So Long and No Thanks – Security Cost-Benefit Analysis
Kordel
I stumbled upon an exceptional and groundbreaking white paper on Microsoft’s website a couple of months ago. Written by Cormac Herley of Microsoft Research, I’d consider it a “Must Read” for any Security Analyst, Consultant, Administrator or interested user. Check out the abstract below, and then check out the full article in PDF here or directly from Microsoft here.
Please Note: All credit for this document and Abstract go directly to Cormac Herley!
ABSTRACT
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.
Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit trade off to users and is rejected.
Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
