So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
Authors: Cormac Herley

Date: September 2009
Publication: Proceedings of the 2009 Workshop on New Security Paradigms NSPW '09
Page(s): 133 - 144
Publisher: ACM
Source 1: http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf
Source 2: http://www.nspw.org/papers/2009/nspw2009-herley.pdf
Source 3: http://dx.doi.org/10.1145/1719030.1719050 - Subscription or payment required

Abstract or Summary:
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual treats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.



Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index





[Home] [About Us] [News] [Research]

Copyright © 2019 PasswordResearch.com