[dba-Tech] Why we ignore security advice.

Tina Norris Fields tinanfields at torchlake.com
Sat Nov 28 11:09:22 CST 2009


A very interesting article, Stuart.  Thanks.  The author makes a point 
that is hard to refute in terms of cost-benefit ratio to the user.  
Still, I just can't break the habit of trying to keep my stuff secure.  
So, even if it takes me more than a couple minutes a year, I'm going to 
keep my protection up-to-date and run my scans regularly.  As for 
passwords, I keep them in an encrypted file somewhere I know how to 
find.  Thanks again, a good read.  :-)
T

Stuart McLachlan wrote:
> <http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf>
>
> ABSTRACT:
>
> It is often suggested that users are hopelessly lazy and unmotivated on security questions.
> They choose weak passwords, ignore security warnings, and are oblivious to certificate
> errors. We argue that users' rejection of the security advice they receive is entirely rational
> from an economic perspective. The advice offers to shield them from the direct costs of
> attacks, but burdens them with far greater indirect costs in the form of effort. Looking at
> various examples of security advice we find that the advice is complex and growing, but the
> benefit is largely speculative or moot. For example, much of the advice concerning
> passwords is outdated and does little to address actual threats, and fully 100% of certificate
> error warnings appear to be false positives. Further, if users spent even a minute a day
> reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of
> magnitude greater than all phishing losses. Thus we find that most security advice simply
> offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden,
> applied to the whole population, while an upper bound on the benefit is the harm suffered by
> the fraction that become victims annually. When that fraction is small, designing security
> advice that is beneficial is very hard. For example, it makes little sense to burden all users
> with a daily task to spare 0.01% of them a modest annual pain.
> Stuart McLachlan
>
