BLOG@CACM

What Security Advice Should We Give?

Should people follow the security advice we give them?

The surprising answer is no.  According to a recent paper by Cormac Herley at Microsoft Research, not only do people not follow the security advice we give them, but also they shouldn't.

The problem is that security advice ignores the cost of user effort.  When both the likelihood of a loss and its cost in time or money are low, the cost of being vigilant must be trivially low.  Much of what we ask of people takes too much effort.  Taking an example from the paper, if only 1%/year get hit with a threat that costs 10 hours to clean up, then the effort required to avoid the threat must be no more than 1 second per day.

This is a frighteningly low bar.  It means that almost all end-user security must require nearly no effort.

Can security features have this little effort?

Some do.  For example, rather than imposing harsh and mandatory restrictions on passwords (e.g. length between 6-8 characters, must contain a number and a letter, must be changed every three weeks), some websites merely report an estimate of the strength of a password while accepting almost anything.  This imposes almost no effort while still encouraging longer, stronger, and more memorable passwords.  Not only does this make sense for users, but also it makes sense for companies, since, as the paper also points out, the cost of having more agent-assisted password resets after forcing people to choose difficult-to-remember passwords can easily be higher than the cost of having more attacks.
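To make the contrast concrete, here is an added example (not code from the post, the paper, or any particular website) that places a rule-based policy of the kind described above beside a strength meter that accepts almost anything and only reports an estimate. The entropy estimate, the thresholds, and the tiny list of common passwords are assumptions chosen for illustration; a real deployment would use a much larger breach-derived list.

```python
import math
import re

# Constructed sample of very common passwords (assumption, not from the post).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def estimate_bits(password: str) -> float:
    """Rough entropy estimate: log2(pool size) * length, with two penalties.

    Toy estimator for illustration only; it is not any site's real algorithm.
    """
    if not password:
        return 0.0
    if password.lower() in COMMON_PASSWORDS:
        return 0.0  # penalty 1: a dictionary hit is worth nothing
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33
    length = len(password)
    distinct = len(set(password))
    # Penalty 2: heavy repetition ("aaaaaaaaaaaa") carries far less
    # information than its raw length suggests, so count distinct characters.
    if distinct < length / 3:
        length = distinct
    return math.log2(pool) * length


def strength_label(password: str) -> str:
    """Map the estimate onto the kind of label a meter would show (thresholds assumed)."""
    bits = estimate_bits(password)
    if bits < 28:
        return "very weak"
    if bits < 45:
        return "weak"
    if bits < 70:
        return "fair"
    return "strong"


def strict_policy(password: str) -> bool:
    """The rule-based policy the post criticises: 6-8 characters, a letter and a digit.

    Note that it accepts short, guessable passwords and rejects long passphrases.
    """
    return (
        6 <= len(password) <= 8
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def meter_policy(password: str) -> tuple[bool, str]:
    """Accept anything non-empty; the only feedback is the strength estimate."""
    return (len(password) > 0, strength_label(password))


if __name__ == "__main__":
    for candidate in ["Summer1", "correct horse battery staple", "aaaaaaaaaaaa", "password"]:
        print(f"{candidate!r:34} strict={strict_policy(candidate)!s:5} "
              f"meter={meter_policy(candidate)}")
```

Running the block shows the mismatch the post describes: "Summer1" satisfies every rule of the strict policy yet rates as weak, while a long passphrase is rejected by the rules but rated strong by the meter, which never refuses it.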

Another example implemented by some browsers is improving the visibility of the domain when displaying the URL in a browser.  This makes it much easier to see if you are on the correct website, possibly reducing that effort below the threshold where people will find it worthwhile.

A third example is the anti-phishing feature now common in web browsers.  This feature checks whether a website is a known security threat and intervenes in the rare cases where someone goes to a known threat.  The cost of this is zero for almost all web browsing, since the feature works quietly behind the scenes.

Perhaps the question at the beginning is wrong.  Perhaps we should ask not whether people should follow the security advice we give them, but what advice we should be giving.  The security advice we give has to consider the cost of user effort.  The security advice we give has to be worth following.

So, what security advice should we be giving?

Copyright © 2012 by the ACM. All rights reserved.