some holes in it.
It lumps good and bad security advice together. The economic benefit of following bad security advice (e.g., buying antivirus software) is zero or negative, so of course anybody would be rational to ignore such advice. That doesn't mean it should be lumped together with *good* security advice. They're hypothesizing that people are acting like the idealized economic free agents beloved of economists: people with perfect information, acting rationally. Under this hypothesis, people would have perfect information about which security advice is good and which is bad.
The article doesn't talk about costs to others. People who get their computers owned by a botnet aren't only suffering economic harm themselves, they're inflicting harm on other people. On p. 5 Herley talks about how Wells Fargo limits customers' liability to $50 if they're victims of fraud. That doesn't mean *nobody* pays the cost of the fraud. We all pay those costs, indirectly.
Another problem is that in many cases Herley relies on back-of-the-envelope estimates of the damage caused by security failures. E.g., on p. 2 he estimates the economic costs of a particular exploit. But these estimates aren't based on any actual data. That particular calculation is also kind of stupid, because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?) protecting against a particular exploit. What his analysis ignores is that there may be hundreds of such exploits out there, and that anything you do that protects against one exploit (e.g., not using a dictionary word as your password) will also help to protect you against all the others. And forgive me if I'm a little skeptical of low-ball estimates originating from MS of the economic damage of computer security failures. That's like trusting GM to estimate the economic effects of global warming.
Find free books.
TFA:
Rule 6 will help only if the attacker waits weeks before exploiting the password. So this amplifies the burden for little gain. Only if it is changed between the time of the compromise and the time of the attempted exploit does Rule 6 help.
IANASE, but last time I checked, this rule was meant to make it difficult for attackers to have time to brute-force-guess the password and profit from it. It had nothing to do with the attacker discovering the password then waiting quietly until nobody's looking to profit from it.
In theory, if you change your password often enough before the brute force is complete, the attacker would have to start all over again.
That said, it's an extremely difficult rule to enforce/comply with, unless you have a wonderful "I forgot my password" system.
http://dilbert.com/2010-12-13
It's obvious that most computer security practices are the equivalent of cracking the metaphorical nut with a sledgehammer. My personal pet hate is the password aging practice. It specifically does one of two things. It discourages people from choosing strong passwords because strong passwords are more difficult to create and remember than weak ones. The second is that users may resort to writing passwords down because some expert decided they needed to change their password every 30 days. And often you get the password change prompt right when you are about to go on a long holiday, which guarantees that you will not be able to remember it.
One reason for this is that organisations have to show that they are serious about security, and practices like password aging are easy 'objective' metrics to demonstrate, even if they do not provide a measurable improvement in security.
A Mac is basically BSD.
I stand by my original post.
-- Tigger warning: This post may contain tiggers! --
noun gerund noun noun gerund adjective - WTF!? Is sentence structure really that hard? How about ? What is up with /. headlines? Lately you see lots like this one. It looks like someone had thrown a dictionary into a blender...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Technically savvy people are missing the point. The average user doesn't understand how to install, understand messages, etc. of all the security issues out there (myself included). The average Joe is fearful of his security, but cannot negotiate the maze of security issues. They go to retailers for answers, and get soaked for software solutions, much of which isn't any better than the free solutions, etc. They are not "stupid/lazy/or penny pinchers". Some (probably most) are smarter than the geeks on the web, but just in other areas. Or were born before transistors existed, and Bakelite was the major synthetic insulator in electronics.
I think it's a credible threat. I've had my password compromised (as part of a larger compromise) 4-5 times in my life that I know of. Realistically, it's probably happened more than that. Re-using passwords would have meant that I'd want to change my password at umpteen sites (many of which I probably wouldn't remember.)
I have a simpler conclusion... Most users are idiots!
You're only half right. It turns out that most users are *selfish* idiots.
I used to feel a little bad about hating users. I was afraid it might be arrogant to despise the people who, ultimately, justify my salary. But now I see they deserve whatever they get.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I just can't feel the 'Net if I'm using protection.
Have gnu, will travel.
I used to hate expiring passwords on the financial data systems where I used to work. Then one day the Comptroller was locked out of his own account because he had tried his old password too many times. But it turned out the Comptroller was on vacation and hadn't even tried to log in.
It turned out that an inside person had put a physical keylogger (USB pass-through device between computer and keyboard, ordered straight from China) on the Comptroller's computer one night and collected it a week later, and then subtly tampered with her own salary. She had also stolen the e-mail passwords of any employee who would have been alerted about the change, and instantly deleted the e-mail notifications as soon as she modified the system. She was sophisticated enough to alter other logs and alerts as well.
We might have locked down our internal systems better to begin with, but I have to say that she might have gotten away with it if it hadn't been for those darn password changes.
I have to say, the linked article is the best article on security that I have ever read; and, for that matter, just about the first one that ever considers the radical concept that the user's time is of value.
"Third, the claimed benefits are not based on evidence: we have a real scarcity of data on the frequency and severity of attacks."
This is a very good point. What fraction of attacks are frustrated by making users change their passwords from one which is chosen from a set of 1E12 possible passwords, to one which is one of 1E20 possible passwords? How much safer do they get if you then say they have to have a symbol as well?
When they make me jump through hoops, I'd like to know what exactly I'm gaining.
http://www.geoffreylandis.com
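Two questions in this thread can be put in numbers with a small model: whether a 30-day password change buys anything against guessing (the Rule 6 quote and the brute-force reply above), and what fraction of attacks a move from 1E12 to 1E20 possible passwords actually frustrates. The Python below is an added example written for this page; it is not from the thread or from Herley's paper, and the guess rates (10/s for throttled online guessing, 1e9/s for offline cracking of a leaked hash) and the 30-day interval are constructed assumptions, not measurements.

```python
"""
Added example, not from the thread or from Herley's paper: a small model of
what a periodic password change buys against an attacker who guesses
passwords at a fixed rate, and how the size of the password space compares.
Every rate and interval here is a constructed assumption, not a measurement.
"""
import math

SECONDS_PER_DAY = 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` symbols from `alphabet_size` choices."""
    return alphabet_size ** length


def rotation_helps(compromise_day: float, use_day: float, rotation_days: int) -> bool:
    """The paper's point: a scheduled change only helps if one falls after the
    password was learned and before it is used. Changes happen at day
    rotation_days, 2*rotation_days, and so on."""
    if use_day < compromise_day:
        raise ValueError("password cannot be used before it is compromised")
    return math.floor(use_day / rotation_days) > math.floor(compromise_day / rotation_days)


def fraction_found_before_rotation(space: int, guess_rate: float, rotation_days: int) -> float:
    """Share of uniformly random passwords an attacker guessing guess_rate per
    second finds within one rotation window. Assumes the new password is
    independent of the old one, i.e. the guesser really does start over, which
    is the assumption behind the thread's brute-force argument."""
    guesses = guess_rate * rotation_days * SECONDS_PER_DAY
    return min(1.0, guesses / space)


def years_to_exhaust(space: int, guess_rate: float) -> float:
    """Years needed to try every password at guess_rate per second."""
    return space / guess_rate / SECONDS_PER_DAY / 365


def compare_scenarios(rotation_days: int = 30) -> dict:
    """The thread's two spaces (1E12 and 1E20 passwords) against two constructed
    attacker profiles: throttled online guessing and offline cracking of a
    leaked hash. Returns the fraction of passwords found within one window,
    keyed by (space label, rate label)."""
    spaces = {"1E12": 10**12, "1E20": 10**20}
    rates = {"online_10_per_s": 10.0, "offline_1e9_per_s": 1e9}
    return {
        (s, r): fraction_found_before_rotation(spaces[s], rates[r], rotation_days)
        for s in spaces
        for r in rates
    }


if __name__ == "__main__":
    for (space, rate), frac in compare_scenarios().items():
        print(f"{space} vs {rate}: {frac:.3g} of passwords found within 30 days")
    print(f"1E12 passwords at 10/s take {years_to_exhaust(10**12, 10):.0f} years to exhaust")
    print("compromised day 3, used day 10, 30-day rotation helps:", rotation_helps(3, 10, 30))
    print("compromised day 3, used day 40, 30-day rotation helps:", rotation_helps(3, 40, 30))
```

Within the model the answer is two-sided. Against offline cracking of a leaked hash, a 1E12 space is exhausted inside the window whether or not the password rotates, and only the larger space changes the outcome. Against throttled online guessing, even a 1E12 space would take thousands of years to search, so a scheduled change affects a fraction of attacks on the order of 1E-5 per window. The case where rotation clearly helps is the one the paper names: a password already learned but not yet used, with a change falling between the two dates.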
For some family members where I have suggested very basic security steps like disabling automatic logins, turning automatic updates on for everything (not just Windows), and a few other usual steps, they have asked "what for? The hackers are gonna get in anyway!"
It has become so ingrained in them that hackers are everywhere and that they are so talented that it is futile to resist. Quite honestly, I can't understand this mentality, but it does exist.
On the phishing front, it's useful to stop blaming the end user, and blame the site that hosted the phishing page.
For some time, I've encouraged taking a harder line on phishing-friendly sites, sites that host phishing pages. I had a paper on this at the 2008 MIT Spam Conference. At SiteTruth, we take the position that one phishing page blacklists the whole second-level domain. Here's the current list of major domains being exploited by active phishing scams.
The free hosting sites and the "short URL" sites show up on the blacklist regularly. After much nagging and some press coverage, most of them are now very aggressive about kicking off phishing pages, and they don't stay on for long. The better ones now read PhishTank and the APWG blacklist automatically and kick off anything that shows up. Currently, Google is in the doghouse, because they've recently entered the "free hosting business" without adequate phishing defenses. See this abuse of Google Spreadsheets.
At the moment, "t35.com", a free hosting service, is the site most abused in this way, by a large margin. I've contacted their people. The problem is that they're being attacked by a program, and they're cleaning up by hand. Right now, they're hosting 545 known phishing pages. Nobody else is even in double digits. "piczo.com" (a social network/free hosting service for teenage girls) was the last big victim, but they're gradually getting the problem under control.
A Draconian blacklisting policy may seem harsh, but it encourages site operators of easily-exploited sites to be very aggressive about dealing with the problem. We're seeing more free hosting sites with a "click here if this is abuse" button on every page. The number of people who have to be educated to deal with the problem in this way is in the hundreds, not the hundreds of millions. So it's a solvable problem.
If you're going to blame the victim, this is the way to go at it.
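The blacklisting rule described above, one reported phishing page blocking the whole second-level domain, comes down to choosing the right key for each reported URL. The Python below is an added example written for this page, not SiteTruth's code; the suffix table is a constructed subset standing in for the Public Suffix List, and the reported URLs and domains are made up.

```python
"""
Added example (not SiteTruth's code): a phishing blacklist keyed on the
registrable (second-level) domain of each reported URL, so a single reported
page blocks every host under that domain, as the post describes.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes. A real deployment would
# load the full Public Suffix List; without this table "x.example.co.uk" would
# collapse to "co.uk" and blacklist an entire country registry.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the blacklist key for a URL: the registrable domain, or the bare
    address when the host is an IP literal."""
    if "://" not in url:          # tolerate bare "host/path" reports
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        ipaddress.ip_address(host)
        return host               # IP literals: key on the exact address
    except ValueError:
        pass
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return host               # host is itself a public suffix
    return ".".join(labels[-(suffix_len + 1):])


class DomainBlacklist:
    """Reported URLs grouped by registrable domain."""

    def __init__(self):
        self._reports = {}        # registrable domain -> list of reported URLs

    def report(self, url: str) -> str:
        """Record a reported phishing page; returns the domain now blocked."""
        key = registrable_domain(url)
        self._reports.setdefault(key, []).append(url)
        return key

    def is_blocked(self, url: str) -> bool:
        """True when any page under the URL's registrable domain was reported."""
        return registrable_domain(url) in self._reports

    def worst_offenders(self, n: int = 3):
        """Domains with the most reported pages, like the counts in the post."""
        counts = [(d, len(urls)) for d, urls in self._reports.items()]
        return sorted(counts, key=lambda dc: (-dc[1], dc[0]))[:n]


# Constructed sample reports (all domains made up).
SAMPLE_REPORTS = [
    "http://secure-login.free-host.example/bank/",
    "http://acct-verify.free-host.example/paypal/",
    "https://user123.free-host.example/update.html",
    "http://blog.short-url.example/r/x7q",
    "https://mail.example.co.uk/webmail-login",
    "http://203.0.113.7/phish/",
]


def build_sample_blacklist() -> DomainBlacklist:
    """Load the constructed reports into a blacklist."""
    bl = DomainBlacklist()
    for url in SAMPLE_REPORTS:
        bl.report(url)
    return bl


if __name__ == "__main__":
    bl = build_sample_blacklist()
    print(bl.worst_offenders())
    print(bl.is_blocked("http://someone-else.free-host.example/innocent"))
```

The key choice is where the policy's harshness lives: every customer of a free host shares its registrable domain, so one reported page blocks all of them until the host cleans up, which is the pressure the post describes. The public-suffix table is what keeps that pressure aimed at the host rather than at a whole registry such as co.uk, and IP literals are keyed individually because they have no registrant to lean on.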