The Over-Burdening of Security Advice

Now that my academic modules are drawing to a close, I’ll be able to devote a little more time to the blog before I start the … dan-dan-dannn… Dissertation! So, a tip o’ the hat to Bruce Schneier for this paper from Cormac Herley on the rational rejection of security advice by a user population.

To make this concrete, consider an exploit that affects 1% of users annually, and they waste 10 hours clearing up when they become victims. Any security advice should place a daily burden of no more than 10/(365 × 100) hours or 0.98 seconds per user in order to reduce rather than increase the amount of user time consumed. This generates the profound irony that much security advice, not only does more harm than good (and hence is rejected), but does more harm than the attacks it seeks to prevent, and fails to do so only because users ignore it. In the model we set forward it is not users who need to be better educated on the risks of various attacks (as Adams et al. [21] suggest), but the security community. Security advice simply offers a bad cost-benefit tradeoff to users.

I just can’t fault logic such as this, and I’m sure we’ve all noted how confusing security awareness has become for users over the years. As security professionals, we have all read the advice that reaches users through various channels and found it pointless and lacking: it serves only to confuse users, or fails to engage them in the first instance, or worse, is simply incorrect or does not apply to them at all. Try as we might, we should eventually realise that users are not good at detecting fraud, nor are they good at doing our jobs for us!

Does this mean all security advice is useless? No, just the vast majority of it. In my opinion, an awareness programme should be cohesive and bespoke to each user population, tailored to the top issues facing that particular organization. It is also important that technical controls are in place to reduce how much of users’ time has to be seconded to the security team in the first place. The awareness programme itself should be short, entertaining and designed to get users thinking about transferable security checks and balances, which they can then apply to their own processes.
