
Communications of the ACM

BLOG@CACM

What Security Advice Should We Give?


Geeky Ventures Founder Greg Linden

Should people follow the security advice we give them?

The surprising answer is no.  According to a recent paper by Cormac Herley at Microsoft Research, not only do people not follow the security advice we give them, but also they shouldn't.

The problem is that security advice ignores the cost of user effort.  When a loss is unlikely and cheap in time or money, the cost of being vigilant against it has to be trivially low for the vigilance to be worthwhile.  Much of what we ask of people takes too much effort.  Taking an example from the paper, if only 1%/year get hit with a threat that costs 10 hours to clean up, then the effort required to avoid the threat must be no more than 1 second per day.

This is a frighteningly low bar.  It means that almost all end-user security must require nearly no effort.

Can security features have this little effort?

Some do.  For example, rather than imposing harsh and mandatory restrictions on passwords (e.g. length between 6-8 characters, must contain a number and a letter, must be changed every three weeks), some websites merely report an estimate of the strength of a password while accepting almost anything.  This imposes almost no effort while still encouraging longer, stronger, and more memorable passwords.  Not only does this make sense for users, but also it makes sense for companies, since, as the paper also points out, the cost of the additional agent-assisted password resets that follow from forcing people to choose difficult-to-remember passwords can easily be higher than the cost of the additional attacks.
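To make the two points above concrete, here is an added example (not code from the post or from Herley's paper) that computes the paper's break-even effort budget and contrasts a rejecting rule set with a feedback-only strength meter; the entropy heuristic and its thresholds are my own assumptions, chosen only to illustrate the contrast.

```python
from __future__ import annotations
import math
import re


def daily_effort_budget_seconds(annual_probability: float, cleanup_hours: float) -> float:
    """Most a user should spend per day avoiding a threat that hits with the given
    annual probability and costs cleanup_hours to recover from (break-even point).
    The post's figures, 1%/year and 10 hours, give roughly one second per day."""
    expected_loss_seconds_per_year = annual_probability * cleanup_hours * 3600
    return expected_loss_seconds_per_year / 365


def mandatory_policy(password: str) -> list[str]:
    """The 'harsh and mandatory' rule set from the post; returns the violated rules.
    An empty list means the password is accepted."""
    problems = []
    if not 6 <= len(password) <= 8:
        problems.append("length must be between 6 and 8 characters")
    if not re.search(r"\d", password):
        problems.append("must contain a number")
    if not re.search(r"[A-Za-z]", password):
        problems.append("must contain a letter")
    return problems


def estimate_entropy_bits(password: str) -> float:
    """Crude strength estimate (assumption: an illustrative heuristic, not a published one):
    log2 of the character-class alphabet size times the length, ignoring characters
    that merely repeat the one before them."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"\d", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33
    if alphabet == 0:
        return 0.0
    repeats = sum(1 for a, b in zip(password, password[1:]) if a == b)
    return math.log2(alphabet) * (len(password) - repeats)


def strength_feedback(password: str) -> tuple[str, float]:
    """Feedback-only meter: never rejects, only reports an estimate to the user."""
    bits = estimate_entropy_bits(password)
    label = "weak" if bits < 36 else "fair" if bits < 64 else "strong"
    return label, bits
```

A long passphrase such as "correct horse battery staple" is rejected outright by the mandatory rules (too long, no digit) yet rated strong by the meter, while "Pa55w0rd" passes every rule and is only rated fair.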

Another example, implemented by some browsers, is making the domain more visible when the URL is displayed.  This makes it much easier to see whether you are on the correct website, possibly reducing that effort below the threshold where people will find it worthwhile.

A third example is the anti-phishing feature now common in web browsers.  This feature checks whether a website is a known security threat and intervenes in the rare cases where someone goes to one.  The cost of this is zero for almost all web browsing, since the feature works quietly behind the scenes.

Perhaps the question at the beginning is wrong.  Perhaps we should ask not whether people should follow the security advice we give them, but what advice we should be giving.  The security advice we give has to consider the cost of user effort.  The security advice we give has to be worth following.

So, what security advice should we be giving?
