
Users Rejecting Security Advice Considered Rational 389

WeeBit writes "Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working. [Microsoft Research's Cormac] Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process." Here is Dr. Herley's paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).

  • Wasted time (Score:5, Insightful)

    by Ethanol-fueled ( 1125189 ) * on Tuesday March 16, 2010 @05:33PM (#31501726) Homepage Journal
    Average Joe User is cheap and lazy, that's a given. TFA:

    Users understand, there is no assurance that heeding advice will protect them from attacks.

    What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.; if not bothering or paying somebody else to do it. I'd been toying around with Linux and Unix for years for business and personal use, but I finally switched for good when I realized that I was wasting more time with Windows than I would with a *NIX O.S.

    Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer.

    Would Linux be more safe if it had greater than or equal to the market share of Windows? Is any home O.S. really safe as long as the user keeps clicking "yes" or "ok"? That's a whole other debate. The fact is that Linux, now, is much less of a hassle than Windows.

  • Yeah (Score:2, Insightful)

    by Capt.DrumkenBum ( 1173011 ) on Tuesday March 16, 2010 @05:36PM (#31501752)
    I have a simpler conclusion... Most users are idiots!
  • Re:Yeah (Score:5, Insightful)

    by MichaelSmith ( 789609 ) on Tuesday March 16, 2010 @05:40PM (#31501800) Homepage Journal

    I have a simpler conclusion... Most users are idiots!

    Even simpler: most people are idiots.

  • Interesting (Score:5, Insightful)

    by Anonymous Coward on Tuesday March 16, 2010 @05:43PM (#31501822)

    I agree with this assessment. I work at an IT company that supports many different companies and users of different size. We are a small operation (10 techs).

    Most security recommendations are rejected due to the cost of implementation when dealing with corporate customers. Smaller businesses and individual users will reject them due to the lack of perceived risk.

    Simple example is when a salon did not want to spend the 30 minutes in labor to secure their wireless network because guests use it. We said no problem and offered to set up a guest network and secure their internal wireless network. No problems with their Cisco SA. They still did not want to do it. Their reasoning was not the $50 one-time cost but, "who would want to go to the trouble of accessing our data? we have nothing sensitive"

    They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.

    That's just one example. Lots of these "dumb endusers" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.

  • by idontgno ( 624372 ) on Tuesday March 16, 2010 @05:43PM (#31501834) Journal

    prevention is more expensive than repair/recovery/treatment

    How? Any prevention effort requires some kind of cost, very often a continual and on-going cost.

    Whereas the cost of recovery is only necessary once the negative effect occurs. And since it only happens to other people, that means that the cost of not preventing is 0. Clear win.

    Which explains a lot of epidemiology (low vaccination rates, high-risk behaviors spreading unstoppable diseases, etc.); economics (victims of fraud, high-risk investors, etc.); software development practices ("Release NOW" rather than quality).

    Unless you can prove that the bad thing WILL happen without prevention, people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.

    Or, as others in this thread have put it, people are idiots.

  • by frinkster ( 149158 ) on Tuesday March 16, 2010 @05:43PM (#31501838)

    I can still remember the Computer Security professor telling the class on the very first day that computer security is a matter of economics. How much does it cost to implement? How much do you stand to lose if your security is broken and your "stuff" stolen? At some point, you reach a point of diminishing returns and it is wasteful to spend more on security.

    And in this context, time, effort, and inconvenience all have a significant cost that must be counted.

    The average idiot computer user is not always as dumb as you think they are.

  • Re:Wasted time (Score:5, Insightful)

    by IamTheRealMike ( 537420 ) on Tuesday March 16, 2010 @05:44PM (#31501844)
    If you're torrenting pirated apps isn't that exactly "downloading random EXE files and running them"? It's not like the people producing the cracked versions are liable if there are problems. You don't even know who they are. And with an 80% miss rate on commercial AV products, there's really no guarantee that these things are clean. BTW your Windows anti-malware solution sucks, a lot of bots/droppers these days are protected with something like Hacker Defender which isn't going to trigger any startup monitoring tool.
  • by maillemaker ( 924053 ) on Tuesday March 16, 2010 @05:46PM (#31501874)

    As I said before, most users don't care because there are usually no consequences to ignoring security directives.

    Most users figure that security is the corporation's problem. They just figure that whatever they do will be protected "by the firewall" and they go on with life. It's not their problem if things go wrong.

  • by jjoelc ( 1589361 ) on Tuesday March 16, 2010 @05:47PM (#31501894)

    How about this one... At least in businesses...

    Users in a business generally have very little if any incentive to follow any security policy that does not happen automatically, without any intervention on their part.

    It is not their data, not their computer, and generally not their problem. If something goes wrong... they might have to move to another desk for a little while, while "the computer guy" "fixes" everything for them. They might even get a slap on the wrist for not following policy... But generally, the "users" have no reason to interrupt their busy day with any security policy that interrupts their busy schedule (of facebook and slashdot browsing). When malware hits, it is inevitably not their fault, but rather the fault of those same "computer guys" who have to go in and fix it.

    Ain't reality a bitch?

  • by Chemisor ( 97276 ) on Tuesday March 16, 2010 @05:49PM (#31501934)

    People giving security advice often have no idea what the threat model is. For example, the typical home user's computer has no chance of being physically attacked. Nobody breaks into people's houses to install hardware keyloggers to steal their online banking passwords. And yet, some banks put up "security measures" like on-screen keyboards you have to type on with a mouse just to avoid keyloggers. Likewise, there's no real security reason to password protect your account on your home computer that nobody but you uses, and no security reason to not use autologin.

    Seriously, there is only one kind of threat the home user faces, and that's software attacks, none of which are aimed specifically at him, and all of which are acquired either through his web browser or through infected executables given to him by his friends. If he runs NoScript, disables javascript in email, and gets executables only from reputable sources, there is simply no way he can get infected. If he's on Linux, he's safer than he's ever going to be already.

  • Re:Yeah (Score:2, Insightful)

    by Anonymous Coward on Tuesday March 16, 2010 @05:55PM (#31501998)

    Even simpler: most people are idiots.

    Yeah, that's a *simple* conclusion, that is.

    You know, every single person I have ever heard say "most people are idiots" has never been all that high a wattage bulb themselves. Maybe they were book smart in one or two areas, but get outside their intellectual comfort zone, and forget it. This seems especially true of computer geeks.

  • Re:Wasted time (Score:5, Insightful)

    by IamTheRealMike ( 537420 ) on Tuesday March 16, 2010 @06:00PM (#31502052)

    OK so this is how it works. There are websites out there like these [krebsonsecurity.com] which allow you to quickly check your newly infected EXE against all the main AV products out there. Signature based AV is basically obsolete because there are lots of programs out there that will happily scramble your EXE for you, in the scene these are known simply as "crypters" and you will find many people in the PPI world advertising their crypter as being FUD (fully undetectable). Good article on this here [secureworks.com]. Of course with enough downloads eventually somebody savvy will catch on, unless your work is really good, and then your binary and uploading IP address are usually banned. At which point they do exactly what you'd expect - spin a new binary, get a new IP address and do it all over again.

    If you're relying on only 15-20 other downloaders to certify something as "clean" and you regularly download warez you probably already have a rootkit on your system and have no idea it's even there.

  • by Anonymous Coward on Tuesday March 16, 2010 @06:00PM (#31502054)
    Most people would use MS Word even if they had the choice to use TeX.
  • Re:Interesting (Score:3, Insightful)

    by jemtallon ( 1125407 ) on Tuesday March 16, 2010 @06:02PM (#31502080) Journal
    The article suggests it's time for a radical shift in how we make security recommendations based on cost-benefit analysis, rather than just reporting each possible attack and recommending to fix it. The argument is that when you flood users with too many recommendations, they begin to reject any security recommendations that cost them too much time, hassle, or resources. The more warnings you throw at them, the more accustomed they become to rejecting them and eventually they get a mentality where they deny all recommendations and wait for an attack to happen, then learn their lesson for that one attack only.

    In this case, the cost was $50 up front but the indirect cost would be needing to learn how to add new devices to the secured wireless, store yet another password somewhere, possibly change the password as problems occurred: all of which would likely lead to having network outages and having your team come back to fix it when it breaks. The benefit in their mind was that someone in the parking lot couldn't check their facebook. So instead they leave it open and run a small risk of viruses from people sharing the connection, an even smaller risk of their Internet connection being used for illegal activity, and an even smaller risk of being attacked for their data. It isn't that they're dumb, it's that the security industry hasn't given them enough return for their investment. Most business users I've ever known are used to making snap judgements on worth/value. They know they don't have to be perfect, just slightly better than their competition and they're always asking themselves if the company next door went to "all this trouble." They're just applying that same logic to the security industry. If we made it less costly, they'd buy in because it'd be an easy way to get ahead of their competitors. For a little while.
  • by IamTheRealMike ( 537420 ) on Tuesday March 16, 2010 @06:02PM (#31502084)

    Onscreen keyboards are good for avoiding generic keylogging viruses. Keylogging and looking for passwords isn't too hard (especially if you can look for email address + tab + word with no spaces in + enter) but defeating an onscreen keyboard means either writing a program to search specifically for that implementation or recording/compressing/uploading/watching full videos of all screen activity which is way too heavy.

    Of course two-factor transaction signing is even better ....

  • by Anonymous Coward on Tuesday March 16, 2010 @06:05PM (#31502114)

    Among crackers, reputation is very important.

    These people spend their time and effort and money to crack the protection on an application/game/movie and get it out to the world. They don't do it for profit. They do it to become known as the person/group that did it first or best. They frequently sign their work, and will go to great lengths to maintain their reputation.

    A bad release, or one with a virus/trojan will quickly gather notice on torrent forums. It would be a one way ticket to expulsion from any release group. It can take years to become accepted into a major release group, its not something taken lightly.

  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday March 16, 2010 @06:07PM (#31502134) Journal
    There are complications, though. Humans are, by the standards of mostly bipedal hunter/gatherer savannah dwelling apes, actually pretty decent at playing "rational actor"; but that isn't the same as being one. Even simple things like the fact that "90% chance of success" can elicit a different emotional response than "10% chance of failure" come down to limited rationality, and the picture isn't all that much prettier elsewhere.

    One big one, particularly for home users, is inaccurate discounting of costs that are either in the future, uncertain, or both. An $80 external HDD can substantially reduce your risk of losing files to disk failure. A shockingly small number of people buy one, even people with actual money who have data that are valuable or at least sentimental. The risks just aren't in their face; but the price tag is, so they don't do it.

    The other thing, again most likely an artefact of inherited historical limitations to human cognition, is the difficulty that people have understanding the implications of automation for their likelihood of being attacked. To the degree that joe user has a threat model at all, it tends to be the classic man-is-a-social-animal naive theory that a person is attacking, or might be attacking him. He then shrugs, and says "I couldn't possibly be worth the effort." and does nothing. If cracking PCs was something done one-by-one, with manual labor, furiously typing to guess the passwords and break through the code walls just like in the movies, he'd be completely correct. However, since the vast majority of online attacks are largely automated, the naive threat model is bunk (for physical attacks, the naive model is probably mostly correct. Planting trojans on unattended laptops in public is almost as risky as, and far less lucrative than, simply stealing them. Jealous spouses, asshole roommates, fucked-up middle school social dynamics and the like, though, provide ample motive for the sorts of attacks performed with physical access on home machines).
  • Re:Interesting (Score:3, Insightful)

    by slimjim8094 ( 941042 ) on Tuesday March 16, 2010 @06:09PM (#31502170)

    But in that instance they're just being dumb. All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pulling down the customer DB, or firing up Metasploit.

    They feel they're not a valuable enough target, but are they right? Maybe - it's hard to say for sure. But what's the cost of being wrong? For a smallish salon, almost definitely enough to put them entirely out of business.

    And the cost being $50? They're simply being stupid. None of this bullshit "analyzing the economic realities and making the logical choice", just stupid.

    Fact of the matter is, all this stuff only needs to happen once - especially for a small business. No security can prevent a super-hacker-paratrooper team from taking everything, but it can improve once-in-5-years odds from some kid to once-in-1000-years odds.

    Some security *is* ridiculous. But most of it isn't. You provide a great anecdote but I suspect it's fairly common.

    Security people are a bit like doctors. It's not really up to the patient to tell the doctor how to do their job, in most cases. Witness the whole autism-vaccine BS. In both professions, the customer can override the professional advice, but it's not a good idea.

    Carrying the analogy a bit further: Reasonable security is a bit like a prostate exam. It's easy and straightforward, a little unpleasant, and entirely unnecessary until it saves your life. Is it rational to forgo a prostate exam because "why would I need a prostate exam? I don't have cancer"?

  • It's obvious (Score:5, Insightful)

    by vakuona ( 788200 ) on Tuesday March 16, 2010 @06:13PM (#31502202)

    It's obvious that most computer security practices are the equivalent of cracking the metaphorical nut with a sledgehammer. My personal pet hate is the password aging practice. It specifically does one of two things. It discourages people from choosing strong passwords because strong passwords are more difficult to create and remember than weak ones. The second is that users may resort to writing passwords down because some expert decided they needed to change their password every 30 days. And often you get that password change prompt right when you are about to go on a long holiday, which guarantees that you will not be able to remember it.

    One reason for this is that organisations have to show that they are serious about security, and practices like password aging are easy 'objective' metrics to demonstrate, even if they do not provide a measurable improvement in security.

  • Re:Interesting (Score:5, Insightful)

    by AuMatar ( 183847 ) on Tuesday March 16, 2010 @06:24PM (#31502324)

    And 99% of the time they're right to ignore it. It's quite simple: unless a site is getting my financial info, what do they have to lose? Nothing, unless they're stupid enough to use the same password as their email. And that's a rule you can get many of them to follow.

    I'm a computer programmer, and except when I'm coding I've stopped giving a shit. I use the same default password everywhere except email and finance places, because I don't care. Oh no, you can now edit my slashdot and video game forum accounts. How can I live? I don't download files from untrusted sources, so I don't bother with antivirus. I don't bother with updates because they break stuff more often than I see any benefit to it. If I actually started dealing with all that shit it would take serious effort. It's just not worth it.

    You can get 99% of the benefits with 5% of the effort- don't use the same password on your email as anything else, don't use the same password on finance stuff and anything else, don't download anything you aren't 100% about, don't trust any links in email. That's all you need to do.

  • Re:Windows Joke (Score:5, Insightful)

    by Opportunist ( 166417 ) on Tuesday March 16, 2010 @06:58PM (#31502672)

    Why does IT like Windows?

    Two words: Job security

    Blunt and brutal as it sounds, I'm all for Windows in a work environment, even though I don't want to be subjected to it in my private space. Hey, at home I need to be productive! At work, I need to be certain I still have a job tomorrow. And, bluntly again, that's more secure with a system that acts "weird" from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time. For crying out loud, Linux even does generation changes without aid from IT, can you imagine what that would mean to your job? Imagine Linux being used in office, with the new versions quietly installing themselves while all the software keeps working!

    Tell me you don't prefer a system that needs YOU to go there and install it, then breaks every kind of compatibility and keeps you busy and employed for ... well, at least 'til the next generation of system needs to be installed.

  • by Sancho ( 17056 ) * on Tuesday March 16, 2010 @06:59PM (#31502686) Homepage

    I think it's a credible threat. I've had my password compromised (as part of a larger compromise) 4-5 times in my life that I know of. Realistically, it's probably happened more than that. Re-using passwords would have meant that I'd want to change my password at umpteen sites (many of which I probably wouldn't remember.)

  • Re:Interesting (Score:5, Insightful)

    by Jer ( 18391 ) on Tuesday March 16, 2010 @07:04PM (#31502738) Homepage

    For example, advising users to actually read warnings about SSL -- after 5 words, they are bored and go back to ignoring SSL warnings (and in some cases, falling victim to MITM attacks). We are not talking about costly solutions here, just basic, unintrusive guidelines that people are ignoring.

    This is actually one of the examples from TFA. The contention is that the statistics show that a majority of the certificate errors that users run across are false positives and ignoring them is perfectly harmless. And the TFA goes on to point out that a phisher would be pretty damn stupid to go to all the trouble to setup a fake domain and then put a broken certificate on it to throw up a warning and cause a potential victim to take a second look at the site and make sure it isn't something suspicious.

    And IT people need to remember that what sounds like a "basic, unintrusive guideline" to us often sounds like babble, pointless rigmarole to make their jobs harder, or an IT person pulling an ego trip to the end users. The last one is especially bad because many users can't tell the difference between "arbitrary rule handed down by IT that makes their jobs easier while making my life harder" and "good solid advice handed down by IT for a very good reason." When they can't tell the difference, they'll just assume it's in the first camp and ignore it. If you're going to make their lives harder, you better have a damn good reason for it.

  • by RobinEggs ( 1453925 ) on Tuesday March 16, 2010 @07:12PM (#31502828)

    people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.

    I'm pretty sure TFA's entire point is that sometimes the guaranteed cost of preventative measures does exceed the statistical risk times the economic risk of actual damage. Skating by on luck totally works if luck, even including the cost of failures at or somewhat above statistical norms, costs less over the long run than the preventative measure.

    I actually have a car analogy here: I don't insure my vehicle for theft or comprehensive damage, because it would cost $400 a year with a $500 deductible on a vehicle only worth $2000. I'm refusing the preventative measure, but only because the likely cost of relying on the preventative measure far exceeds the cost of just buying another car, provided my car gets stolen or totaled less than every two years.

    Information security, like insurance, becomes a transaction on many levels, and many products or preventions in both arenas aren't really worth the cost.
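The arithmetic behind the insurance analogy above, and behind the paper's cost-versus-expected-loss framing, as an added worked example. This is editor-added code, not from the original page or from Herley's paper. The car figures ($400 premium, $500 deductible, $2000 car) come from the comment; the security-advice figures (1000 users, three minutes a day, 200 working days, $20 an hour, a $50,000 incident reduced to $5,000) are assumptions chosen for illustration.

```python
"""Expected-cost comparison of a guaranteed preventative measure versus
accepting a risk, in the spirit of the thread's car-insurance analogy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    fixed_cost: float          # guaranteed annual cost (premium, labour, user time)
    loss_per_incident: float   # what each incident still costs once this option is chosen


def expected_annual_cost(opt: Option, incidents_per_year: float) -> float:
    """Fixed cost plus expected loss, i.e. incident rate times per-incident cost."""
    return opt.fixed_cost + incidents_per_year * opt.loss_per_incident


def break_even_rate(protect: Option, accept: Option) -> float:
    """Incident rate (per year) at which both options cost the same.

    Above this rate the measure pays for itself; below it, accepting the
    risk is cheaper. Returns inf when the measure never pays off (it does
    not reduce the per-incident loss) and 0.0 when it is free and reduces
    the loss, so it should always be taken."""
    saved_per_incident = accept.loss_per_incident - protect.loss_per_incident
    extra_fixed = protect.fixed_cost - accept.fixed_cost
    if saved_per_incident <= 0:
        return float("inf")
    if extra_fixed <= 0:
        return 0.0
    return extra_fixed / saved_per_incident


def cheaper_option(protect: Option, accept: Option, incidents_per_year: float) -> str:
    """Name of the option with the lower expected annual cost at this incident rate."""
    if expected_annual_cost(protect, incidents_per_year) < expected_annual_cost(accept, incidents_per_year):
        return protect.name
    return accept.name


def user_time_cost(users: int, minutes_per_day: float, days_per_year: int,
                   hourly_rate: float) -> float:
    """Aggregate annual cost of advice that eats a few minutes of every
    user's day. This is the fixed_cost side for things like mandatory
    password rotation or reading every certificate warning."""
    return users * minutes_per_day * days_per_year / 60.0 * hourly_rate


# Figures from the comment: $400/year comprehensive cover with a $500
# deductible, on a car worth $2000.
CAR_INSURE = Option("insure", fixed_cost=400.0, loss_per_incident=500.0)
CAR_ACCEPT = Option("self-insure", fixed_cost=0.0, loss_per_incident=2000.0)


if __name__ == "__main__":
    rate = break_even_rate(CAR_INSURE, CAR_ACCEPT)
    print(f"car: insurance breaks even at {rate:.3f} incidents/year "
          f"(one every {1 / rate:.2f} years)")
    for r in (0.5, 0.2):
        print(f"  at {r} incidents/year the cheaper option is "
              f"{cheaper_option(CAR_INSURE, CAR_ACCEPT, r)}")

    # Assumed figures, not from the page: 1000 users, 3 minutes/day,
    # 200 working days, $20/hour, and advice that turns a $50,000 incident
    # into a $5,000 one.
    advice_cost = user_time_cost(1000, 3, 200, 20.0)
    follow = Option("follow advice", fixed_cost=advice_cost, loss_per_incident=5_000.0)
    ignore = Option("ignore advice", fixed_cost=0.0, loss_per_incident=50_000.0)
    print(f"advice: costs ${advice_cost:,.0f}/year in user time, breaks even at "
          f"{break_even_rate(follow, ignore):.2f} incidents/year")
```

With the car figures the policy only pays off if the car is stolen or totalled more often than about once every 3.75 years. With the assumed advice figures, three minutes a day across a thousand users costs $200,000 a year, so the advice has to prevent more than four $50,000 incidents a year before it is worth following. That is the shape of the argument the paper makes, with the real dispute being over the numbers plugged in.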

  • Re:Wasted time (Score:4, Insightful)

    by tepples ( 727027 ) <tepples.gmail@com> on Tuesday March 16, 2010 @07:14PM (#31502866) Homepage Journal

    Personally, I buy things with the intent of running Linux on them.

    I wish I could, but Best Buy doesn't have enough hardware with a cartoon penguin on it. How do you expect the general public to do this sort of research?

  • by hey! ( 33014 ) on Tuesday March 16, 2010 @07:38PM (#31503072) Homepage Journal

    I have a simpler conclusion... Most users are idiots!

    You're only half right. It turns out that most users are *selfish* idiots.

    I used to feel a little bad about hating users. I was afraid it might be arrogant to despise the people who, ultimately, justify my salary. But now I see they deserve whatever they get.

  • Re:It's obvious (Score:4, Insightful)

    by Geoffrey.landis ( 926948 ) on Tuesday March 16, 2010 @07:50PM (#31503178) Homepage

    And when management replies with the inevitable, "Password aging provides a fail-safe against compromised accounts," then what is your reply?

    I would reply that requiring passwords to be changed frequently provides little or no fail-safe against compromised accounts.

    Once they've installed the malware on your machine, it doesn't matter that you changed the locks.

    However, frequent mandatory password changes, along with a requirement for impossible-to-remember passwords, will pretty much ensure that users will write their passwords down. If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.

  • Re:Interesting (Score:5, Insightful)

    by publiclurker ( 952615 ) on Tuesday March 16, 2010 @07:55PM (#31503222)
    Your misguided ranting about autism is the perfect example of why some people cannot be trusted to make decisions. Just because you want to find someone to blame does not make it acceptable to spew out uninformed bullshit which may well kill anyone ignorant enough to listen to you. And yes, I have a child with autism (Asperger's actually), but I also have the ability to think rationally, something you should stop and do once in a while for everyone's sake.
  • Re:Interesting (Score:3, Insightful)

    by Attila Dimedici ( 1036002 ) on Tuesday March 16, 2010 @08:00PM (#31503258)

    All it takes is one malicious kid, who likes credit card numbers, waiting for a haircut and firing up nmap and pull down the customer DB, or fire up Metasploit.

    That would only do that kid any good if the salon keeps the customer credit card numbers in their database. What competitive advantage does the salon gain from storing their customers' credit card numbers? I bet it would cost them a lot less than $50 to not store their customers' credit card numbers.

  • Re:Windows Joke (Score:5, Insightful)

    by jc42 ( 318812 ) on Tuesday March 16, 2010 @08:24PM (#31503428) Homepage Journal

    Blunt and brutal as it sounds, ... ... I've occasionally run across this reasoning told as a joke, shown it to friends whose business is supporting Windows, and told that it's no joke at all. The typical response is along the lines of: Hey, I've installed linux for a few customers. Each time, it only took me an hour or so, and that's all I got paid for. Then I never heard from them again until they wanted someone for another hour to do an install on a new machine. OTOH, with my Windows clients, I typically get paid for at least a full day to install anything, and then I get called back for half- or full-days whenever the system shoots itself in the foot. We'd be fools to advocate a system like linux when Windows produces two to three orders of magnitude more billable time for us. Of course, we all use linux and/or OS X at home, but that's not where the support business is.

    As long as the suckers^Wclients continue to act like they do and fall for the "market leader" sales propaganda, this isn't going to change. It's been like this in the computing industry since at least the 1960s, so don't expect it to change during your lifetime.

  • by WeatherGod ( 1726770 ) on Tuesday March 16, 2010 @08:36PM (#31503518)

    For some family members where I have suggested very basic security steps like disabling automatic logins, turning automatic updates on for everything (not just Windows), and a few other usual steps, they have asked "what for? The hackers are gonna get in anyway!"

    It has become so ingrained in them that hackers are everywhere and that they are so talented that it is futile to resist. Quite honestly, I can't understand this mentality, but it does exist.

  • Re:6. Change often (Score:5, Insightful)

    by Haeleth ( 414428 ) on Tuesday March 16, 2010 @08:42PM (#31503560) Journal

    In theory, if you change your password often enough before the brute-force being complete, the attacker would have to start all over again.

    Yes -- in theory. But people are good at subverting policies like that.

    Suppose it takes about four months for an attacker to brute-force your password hash, and you change your password every month. If they get lucky today and discover that as of December your password was "foobar@Dec09", I think they might be able to make a plausible guess as to its current value.
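The predictable-rotation problem described in this comment, and in the password-aging comments earlier in the thread (vakuona's and Geoffrey.landis's), as an added example that is not part of the original page: a check a password-change handler can run to reject a new password that is only a trivial transform of the old one. Both values are available in the clear at change time, which is the only moment such a check can run. The month-token and digit-run heuristics, the Levenshtein threshold of two edits, and the sample rotation history are my choices for illustration, not anything from the thread or the paper.

```python
"""Reject password changes that are trivial transforms of the previous
password, the failure mode a 30-day aging policy tends to produce."""
import re

# Month abbreviations and digit runs are the tokens users bump each cycle
# ("foobar@Dec09" -> "foobar@Jan10"). Matching is case-insensitive; "may"
# inside a word such as "maybe" also matches, which is acceptable for a
# heuristic whose only effect is to reject a new password.
_MONTH_RE = re.compile(r"jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec", re.I)
_DIGITS_RE = re.compile(r"\d+")


def skeleton(password: str) -> str:
    """Collapse month names and digit runs to placeholders.

    'foobar@Dec09' and 'foobar@Jan10' both become 'foobar@<m><n>'."""
    s = _MONTH_RE.sub("<m>", password)
    s = _DIGITS_RE.sub("<n>", s)
    return s.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_predictable_change(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is something an attacker holding `old` would guess.

    Three checks, in order: identical ignoring case; same skeleton (only
    the month or number tokens moved); or within `max_edits` single-char
    edits (appending '!', flipping one letter's case, bumping one digit)."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True
    if skeleton(old) == skeleton(new):
        return True
    return edit_distance(old_l, new_l) <= max_edits


def check_rotation_history(history: list) -> list:
    """Indexes into `history` (oldest to newest) whose password is a
    predictable change from the one before it; handy for auditing what a
    rotation policy actually produced."""
    return [i for i in range(1, len(history))
            if is_predictable_change(history[i - 1], history[i])]


if __name__ == "__main__":
    # Constructed rotation history: what a monthly policy often produces.
    history = ["foobar@Dec09", "foobar@Jan10", "foobar@Feb10",
               "correct horse battery staple", "correct horse battery staple!"]
    print("predictable changes at positions:", check_rotation_history(history))
```

The skeleton check catches exactly the "foobar@Dec09" to "foobar@Jan10" step the comment describes, while the edit-distance check catches the other common dodge of appending or changing a single character. Neither needs the old password hash to be reversible; the handler simply compares the two plaintexts it was given and then hashes only the one it accepts.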

  • Re:Windows Joke (Score:2, Insightful)

    by Anonymous Coward on Tuesday March 16, 2010 @09:03PM (#31503672)

    That's like saying you like the kid that breaks glass [wikipedia.org], because you as a glazier stay in business. In reality, generating useless work costs the whole society.

    Are you allowed to think about where your society -- the large family of the people of the USA -- is going as a whole, or would that be evil socialism?

  • by Anonymous Coward on Tuesday March 16, 2010 @09:30PM (#31503838)
    The article doesn't talk about costs to others.
    Indeed, Herley's paper would probably be better titled "So long, and thanks for the externalities" -- for most end users (read: end users not in the IT dept), security countermeasures are not taken precisely because the majority of the cost is externalized, either to the business they work for, to the bank that will reimburse them for lost $$$, or to the world in general in the form of yet another botnet node. The $120 they pay geek squad to clean their computer every now and again is a small portion of the overall cost of their lack of security. Because they don't feel the full blow, they are less likely to modify their behavior. And that is the essence of what an externality is, AFAIK.

    Ultimately, I think the biggest problem with Herley's paper is the same problem a lot of economists have with "free agents" -- they make an argument that observed behavior is rational, and then assume that the actors are therefore behaving rationally. In actuality, it's merely coincidence that the observed behavior is rational and there is therefore no reason to suspect that, in the future, choices will continue to be rational.

    This is most true for end users (businesses = econ/business people = trained to make decisions as economists... so big surprise they follow "rational models"). This is because even if observed behavior is consistent with rational choices, the choice is not made because it's rational. People get their information on computer security from hearsay and anti-virus advertisements, and often make emotional choices ("ZOMG EVIL HACKERZ, MEH IDENTITY!!!") that provide the path of least resistance ("look, norton seems to claim it's a golden bullet, and I don't have to learn hard new stuff.")
  • by Dhalka226 ( 559740 ) on Tuesday March 16, 2010 @09:47PM (#31503942)

    If somebody wrote a Bank X Keylogger, it wouldn't. They could just watch for you to go to your bank, start tracking mouse movements and clicks, tie it to a screen resolution and reconstruct what you did.

    But that almost never happens. A general-purpose keylogger sitting in the background hoping for something juicy isn't going to be tracking mouse movements. For one, it's a hell of a lot of data generated very quickly and you don't know when to start or stop. Two, since you don't know what the user is looking at you couldn't reconstruct it. On the flip side, seeing "http://wellsfargo.com[enter]bob[tab]dole[enter]" pretty much gives you all the information you need.

    Most keyloggers out there simply aren't targeted, and without some degree of targeting an on-screen keyboard could help. If they know what they're looking for, you're still boned.

  • Re:Windows Joke (Score:3, Insightful)

    by mjwx ( 966435 ) on Tuesday March 16, 2010 @09:56PM (#31503984)

    Why does IT like Windows?

    Two words: Job security

    Blunt and brutal as it sounds, I'm all for Windows in a work environment, even though I don't want to be subjected to it in my private space. Hey, at home I need to be productive! At work, I need to be certain I still have a job tomorrow. And, bluntly again, that's more secure with a system that acts "weird" from time to time and keeps failing on the user than with a system you set up once and run 'til the end of time. For crying out loud, Linux even does generation changes without aid from IT, can you imagine what that would mean to your job? Imagine Linux being used in office, with the new versions quietly installing themselves while all the software keeps working!

    Tell me you don't prefer a system that needs YOU to go there and install it, then breaks every kind of compatibility and keeps you busy and employed for ... well, at least 'til the next generation of system needs to be installed.

    I agree with your principle, but it applies to more than just Windows.

    Put Linux onto everyone's computer and even if it works perfectly you will still have problems because you can't control users. Users will have problems no matter what, so tech support is always needed. Systems will need to be upgraded, logs need to be read, so sysadmins will still be needed. Linux will not stop the business from needing/wanting new functionality or new software from being developed. Yes, the IT landscape would change radically (it does this on a regular basis anyway IMHO) if we all of a sudden switched to Linux, but it would not kill job security for most IT workers.

    Putting Linux onto most desktops would kill many current security headaches, but it will create some new ones and a few of the old ones will remain (social engineering attacks immediately spring to mind).

  • Re:Wasted time (Score:3, Insightful)

    by epine ( 68316 ) on Wednesday March 17, 2010 @08:20AM (#31506924)

    Welcome to the school of tail wagging the dog. What would the ROI calculation have looked like *before* you acquired that sound card when you effectively married yourself to the Windows culture and all that comes with it? Five minutes well invested against the throes of consumption lust?

    For that matter, why bother learning about birth control until *after* you discover you're not shooting blanks?

    I was looking forward to reading this paper, because there are good arguments to be made about the externality burden. This paper is not that paper. Author seems to have a tin ear concerning second order effects. Maybe SSL certificates are rarely faked because the mechanism grants the adversary a dominating response. In game theory, one can't neglect the influence of moves never played. That tends to correlate with the move being super kick ass when confronting an opponent with rational self-preservation.

    I found the paper extremely self-serving to the Microsoft camp. From a larger perspective, we should have engineered these systems in such a way that it was never a rational proposition for the black hats to invest so much in gaining expertise over its manipulation. Not that this could have been forestalled indefinitely considering the value held within the network walls, but we certainly didn't have to make it so darn easy for the agents of darkness to self-finance their learning curve.

    Now that it's a done deal, Microsoft finds all kinds of time for shirt-rending accounts of the TCO of learned-helplessness.

    One more note. I have to slap my forehead over all the effort invested in training people to use strong passwords. Password strength needs to grow by about six bits per decade just to track Moore's law, while the number of passwords a typical person requires seems to double every decade or so.

    It's socially embarrassing to forget an important password because you were conscientious and didn't write it down.

    The human brain doesn't scale to the demands of this security practice, and this has been obvious for thirty years.

    The risk of key loggers forces one into making each password unique and significantly detracts from the notion of aggregating a huge basket of passwords onto OpenID.

    If every human had 2kB of glucose backed NVRAM with thirty years guaranteed retention, life would be different. We don't, and you can't educate this into existence.
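
The "about six bits per decade" figure in the comment above follows directly from Moore's law. The arithmetic below is an added worked derivation, not part of the original comment; it assumes a doubling period $T$ somewhere between 18 and 24 months and an attacker whose guessing throughput scales with available compute.

If attacker throughput doubles every $T$ months, then over one decade ($120$ months) it grows by a factor of $2^{n}$ with

$$n = \frac{120}{T}$$

doublings. Keeping the expected brute-force time constant therefore requires the password entropy $H$ (in bits) to grow by $\Delta H = n$ bits per decade:

$$T = 24 \;\Rightarrow\; \Delta H = 5, \qquad T = 18 \;\Rightarrow\; \Delta H \approx 6.7,$$

which is where "about six bits" comes from. Translated into password length: a uniformly random password over an alphabet of size $N$ carries $\log_2 N$ bits per character, so the required length grows by

$$\Delta L = \frac{\Delta H}{\log_2 N} \;\text{characters per decade.}$$

For mixed-case alphanumerics ($N = 62$, $\log_2 62 \approx 5.95$) that is roughly one extra character per decade; for a numeric PIN ($N = 10$, $\log_2 10 \approx 3.32$) it is nearly two extra digits. Combining this with the comment's second observation (the count of passwords $P$ doubling each decade), the total memorized entropy after $d$ decades is

$$P_d \, H_d = 2^{d} P_0 \,(H_0 + 6d),$$

which grows faster than linearly, which is the scaling problem the comment describes.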
