Slashdot Mirror


Consumers Prefer Security Over Convenience For the First Time Ever, IBM Security Report Finds (techrepublic.com)

A new study by IBM Security surveying 4,000 adults from a few different regions of the world found that consumers are now ranking security over convenience. For the first time ever, business users and consumers are now preferring security over convenience. From a report: TechRepublic spoke with executive security advisor at IBM Security Limor Kessem to discuss this new trend. "We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts...people actually would go the extra mile and will use extra security," Kessem said. Whether it's using two factor authentication, an SMS message on top of their password, or any other additional step for extra protection, people still want to use it. Some 74% of respondents said that they would use extra security when it comes to those accounts, she said.

  1. Not that it really matters... by supremebob · · Score: 5, Insightful

    Because you know that some dumbass in the home office is storing their admin passwords in cleartext for everyone to see.

    The security auditors always focus on things like crazy password policies and front end security scans, but it's always something stupid like what I mentioned above that screws it up for the rest of us.

    1. Re:Not that it really matters... by Tom · · Score: 2

      Security auditors generally follow a script and the scripts are generally badly written. There are a lot of us security experts out there who have a wider perspective, who knew long before the 2017 NIST about-face that traditional password policies are bullshit, and who smile politely when the security auditors come.

      And if some dumbass stores the admin password in cleartext, or writes it on a post-it, then there's a 90% chance that your password policy is to blame.

      --
      Assorted stuff I do sometimes: Lemuria.org
  2. Really? by Obfuscant · · Score: 1
    This is the result of a survey. They asked people. Only 4000 of them. And who knows what the question was?

    The answers are meaningless -- actions speak louder than words. What these survey takers have done is found the right question to ask that 4000 people knew the "right" answer to, and they got the "right" answer even if it didn't match reality. It's called "push polling". The only true way to say that people prefer security over convenience is by counting the number of people who actually USE security that gets in the way of them doing what they want to do.

    For example, I am right now trying to recall the password for a gmail account. I can't remember when I created the account, I don't remember the only password the account has ever had so I can't tell them what one of the old passwords was, and even though I enter the code they send me by email they refuse to believe I am me. Right now, security is getting in the way of getting something done.

    1. Re:Really? by geekmux · · Score: 3, Insightful

      For example, I am right now trying to recall the password for a gmail account. I can't remember when I created the account, I don't remember the only password the account has ever had so I can't tell them what one of the old passwords was, and even though I enter the code they send me by email they refuse to believe I am me. Right now, security is getting in the way of getting something done.

      They gave you multiple ways to protect yourself from security getting in the way, and the system is the problem?

      Hope this clarifies how much your "example", isn't.

    2. Re:Really? by Obfuscant · · Score: 3, Informative

      They gave you multiple ways to protect yourself from security getting in the way,

      If you don't remember the password, asking for the password doesn't protect you from the security. Do you remember when you created every account you have? And why bother sending a "secret code" to another email address if you're just going to ignore it? Those are the three ways they give me.

      Most of the "in the way" is the fact that the web page just hangs after you enter the code. So yes, that's their problem. Otherwise, I said "getting in the way", not whose fault it wasn't working was.

    3. Re:Really? by uvajed_ekil · · Score: 2

      If they're looking at this as an either/or question, they're doing it all wrong from the start. Of course most people are educated enough now that they expect some level of security without expecting it to be completely invisible. The trick is figuring out how obtrusive it can be before people will abandon it, and minimizing the user input and slowdown, without a need to completely eliminate either.

      --
      This is a hacked account, for which the owner can not be held responsible.
    4. Re:Really? by drinkypoo · · Score: 4, Insightful

      (No system can guard against user stupidity.)

      Users sometimes do stupid things. If you don't account for that, you are failing.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Really? by ShanghaiBill · · Score: 1

      Only 4000 of them.

      I generally agree with what you wrote, but not this. A sample size of 4000 people is PLENTY. There are a lot of things you can do to make surveys and polls more accurate, like ensuring the respondents are representative of the population, and asking unbiased questions, but "asking more people" makes very little difference.

      Asking a few dozen people would have got them within 5% of the "real" answer, and a few hundred would have an error of less than 1%. So asking 4000 people is way overkill. The problems with this survey lie elsewhere.

    6. Re:Really? by postbigbang · · Score: 1

      Users DO do stupid things. They're users.

      And now, so many organizations have been breached, public, private, corporate, even small operations that people try to think about security because:

      Most everyone in the USA (I'll take my home country as an example) knows someone whose credit info has been snarfed (Equifax), military security/secrets info (OPM breach), health (how many insurers and hospitals now?) that it's almost impossible to be an American without having the taint of having your privacy for sale somewhere behind Tor.

      The average civilian knows little about what to do, and leaves security trust to others. Now they trust them as much any more, and for good reason. We as a professional community have failed at security, and we're being laughed at, and for good reason.

      --
      ---- Teach Peace. It's Cheaper Than War.
  3. BS by Anonymous Coward · · Score: 1

    I've worked with end users for 25 years. Security over convenience? 100% BULLSHIT. Not a chance.

    1. Re:BS by geekmux · · Score: 2

      I've worked with end users for 25 years. Security over convenience? 100% BULLSHIT. Not a chance.

      Exactly. Security has never been a priority over convenience, and asking 4,000 people sure as shit isn't proof.

    2. Re:BS by umghhh · · Score: 4, Insightful

      It means something still if public sentiment changes. Even if the difference between what people do and what they say is huge, if what they now say changes this much, the chances are the masses move a bit and some less reckless and more competent of us will maybe prevail a few % points more often than before. OC that will not be enough even if it is a move in the proper direction, but better than nothing.

