[dba-Tech] Why we ignore security advice.

Stuart McLachlan stuart at lexacorp.com.pg
Fri Nov 27 17:43:21 CST 2009


<http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf>

ABSTRACT:

It is often suggested that users are hopelessly lazy and unmotivated on security questions.
They choose weak passwords, ignore security warnings, and are oblivious to certificate
errors. We argue that users' rejection of the security advice they receive is entirely rational
from an economic perspective. The advice offers to shield them from the direct costs of
attacks, but burdens them with far greater indirect costs in the form of effort. Looking at
various examples of security advice we find that the advice is complex and growing, but the
benefit is largely speculative or moot. For example, much of the advice concerning
passwords is outdated and does little to address actual threats, and fully 100% of certificate
error warnings appear to be false positives. Further, if users spent even a minute a day
reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of
magnitude greater than all phishing losses. Thus we find that most security advice simply
offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden,
applied to the whole population, while an upper bound on the benefit is the harm suffered by
the fraction that become victims annually. When that fraction is small, designing security
advice that is beneficial is very hard. For example, it makes little sense to burden all users
with a daily task to spare 0.01% of them a modest annual pain.

Stuart McLachlan