I’ve just been reading So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users written by Cormac Herley in 2009. It gracefully captures why the security advice propagated by IT folks everywhere is almost universally rejected and resented by users.
Cormac Herley's thesis is a simple one: users are acting in their own best interest by ignoring most security advice. For most end users the cost of a security problem is fairly small and such problems are fairly rare, so the ongoing cost of remembering and following security advice is large in comparison.
While we argue that it is rational for users to ignore security advice this does not mean that the advice is bad. In fact much, or even most of it is beneficial. It’s better for users to have strong passwords than weak ones, to change them often, and to have a different one for each account. That there is benefit is not in question. However, there is also cost, in the form of user effort. In equilibrium, the benefit, to the user population, is balanced against the cost, to the user population. If observed user behavior forms the scales, then the decision has been unambiguous: users have decided that the cost is far too great for the benefit offered. If we want a different outcome we have to offer a better tradeoff.
I know that I have always hated the web sites that make me change passwords every couple of months and use five different character sets in each password. The result of needing so many passwords has meant that I can’t remember them, and so I’ve had to record all my passwords in a file, producing a security hole much larger than the one they were attempting to patch by requiring super-strong passwords that change frequently. Some of the statements seem quaint: “Florêncio and Herley estimate that users have an average of 25 password accounts to manage”—I probably have hundreds of accounts, since every web site seems to want a password these days, even though the accounts exist only for the web site to track users (usually to the user’s detriment, so imposing password costs on them is doubly damaging).
This doesn’t mean that large corporations should ignore security—particularly if they are responsible for handling many customers’ credit cards. The consequences of a security breach can be quite large for the company, not only in direct costs but in reputation damage and loss of customers to competitors seen as less careless. The solution, however, is not to require all customers and employees to have super-secure passwords, but to restrict access to the credit card information so that a stolen laptop does not unlock hundreds of thousands of accounts.
I wish that IT people everywhere would read the paper, if only for the obvious observations like the following:
First, we need better understanding of the actual harms endured by users. There has been insufficient attention to the fact that it is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them. A main finding of this paper is that we need an estimate of the victimization rate for any exploit when designing appropriate security advice. Without this we end up doing worst-case risk analysis, and this can lull us into thinking that we are offering orders of magnitude more benefit than is actually the case.
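The point about worst-case risk analysis can be made concrete with a small expected-cost model. The following is an added illustration, not code from Herley's paper and not his numbers: the advice, the seconds per day it costs, the hours lost per incident, the share of incidents it prevents and the victimization rate are all constructed assumptions chosen to show the shape of the argument. Everything is measured in user time, since that is what both the attack and the advice mostly consume.

```python
"""Expected-cost model for a piece of security advice, measured in user-hours.

Added illustration with constructed numbers; nothing here is taken from the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advice:
    name: str
    seconds_per_user_per_day: float  # time the advice asks of each user, every day
    hours_lost_per_incident: float   # user time lost when an attack actually succeeds
    fraction_prevented: float        # share of incidents the advice really stops (0..1)


def annual_cost_hours(advice: Advice, users: int) -> float:
    """Total hours per year the user population spends following the advice."""
    return users * advice.seconds_per_user_per_day * 365 / 3600


def annual_benefit_hours(advice: Advice, users: int, victimization_rate: float) -> float:
    """Hours per year the population saves, given the yearly fraction of users attacked."""
    incidents = users * victimization_rate
    return incidents * advice.hours_lost_per_incident * advice.fraction_prevented


def breakeven_rate(advice: Advice) -> float:
    """Victimization rate at which benefit equals cost (population size cancels out)."""
    per_user_cost = advice.seconds_per_user_per_day * 365 / 3600
    return per_user_cost / (advice.hours_lost_per_incident * advice.fraction_prevented)


def rational_to_follow(advice: Advice, victimization_rate: float) -> bool:
    """True when the expected time saved exceeds the time the advice costs."""
    return annual_benefit_hours(advice, 1, victimization_rate) > annual_cost_hours(advice, 1)


# Constructed example (assumption, not a measured figure): "inspect the URL before
# every login" costs ~10 s/day, a successful phish costs ~8 hours of cleanup, and the
# habit stops about half of the attempts that would otherwise have succeeded.
URL_CHECK = Advice("inspect URL before login", seconds_per_user_per_day=10,
                   hours_lost_per_incident=8, fraction_prevented=0.5)

# Worst-case analysis silently assumes every user is attacked every year (rate = 1.0).
# An estimated rate of 0.5%/year (another constructed assumption) tells a different story.
WORST_CASE_RATE = 1.0
ESTIMATED_RATE = 0.005

if __name__ == "__main__":
    users = 1_000_000
    print(f"cost to population:      {annual_cost_hours(URL_CHECK, users):,.0f} hours/year")
    print(f"benefit, worst case:     {annual_benefit_hours(URL_CHECK, users, WORST_CASE_RATE):,.0f} hours/year")
    print(f"benefit, estimated rate: {annual_benefit_hours(URL_CHECK, users, ESTIMATED_RATE):,.0f} hours/year")
    print(f"breakeven victimization rate: {breakeven_rate(URL_CHECK):.1%} of users per year")
    print("rational to follow (worst case):", rational_to_follow(URL_CHECK, WORST_CASE_RATE))
    print("rational to follow (estimated): ", rational_to_follow(URL_CHECK, ESTIMATED_RATE))
```

With these made-up inputs the advice looks like a clear win under worst-case assumptions and a clear loss at the estimated rate; the only number that changed is the victimization rate, which is exactly the estimate the paper says is usually missing. The breakeven function is the useful output in practice: it says how common an attack must be before a given daily habit pays for itself, without needing to know the population size.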
Of course, the same analysis applies to a lot of the mandates for “training” everyone at the university about FERPA, about lab safety, about fire safety, about earthquakes, about sexual harassment policies, about health services, about signs of depression, about parking regulations, about smoking, about using the online purchasing system, … . Each individual training may have benefits but the cumulative cost is huge.
I know I was forced to sit through a training session on the online purchasing system a few years ago, but I have never used the system since—I spent all my grant money on student salaries, which didn’t go through purchasing. The system has since changed, so I wouldn’t be able to use the training even if I remembered it (and had any grant money to spend). Allowing people who did a lot of purchasing to have direct access to the system rather than having to go through purchasing personnel was a good idea, but requiring everyone (even those who made fewer than one purchase a year) to take the training was a total waste of effort.
I have refused to take the online sexual harassment course every 2 years as the University mandates—not because it is an unimportant topic, but because the course is a stupid one that serves no purpose, particularly not after the first time. Note: I do teach about sexual harassment policies and procedures in the how-to-be-a-graduate-student course, and I have the Title IX officer give a guest lecture—setting up an appropriate culture among the grad students is an appropriate use of time in that course. TAs do have to know how to deal with sexual harassment by students in their classes and do have to know that the University has support mechanisms for them. The students need to know that we care about them and will not tolerate a hostile environment. (They also need to know the limits on their own behavior, but this has been such a rare problem that spending a lot of time on it would be a waste of time and an insult to the grad students.)