Cormac Herley
ABSTRACT
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual treats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
- http://isc.sans.org/survivaltime.html.Google Scholar
- http://www.vnunet.com/vnunet/news/2163714/bank-ireland-backtracks.Google Scholar
- http://www.theregister.co.uk/2005/07/19/password_schneier/.Google Scholar
- http://www.schneier.com/blog/archives/2005/06/write_down_your.html.Google Scholar
- http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1256995,00.html.Google Scholar
- http://www.readwriteweb.com/archives/will_mainstream_users_ever_learn.php.Google Scholar
- http://www.phishtank.com.Google Scholar
- http://www.securitycartoon.com.Google Scholar
- Making Waves in the Phishers Safest Harbor: Exposing the Dark Side of Subdomain Registries. http://www.antiphishing.org/reports/APWG_Advisory_on_Subdomain_Registries.pdf.Google Scholar
- Phishers get more wily as cybercrime grows. http://www.reuters.com/article/technologyNews/idUSTRE53G01620090417?feedType=RSS&feedName=technologyNews.Google Scholar
- Regulation E of the Federal Reserve Board. http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=0283a311c8b13f29f284816d4dc5aeb7&rgn=div9&view=text&node=12: 2.0.1.1.6.0.3.19.14&idno=12.Google Scholar
- The Fidelity Customer Protection Guarantee. http://personal.fidelity.com/accounts/services/findanswer/content/security.shtml.cvsr?refpr=custopq11.Google Scholar
- US-Cyber Emergency Response Readiness Team: CyberSecurity Tips. http://www.us-cert.gov/cas/tips/.Google Scholar
- Wells Fargo News Release, Jan 1, 2009. https://www.wellsfargo.com/press/2009/20090101_Wachovia_Merger.Google Scholar
- Wells Fargo: Online Security Guarantee. https://www.wellsfargo.com/privacy_security/online/guarantee.Google Scholar
- Wired: Weak Password Brings 'Happiness' to Twitter Hacker. http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html.Google Scholar
- Department of Defense Password Management Guideline. Technical Report CSC-STD-002-85, U.S. Dept. of Defense, Computer Security Center, 1985.Google Scholar
- A. Acquisti and J. Grossklags. Uncertainty, Ambiguity and Privacy. WEIS, 2005.Google Scholar
- A. Beautement, M.A. Sasse and M. Wonham. The Compliance Budget: Managing Security Behaviour in Organisations. NSPW, 2008. Google ScholarDigital Library
- A. Ozment and S. Schecter. Milk or wine: does software security improve with age? Usenix Security, 2006. Google ScholarDigital Library
- A. Adams and M.A. Sasse. Users Are Not the Enemy. Commun. ACM, 42(12), 1999. Google ScholarDigital Library
- C. Jackson, D.R. Simon, D.S. Tan and A. Barth. An Evaluation of Extended Validation Certificates and Picture-in-Picture Phishing Attacks. Proc. Usable Security, 2007. Google ScholarDigital Library
- R. Dhamija and J.D. Tygar. The battle against phishing: Dynamic security skins. Symp. on Usable Privacy and Security, 2005. Google ScholarDigital Library
- R. Dhamija, J.D. Tygar, and M. Hearst. Why phishing works. CHI, 2006. Google ScholarDigital Library
- D.W. Stewart and I.M. Martin. Intended and Unintended Consequences of Warning Messages: A Review and Syntheis of Empirical Research. J. of Public Policy and Marketing, 1994.Google Scholar
- D. Florêncio and C. Herley. A Large-Scale Study of Web Password Habits. WWW 2007, Banff. Google ScholarDigital Library
- D. Florêncio, C. Herley, and B. Coskun. Do Strong Web Passwords Accomplish Anything? Proc. Usenix Hot Topics in Security, 2007. Google ScholarDigital Library
- C. Herley and D. Florêncio. A Profitless Endeavor: Phishing as Tragedy of the Commons. NSPW 2008, Lake Tahoe, CA. Google ScholarDigital Library
- C. Herley and D. Florêncio. Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy. WEIS 2009, London.Google Scholar
- J. Sobey, R. Biddle, P.C. van Oorschot and A.S. Patrick. Exploring User Reactions to New Browser Cues for Extended Validation Certificates. ESORICS, 2008. Google ScholarDigital Library
- J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri and L.F. Cronor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. Usenix Security, 2009. Google ScholarDigital Library
