Slashdot Mirror


Users Rejecting Security Advice Considered Rational

WeeBit writes "Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working. [Microsoft Research's Cormac] Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process." Here is Dr. Herley's paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).

13 of 389 comments

  1. Wasted time by Ethanol-fueled · · Score: 5, Insightful
    Average Joe User is cheap and lazy, that's a given. TFA:

    Users understand, there is no assurance that heeding advice will protect them from attacks.

    What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.; if not bothering or paying somebody else to do it. I'd been toying around with Linux and Unix for years for business and personal use, but I finally switched for good when I realized that I was wasting more time with Windows than I would with a *NIX O.S.

    Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer.

    Would Linux be more safe if it had greater than or equal to the market share of Windows? Is any home O.S. really safe as long as the user keeps clicking "yes" or "ok"? That's a whole other debate. The fact is that Linux, now, is much less of a hassle than Windows.

  2. Re:Yeah by MichaelSmith · · Score: 5, Insightful

    I have a simpler conclusion... Most users are idiots!

    Even simpler: most people are idiots.

  3. Interesting by Anonymous Coward · · Score: 5, Insightful

    I agree with this assessment. I work at an IT company that supports many different companies and users of different sizes. We are a small operation (10 techs).

    Most security recommendations are rejected due to the cost of implementation when dealing with corporate customers. Smaller businesses and individual users will reject them due to the lack of perceived risk.

    A simple example is when a salon did not want to spend the 30 minutes in labor to secure their wireless network because guests use it. We said no problem and offered to set up a guest network and secure their internal wireless network. No problems with their Cisco SA. They still did not want to do it. Their reasoning was not the $50 one-time cost but, "Who would want to go to the trouble of accessing our data? We have nothing sensitive."

    They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.

    That's just one example. Lots of these "dumb end users" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.

    1. Re:Interesting by AuMatar · · Score: 5, Insightful

      And 99% of the time they're right to ignore it. It's quite simple: unless a site is getting my financial info, what do they have to lose? Nothing, unless they're stupid enough to use the same password as their email. And that's a rule you can get many of them to follow.

      I'm a computer programmer, and except when I'm coding I've stopped giving a shit. I use the same default password everywhere except email and finance places, because I don't care. Oh no, you can now edit my slashdot and video game forum accounts. How can I live? I don't download files from untrusted sources, so I don't bother with antivirus. I don't bother with updates because they break stuff more often than I see any benefit to it. If I actually started dealing with all that shit it would take serious effort. It's just not worth it.

      You can get 99% of the benefits with 5% of the effort: don't use the same password on your email as anything else, don't use the same password on finance stuff and anything else, don't download anything you aren't 100% sure about, don't trust any links in email. That's all you need to do.

      --
      I still have more fans than freaks. WTF is wrong with you people?

    2. Re:Interesting by Jer · · Score: 5, Insightful

      For example, advising users to actually read warnings about SSL -- after 5 words, they are bored and go back to ignoring SSL warnings (and in some cases, falling victim to MITM attacks). We are not talking about costly solutions here, just basic, unintrusive guidelines that people are ignoring.

      This is actually one of the examples from TFA. The contention is that the statistics show that a majority of the certificate errors that users run across are false positives and ignoring them is perfectly harmless. And TFA goes on to point out that a phisher would be pretty damn stupid to go to all the trouble to set up a fake domain and then put a broken certificate on it to throw up a warning and cause a potential victim to take a second look at the site and make sure it isn't something suspicious.

      And IT people need to remember that what sounds like a "basic, unintrusive guideline" to us often sounds like babble, pointless rigmarole to make their jobs harder, or an IT person pulling an ego trip to the end users. The last one is especially bad because many users can't tell the difference between "arbitrary rule handed down by IT that makes their jobs easier while making my life harder" and "good solid advice handed down by IT for a very good reason." When they can't tell the difference, they'll just assume it's in the first camp and ignore it. If you're going to make their lives harder, you better have a damn good reason for it.

  4. This is not a "new" interpretation by frinkster · · Score: 5, Insightful

    I can still remember the Computer Security professor telling the class on the very first day that computer security is a matter of economics. How much does it cost to implement? How much do you stand to lose if your security is broken and your "stuff" stolen? At some point, you reach a point of diminishing returns and it is wasteful to spend more on security.

    And in this context, time, effort, and inconvenience all have a significant cost that must be counted.

    The average idiot computer user is not always as dumb as you think they are.

  5. No Economic Incentive? by jjoelc · · Score: 5, Insightful

    How about this one... At least in businesses...

    Users in a business generally have very little if any incentive to follow any security policy that does not happen automatically, without any intervention on their part.

    It is not their data, not their computer, and generally not their problem. If something goes wrong... they might have to move to another desk for a little while, while "the computer guy" "fixes" everything for them. They might even get a slap on the wrist for not following policy... But generally, the "users" have no reason to interrupt their busy day with any security policy that interrupts their busy schedule (of Facebook and Slashdot browsing). When malware hits, it is inevitably not their fault, but rather the fault of those same "computer guys" who have to go in and fix it.

    Ain't reality a bitch?

