Are people being rational when they ignore the security advice we give them? If so, what advice should we give them that they would not ignore?
Should people follow the security advice we give them?
The surprising answer is no. According to a recent paper by Cormac Herley at Microsoft Research, not only do people not follow the security advice we give them, but also they shouldn't.
The problem is that security advice ignores the cost of user effort. When the likelihood of having a loss is low, and if the cost of the loss in time or money is low, then the cost of being vigilant must be trivially low. Much of what we ask of people takes too much effort. Taking an example from the paper, if only 1%/year get hit with a threat that costs 10 hours to clean up, then the effort required to avoid the threat must be no more than 1 second per day.
This is a frighteningly low bar. It means that almost all end-user security must require nearly no effort.
Can security features have this little effort?
Some do. For example, rather than imposing harsh and mandatory restrictions on passwords (e.g. length between 6-8 characters, must contain a number and a letter, must be changed every three weeks), some websites merely report an estimate of the strength of a password while accepting almost anything. This imposes almost no effort while still encouraging longer, stronger, and more memorable passwords. Not only does this make sense for users, but also it makes sense for companies, since, as the paper also points out, costs of having more agent-assisted password resets after forcing people to choose difficult-to-remember passwords easily can be higher than the cost of having more attacks.
Another example implemented by some browsers is improving the visibility of the domain when displaying the URL in a browser. This makes it much easier to see if you are on the correct website, possibly reducing that effort below the threshold where people will find it worthwhile.
A third example is the anti-phishing feature now common in web browsers. This feature checks if a website is a known security threat and intervenes in the rare cases where someone goes to a known threat. The cost of this is zero for almost all web browsing since the feature is working quietly behind the scene.
Perhaps the question at the beginning is wrong. Perhaps we should ask not whether people should follow the security advice we give them, but what advice we should be giving. The security advice we give has to consider the cost of user effort. The security advice we give has to be worth following.
So, what security advice should we be giving?
No entries found