- C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G.M. Voelker, V. Paxson, and S. Savage. Spamalytics: An empirical analysis of spam marketing conversion. In Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 3--14, Alexandria, Virginia, USA, October 2008. Google ScholarDigital Library
- M.E. Zurko. User-Centered Security: Stepping Up to the Grand Challenge. ACSAC, 2004. Google ScholarDigital Library
- M.J. Freedman and E. Freuenthal and D. Mazières. Democratizing Content Publication with Coral. NSDI, 2004. Google ScholarDigital Library
- M. Jakobsson, A. Tsow, A. Shah, E. Blevis and Y-K Lim. What Instills Trust? A Qualitative Study of Phishing. Proc. Usable Security, 2007. Google ScholarDigital Library
- M. Mannan and P.C. van Oorschot. Security and Usability: The Gap in Real-World Online Banking. NSPW, 2007. Google ScholarDigital Library
- Z. Mao and C. Herley. A Robust Link-Translating Proxy Mirroring the Whole Web. ACM SAC 2010. Google ScholarDigital Library
- M.E. Zurko and R.T. Simon. User-Centered Security. NSPW, 1996. Google ScholarDigital Library
- N.G. Mankiw. Principles of Economics. 4-th ed., 2007.Google Scholar
- P. Kumaraguru, S. Sheng, A. Acquisti, L.F. Cranor, J. Hong. Testing PhishGuru in the Real World. SOUPS, 2007.Google Scholar
- R. Anderson. Why Cryptosystems Fail. In Proc. CCS, 1993. Google ScholarDigital Library
- R. Anderson. Why Information Security is Hard. In Proc. ACSAC, 2001. Google ScholarDigital Library
- R. Anderson. Security Engineering. In Second ed., 2008.Google Scholar
- R. Anderson and T. Moore. The Economics of Information Security. Science Magazine, 2006.Google Scholar
- R. Morris and K. Thompson. Password Security: A Case History. Comm. ACM, 1979. Google ScholarDigital Library
- S. Bellovin. Security by Checklist. IEEE Security & Privacy Mag., 2008. Google ScholarDigital Library
- S. Egelman, L.F. Cronor and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI, 2008. Google ScholarDigital Library
- S. Schechter, R. Dhamija, A. Ozment, I. Fischer. The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies. IEEE Security & Privacy, 2007. Google ScholarDigital Library
- S.J. Greenwald, K.G. Oltho, V. Raskin and W. Ruch. The User Non-Acceptance Paradigm: INFOSEC's Dirty Little Secret. NSPW, 2004. Google ScholarDigital Library
- T. Moore and R. Clayton. Examining the Impact of Website Take-down on Phishing. Proc. APWG eCrime Summit, 2007. Google ScholarDigital Library
- T.S. Kuhn. The Structure of Scientific Revolutions. 1962.Google Scholar
- V. Anandpara, A. Dingman, M. Jakobsson, D. Liu, and H. Roinestad. Phishing IQ Tests Measure Fear, Not Ability. Proc. Financial Crypto, 2007.Google Scholar
- M. Wu, R. Miller, and S.L. Garfinkel. Do Security Toolbars Actually Prevent Phishing Attacks. CHI, 2006. Google ScholarDigital Library
Index Terms
- So long, and no thanks for the externalities: the rational rejection of security advice by users
Recommendations
Investigating Security Folklore: A Case Study on the Tor over VPN Phenomenon
CSCWUsers face security folklore in their daily lives in the form of security advice, myths, and word-of-mouth stories. Using a VPN to access the Tor network, i.e., Tor over VPN, is an interesting example of security folklore because of its inconclusive ...
Systematic analysis and comparison of security advice as datasets
AbstractA long list of documents have been offered as security advice, codes of practice, and security guidelines for building and using security products, including Internet of Things (IoT) devices. To date, little or no systematic analysis ...
Understanding the Security and Privacy Advice Given to Black Lives Matter Protesters
CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing SystemsIn 2020, there were widespread Black Lives Matter (BLM) protests in the U.S. Because many attendees were novice protesters, organizations distributed guides for staying safe at a protest, often including security and privacy advice. To understand what ...
Comments