I just finished reading a truly brilliant research paper, “So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users,” by Cormac Herley of Microsoft Research. Every one of you needs to read the whole thing, which is online at bit.ly/lZZsyr.
How often have we given users security instructions and had them ignore us? And then we got mad when our beautiful security code didn’t prevent losses because the users wouldn’t do what we told them to? Bad, naughty users, we said. It’s your own dumb fault you got hurt.
Wrong. It’s our fault for telling them to do things that we knew, or should have known, that they wouldn’t do.
According to Herley, users who ignore our security instructions are being rational from their point of view. They subconsciously calculate that the constant efforts we demand of them are greater than the infrequent (albeit larger) losses to them if they don’t follow our instructions. They then rationally decide to ignore us. Herley writes: “Consider an exploit that affects 1 percent of users annually, and they waste 10 hours clearing up when they become victims. Any security advice should place a daily burden of no more than 0.98 seconds per user in order to reduce rather than increase the [total] amount of user time consumed. This generates the profound irony that much security advice not only does more harm than good (and hence is rejected), but does more harm than the attacks it seeks to prevent, and fails to do so only because users ignore it.” An ounce of cure is not worth five pounds of prevention.
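As an added worked example (not code from the column or from Herley's paper), the arithmetic behind the quoted 0.98 seconds, generalised with an `effectiveness` parameter for advice that prevents only part of the attacks; the function names and the sample figures in the demo are my own assumptions.

```python
"""Herley-style cost/benefit check for a piece of security advice.

Units: daily burden in seconds per user per day; losses in hours per victim;
victim rate as a fraction of the user population per year.
"""

SECONDS_PER_HOUR = 3600
DAYS_PER_YEAR = 365


def expected_loss_hours_per_user(annual_victim_rate, cleanup_hours):
    """Hours per user per year lost to the attack when nobody follows the advice."""
    return annual_victim_rate * cleanup_hours


def breakeven_daily_burden_seconds(annual_victim_rate, cleanup_hours, effectiveness=1.0):
    """Largest daily burden (seconds/user) the advice may impose before it consumes
    more user time than the losses it averts. `effectiveness` is the fraction of
    victimisations the advice actually prevents; 1.0 reproduces Herley's figure."""
    avoided_hours = effectiveness * expected_loss_hours_per_user(annual_victim_rate, cleanup_hours)
    return avoided_hours * SECONDS_PER_HOUR / DAYS_PER_YEAR


def net_hours_per_user(daily_burden_seconds, annual_victim_rate, cleanup_hours, effectiveness=1.0):
    """Positive: the advice saves user time overall. Negative: it costs more time
    than the attack it is meant to prevent, so ignoring it is the rational choice."""
    cost_hours = daily_burden_seconds * DAYS_PER_YEAR / SECONDS_PER_HOUR
    benefit_hours = effectiveness * expected_loss_hours_per_user(annual_victim_rate, cleanup_hours)
    return benefit_hours - cost_hours


def user_hour_value_usd(online_adults, hourly_wage_usd, wage_multiplier=2.0):
    """Herley's valuation of one hour of an entire user population's time."""
    return online_adults * hourly_wage_usd * wage_multiplier


if __name__ == "__main__":
    # Herley's example: 1% of users per year, 10 hours of cleanup each.
    print("break-even burden: %.2f s/day" % breakeven_daily_burden_seconds(0.01, 10))
    # Constructed scenario: advice costing 5 s/day that stops only half the attacks.
    print("net hours/user/year: %.3f" % net_hours_per_user(5, 0.01, 10, effectiveness=0.5))
    # Herley's valuation: 180 million online adults at twice $7.25/hour.
    print("one user-hour is worth $%.2e" % user_hour_value_usd(180e6, 7.25))
```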
A user will tolerate only so much security-related (or other) overhead before he either dumps your product or figures out a workaround. I call this amount the user’s “hassle budget,” a term I coined in my book, “Why Software Sucks” (Addison-Wesley Professional, 2006).
Example: Suppose your landlord put a combination lock on the bathroom door in your apartment. What would you do? You’d enter the combination the first time and maybe the second, but definitely not the third. After that you’d find some sort of workaround—you’d prop the door open, you’d tape down the latch so it wouldn’t lock or you’d relieve yourself in the kitchen sink.
I recently saw a Web article entitled “37 Tips to Prevent ID Theft Online.” If I have to remember 37 different items to keep my identity safe online, the bad guys can have the damn thing.
Herley applies rigorous cost-benefit analysis to such common security practices as changing passwords regularly. You’re somewhat safer if you do this, but how much? And is that benefit greater or lesser than the cost of the time that you spend changing them and keeping track of them? You’ll probably get better overall results if you spend a user’s hassle budget ensuring that his initial password is strong, rather than on periodic changes.
I’ve seen lots of security advice, but this is the first time I’ve seen anyone compare the cost of following that advice with the harm avoided by doing so. When you start putting the two together, a much more nuanced picture emerges. You can only understand it if you put yourself in your user’s shoes—if you Know Thy User, Because He Is Not Thee. (Where have I heard that before?)
I’ll leave you with this final thought from Herley, which I very much hope convinces you to read his entire paper:
“There are about 180 million online adults in the U.S. At twice the U.S. minimum wage, one hour of user time is then worth $7.25 x 2 x 180e6 = $2.6 billion. … We suggest that the main reason security advice is ignored is that it makes an enormous miscalculation: it treats as free a resource that is actually worth $2.6 billion an hour. It’s not uncommon to regard users as lazy or reluctant. A better understanding of the situation might ensue if we viewed the user as a professional who bills at $2.6 billion per hour, and whose time is far too valuable to be wasted on unnecessary detail.”
David S. Platt teaches Programming .NET at Harvard University Extension School and at companies all over the world. He’s the author of 11 programming books, including “Why Software Sucks” (Addison-Wesley Professional, 2006) and “Introducing Microsoft .NET” (Microsoft Press, 2002). Microsoft named him a Software Legend in 2002. He wonders whether he should tape down two of his daughter’s fingers so she learns how to count in octal. You can contact him at rollthunder.com.
This definitely needs to be applied to the massive repositories of passwords we have. Instead of building websites to security standards, we are told to have a different password for every account. Single signon was a good approach, but not well adopted, so the password sprawl grows. I shouldn't have to carry around this database of passwords just to be "secure" until I eventually get hacked anyway because the site itself was written by an idiot.
I've been a software developer for over 15 years and I still find much of the security stuff terribly confusing and poorly executed. Example 1: Running MS Security Essentials. All of a sudden it tells me it has found a trojan virus. It doesn't tell me anything else. I cannot tell if it has uninstalled or quarantined it. I look at the M$ site and find very little detail about it. I am forced to install another virus scanner in an attempt to see what is going on. The other virus scanner, Kaspersky, does not see the trojan. Is this a false positive? I decided to continue with Kaspersky, however, and I forget that I installed it. A few days later I attempt to print to my home network printer. Can't do it. I cannot figure out why. Hours wasted. Yes, I forgot that Kaspersky is newly installed and it's blocking the port that I print on. I uninstall Kaspersky and re-install M$ Security Essentials. Hey, there's that old trojan and now I just don't care. I decided it is quarantined. OK. So how many hours did all that crap cost me? My sister, who is less experienced with computers, has McAfee and every time some piece of software updates it requires her to confirm it. She thinks it's a virus, because it's her virus software telling her. Sometimes she just says no. Other times she thinks about it for minutes or days before finally allowing software to update. My wife has Norton Anti-Virus and she went to a page that she'd gone to before safely. This time Norton tells her she has a Trojan. Looks like there are trojans being injected on previously safe sites. She doesn't know what to do. I examine her machine and it looks quarantined, but what site did it come from? Difficult to tell. Very obscure. Waste of time. Don't even get me started on expired certificates on web sites. Even Microsoft had an expired cert. on the hotmail site and couldn't figure it out for days, leaving those of us who wanted to sign in unable to do so. What did M$ support tell us? Said that we had to delete some cert. from our machine and then redownload a cert. or something. Is that how it really works? I don't think so, because we did all that and it still didn't work. Then, magically, wait a few more days and voila, can sign in to hotmail again. Crazy waste of time. Great article. Hope it sheds some light on the problem and brings some attention.