  4. They will finally stop using IE 6? by jfdavis668 · · Score: 3, Funny

    Does this mean people will move on from Windows XP and IE 6? About time.

  5. If this were true by OrangeTide · · Score: 1

    Then people wouldn't use the same damn password on most of their accounts.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:If this were true by skids · · Score: 2

      ...and demand SSO solutions from the IT department. If the trend ever does really reverse, we'll see requests for separating password realms from users... and then end up with an even more complicated SSO solution to accommodate that functionality since apparently so many of them neglected to think to implement that feature in their rush towards "one password that works everywhere."

      Oh, BTW, TFA needs to get a clue. SMS texts are not a NIST approved 2FA mechanism anymore, for good reason.

  6. complete bullshit by gravewax · · Score: 1

    Complete and utter bullshit. They will happily say that in a survey but when push comes to shove the majority choose convenience over security. This applies to passwords, device configurations and just about any aspect where there is an option that allows convenience.

  7. Never believe what people say. by petes_PoV · · Score: 3, Insightful

    Some 74% of respondents said that they would use extra security

    I'll believe this when they actually start doing it.

    People in surveys say all sorts of things. What they actually do is often entirely different. And what they will do in the long term is entirely different again.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  8. What they say by plopez · · Score: 1

    versus what they will do. Anyone can say they prefer A over B. But when the time comes will they really choose A? There are many companies out there that have been burned when market research said one thing, but what the customer did was something else. I guess what it comes down to is marketing and advertising. A fear campaign would work. Maybe.

    --
    putting the 'B' in LGBTQ+
  9. Actually by Brockmire · · Score: 1

    They asked a guy named Bob Consumers and he thought security should be more important than convenience. Bob Consumers is an only child.

  10. allies, not enemies by Tom · · Score: 1

    Been preaching this for 10+ years: Usability and security are allies, not enemies.

    If your usability is good, your users make less mistakes, which leads to less unintentional issues.
    Phishing is largely a usability thing. I have a couple slides about that, the very short version is that all the info you need to spot a phishing mail is typically hidden, while all the info that lures you in is prominent.
    Proper decision making by users can be guided through usability, to prevent them from doing stupid things.
    User feedback of most security apps is abysmal, to say it nicely.

    There are great examples of usability and security working together. I still wonder why nobody picked up the Chamaeleon concept, for example (basically: A set of user-configurable domains running under one windowing system, with colored borders indicating for every window which domain it belongs to).

    Usability needs to be designed into security. We are failing our users with this bullshit 80s attitude of blaming their stupidity.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:allies, not enemies by Obfuscant · · Score: 1

      Been preaching this for 10+ years: Usability and security are allies, not enemies.

      "Usability" is not "convenience". Convenience and security truly are enemies; usability and security are orthogonal concepts.

      You can have a website with the best UX in the world, but if the access controls to get there are inconvenient, users will often opt for more convenience in place of security.

      I could PGP sign every piece of email I send from my tablet. The UX is there. It's not convenient, so I don't. (Set up a key pair, publish the right half, teach all my correspondents how to decrypt it, etc. None of this is in the email client UX.) I could go for better security on my airline account, but I've chosen to reduce security so I don't have to write down all the answers to the multiple security questions they ask at the most inconvenient times. I could use a unique password for every account I have, but I choose to create passwords in a similar way, thus reducing security. And I choose convenience over security because I have my web browser remember both login and password for me, which is the only reason I have been able to recover my forgotten gmail password. (Google reduced the security of their own system by remembering that I HAD the account, telling me the login, which makes it more convenient for me.)

  11. Sure. by rsilvergun · · Score: 1

    And they like a bold, rich roast too (Yeah, it's Malcolm Gladwell, but the ideas aren't his so it's all good).

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  12. dysfunctional child by bigtreeman · · Score: 1

    I used to be a dysfunctional child and now prefer reduced functionality caused by tight security. Privacy Badger is my latest ally in fighting 'the man'.
    When you get to a web page full of blanks that doesn't make a lot of sense you get to realise how much we are being taken for a ride.
    Pictures, videos, tables can be tracking us, they used to be called viruses.
    Now it is just accepted as normal for companies to automatically provide us with what we want to experience.

    --
    Go well
  13. 18 trackers by bigtreeman · · Score: 1

    Your link to TechRepublic also leads to 18 potential trackers
    and yes, my blocking broke the video which probably says no more than the text.

    --
    Go well
  14. Can blind people have a preference of color? by Anonymous Coward · · Score: 1

    If the people with preferences do not have the ability to assess if their preferences are being met, they will still use shitty products.

  15. Re: First time ever by Zero__Kelvin · · Score: 1

    That is an incredible analogy fail. What you are talking about is security vs no security. A correct analogy would be do they prefer a lock that is easier to use and trivial to bypass over one that is slightly harder to use but nontrivial to bypass. That being said the study only tells us what they say, not what they do. Ask any Christian if they prefer to go to Heaven or Hell and they will say Heaven. An analysis of their behavior will often uncover an incongruence however.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  16. Re: What two-factor?? by Zero__Kelvin · · Score: 1

    That is because you don't know what two factor means.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  17. Re:Stop keeping them there then!! by gravewax · · Score: 1

    The problem is they ARE NOT in the mindset. They simply know what to say on a survey or think they are really in the mindset. In actuality while they care about security it simply is not as important as having an easy to remember password or being able to access that phone faster to get to their urgent game/tweet/facebook post. I would truly love people to actually get it and would celebrate if they did but I work in security every day and I see people even in IT and security that don't get it. Convenience is just more important to them up until something goes wrong.