  6. Some security measures don't seem practical. by Richard+Steiner · · Score: 5, Interesting

    I have to remember something like 70 passwords as a multiplatform software developer, and some of those hosts have passwords which expire every 30 days, can't repeat for at least a dozen iterations, and must contain at least one numeric, at least one upper-case and one lower-case alpha, and at least one non-alphanumeric symbol.

    I understand the reasoning, and if it was only a handful of boxes... or rarely used boxes... I would understand, but I'm logging into 25 or 30 of these machines or applications on a daily basis.

    I can use a password manager like KeePass, and it's okay, but I can see how some folks would resort to other means, try to use password patterns, etc.

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.

  7. good advice versus bad advice; costs to others by bcrowell · · Score: 5, Interesting

    The paper is not entirely unreasonable. However, there are at least some holes in it.

    It lumps good and bad security advice together. The economic benefit of following bad security advice (e.g., buying antivirus software) is zero or negative, so of course anybody would be rational to ignore such advice. That doesn't mean it should be lumped together with *good* security advice. They're hypothesizing that people are acting like the idealized economic free agents beloved of economists: people with perfect information, acting rationally. Under this hypothesis, people would have perfect information about which security advice is good and which is bad.

    The article doesn't talk about costs to others. People who get their computers owned by a botnet aren't only suffering economic harm themselves, they're inflicting harm on other people. On p. 5 Herley talks about how Wells Fargo limits customers' liability to $50 if they're victims of fraud. That doesn't mean *nobody* pays the cost of the fraud. We all pay those costs, indirectly.

    Another problem is that in many cases Herley relies on back-of-the-envelope estimates of the damage caused by security failures. E.g., on p. 2 he estimates the economic costs of a particular exploit. But these estimates aren't based on any actual data. That particular calculation is also kind of stupid, because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?) protecting against a particular exploit. What his analysis ignores is that there may be hundreds of such exploits out there, and that anything you do that protects against one exploit (e.g., not using a dictionary word as your password) will also help to protect you against all the others. And forgive me if I'm a little skeptical of low-ball estimates originating from MS of the economic damage of computer security failures. That's like trusting GM to estimate the economic effects of global warming.

  8. Re:Windows Joke by Anonymous Coward · · Score: 5, Funny

    Why do Employees like Microsoft Windows? Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them.

    Why do Managers like Windows? Windows allowed them to have the latest and greatest in computer hardware, largest hard drive, most memory, fastest CPU, and other new hardware. With all this no Employee could remote login to their system and slow down the Screen Saver. Because the Manager wanted to find out if the Cast-away escaped from the island.

    1992 called. It doesn't want these jokes back, and says you can keep them.

  9. Re:Windows Joke by Opportunist · · Score: 5, Insightful

    Why does IT like Windows?

    Two words: Job security

    Blunt and brutal as it sounds, I'm all for Windows in a work environment, even though I don't want to be subjected to it in my private space. Hey, at home I need to be productive! At work, I need to be certain I still have a job tomorrow. And, bluntly again, that's more secure with a system that acts "weird" from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time. For crying out loud, Linux even does generation changes without aid from IT; can you imagine what that would mean to your job? Imagine Linux being used in the office, with the new versions quietly installing themselves while all the software keeps working!

    Tell me you don't prefer a system that needs YOU to go there and install it, then breaks every kind of compatibility and keeps you busy and employed for ... well, at least 'til the next generation of system needs to be installed.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  10. I used to agree with you ... by nadahlman · · Score: 5, Interesting

    I used to hate expiring passwords on the financial data systems where I used to work. Then one day the Comptroller was locked out of his own account because he had tried his old password too many times. But it turned out the Comptroller was on vacation and hadn't even tried to log in.

    It turned out that an inside person had put a physical keylogger (USB pass-through device between computer and keyboard, ordered straight from China) on the Comptroller's computer one night and collected it a week later, and then subtly tampered with her own salary. She had also stolen the e-mail passwords of any employee who would have been alerted about the change, and instantly deleted the e-mail notifications as soon as she modified the system. She was sophisticated enough to alter other logs and alerts as well.

    We might have locked down our internal systems better to begin with, but I have to say that she might have gotten away with it if it hadn't been for those darn password changes.

  11. Re:Windows Joke by jc42 · · Score: 5, Insightful

    Blunt and brutal as it sounds, ... ... I've occasionally run across this reasoning told as a joke, shown it to friends whose business is supporting Windows, and been told that it's no joke at all. The typical response is along the lines of: Hey, I've installed Linux for a few customers. Each time, it only took me an hour or so, and that's all I got paid for. Then I never heard from them again until they wanted someone for another hour to do an install on a new machine. OTOH, with my Windows clients, I typically get paid for at least a full day to install anything, and then I get called back for half- or full days whenever the system shoots itself in the foot. We'd be fools to advocate a system like Linux when Windows produces two to three orders of magnitude more billable time for us. Of course, we all use Linux and/or OS X at home, but that's not where the support business is.

    As long as the suckers^Wclients continue to act like they do and fall for the "market leader" sales propaganda, this isn't going to change. It's been like this in the computing industry since at least the 1960s, so don't expect it to change during your lifetime.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.