Should people follow the security advice we give them?
The surprising answer is no. According to a recent paper, "So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users," by Cormac Herley at Microsoft Research, not only do people not follow the security advice we give them, but they shouldn't.
The problem is that security advice ignores the cost of user effort. When the likelihood of a loss is low, and the cost of that loss in time or money is also low, then the cost of being vigilant must be trivially low. Much of what we ask of people takes too much effort. Taking an example from Herley's paper, if only 1% of users per year get hit with a threat that costs 10 hours to clean up, the effort required to avoid the threat must be no more than one second per day.
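Carrying Herley's example through as a worked calculation (added here; it is not part of the original column), with $p$ the annual probability that a user is hit and $C$ the cost of cleaning up afterwards:

$$
\text{expected annual loss} = p \cdot C = 0.01 \times 10\,\text{h} = 0.1\,\text{h} \approx 360\,\text{s per user per year.}
$$

Advice that costs $e$ seconds of effort every day is only worth following when its annual cost does not exceed the loss it prevents,

$$
365 \cdot e \le p \cdot C \quad\Longrightarrow\quad e \le \frac{360\,\text{s}}{365} \approx 1\,\text{s per day},
$$

and the same inequality, $e \le pC/365$, gives the break-even daily effort for any threat once $p$ and $C$ are estimated.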
This is a frighteningly low bar. It means that almost all end-user security must require nearly no effort.
Can security features have this little effort?
Some do. For example, rather than imposing harsh and mandatory restrictions on passwords (for example, length between 6 and 8 characters, must contain a number and a letter, must be changed every three weeks), some Web sites merely report an estimate of the strength of a password while accepting almost anything. This imposes almost no effort while still encouraging longer, stronger, and more memorable passwords. Not only does this make sense for users, but it also makes sense for companies since, as Herley's paper points out, the cost of the additional agent-assisted password resets that follow from forcing people to choose difficult-to-remember passwords can easily exceed the cost of the additional attacks that weaker passwords allow.
Another example implemented by some browsers is improving the visibility of the domain when displaying the URL in a browser. This makes it much easier to see if you are at the correct Web site, possibly reducing that effort below the threshold where people will find it worthwhile.
A third example is the anti-phishing feature now common in Web browsers. This feature checks whether a Web site is a known security threat and intervenes only in the rare cases where someone visits one. The cost of this is zero for almost all Web browsing, as the feature works quietly behind the scenes.
Perhaps the question at the beginning of this post is wrong. Perhaps we should ask not whether people should follow the security advice we give them, but what advice we should be giving. The security advice we give has to consider the cost of user effort. The security advice we give also has to be worth following.
So, what security advice should we be giving?
I'm at the Anti-Phishing Working Group's Counter eCrime Operations Summit IV this week. The conference is attended by law-enforcement officers, researchers, and industry professionals. I'll be giving some highlights that are relevant to usable privacy and security.
Gary Warner from the University of Alabama reported on trends in malvertising, a relatively new kind of attack where criminals inject malware or scareware into online advertisements. These malvertisements, for example, might be Flash files that make use of exploits, or might use scare tactics that "warn" users about viruses on their computer and urge them to click a link to install fake antivirus software.
There are three points I want to discuss. First, these advertising networks have a very wide reach on the Internet. Even the New York Times' Web site was hit with one of these fake advertisements. As such, these malvertisements represent a very serious threat to the operation of the Internet.
Second, as a user, you could be doing everything right and still be infected. You might keep your antivirus software up to date, always install the latest patches, avoid sketchy programs and Web sites, and not fall for any phish, but still end up with malware.
Third, using fake virus scans has been a growing tactic to convince people to install malware onto their computers. This kind of malware is growing in sophistication, and is also causing damage to legitimate antivirus vendors by reducing people's trust. Admittedly, it's a good strategy for the bad guys to take.
I had the misfortune of facing some of this fake antivirus software recently. My wife fell for one of these scams and asked me to fix her computer. The malware actually blocked standard antivirus software from running, so I tried to remove the software manually. However, as I did this, I saw the malware start to reinstall itself from a remote location. I tried again after turning off all networking, and deleted all the malware files. However, I either missed something in the registry or a browser helper object as it started reinstalling itself again after rebooting. After wasting an hour of time, we decided it would be easier and safer to just wipe the machine and start over.
If we take a step back, we can view malvertisements as just another type of attack where criminals try to make use of our greater connectivity. It's useful to revisit the three basic strategies for usable privacy and security: 1) make it invisible; 2) provide better user interfaces; and 3) educate users. In the short term, we can educate people about fake antivirus programs. However, in the long term, advertising networks will need far better tools for detecting and filtering these kinds of malware so users don't see them at all.
At the beginning of May, the ACM Education Board visited Qatar University. The goal was to meet with stakeholders and plan for developing computing education in the Middle East and India. John Impagliazzo, professor at Qatar University (QU), longtime Education Board member, and emeritus professor from Hofstra University, organized the meeting. We went with Dame Wendy Hall, ACM President [at the time], and John White, ACM CEO and executive director. The trip was amazing: enlightening and confounding.
Qatar University has a significant gender imbalance in its computer science program, but it's the opposite of the U.S. and much of the Western world. Seventy percent of QU's CS students are female. The QU professors explained that being a computer scientist isn't a well-respected job in Qatar. The men go for engineering-labeled degrees, which lead to higher-paying jobs. The QU faculty explained that the computing jobs in Doha (the capital of Qatar, home of QU, and of the majority of Qatar's population) are mostly about adapting and customizing applications from elsewhere to make them fit in Qatar and the Middle Eastern culture.
The QU CS faculty are planning to add more information systems and information technology into their curriculum to better prepare their students for the available jobs. Then we got to meet the female CS students at QU. These women totally embrace "geekiness." They are pushing their faculty to let them build applications sooner in the curriculum. QU offers no programming competitions. These women are looking up international programming competition problems to push themselves! I was amazed at how eager these women are, how much they want to program "robots, animation, mobiles, anything! We want to be challenged!"
On the next day, we visited Education City, home to the satellite campuses of six American universities. Built by the Qatar Foundation, the goal is to change Qatari culture into a knowledge-based society where people build their own intellectual property and not just adapt Western ones. Qatar has oil wealth now, but knows it won't last forever. They're investing now for a future society with a culture focused on knowledge creation and innovation.
CMU Qatar (CMUQ) has a computer science program that is 50/50 female and male! They emphasize developing "a Geek culture," because they want to encourage the sense of wanting to learn and digging in to figure it out yourself, which they saw as missing from the local culture. Classes at CMUQ are coed, integrating men and women. Not all CMUQ students are from Doha, while most of the women at QU are from Doha, and have no interest in leaving Doha.
Why are the women of QU not going to CMUQ? They told us because they want segregated classes. They don't want to go to classes with men. QU has a women's campus and a men's campus. Many women at QU never go to the men's campus.
When we met with the CMUQ faculty, they told us they want to see more "computer science" curriculum in Doha, and less information systems and information technology. That's what the Qatar Foundation wants, to see more about creating new technologies, not adopting, adapting, and managing existing ones. Are there jobs for that in Doha? "Maybe not now, but there will be!"
But will the new jobs be there in time for these students who won't leave Doha? How quickly can culture (and industry) change to embrace innovation over adaptation? The CS women of Qatar University are eager to program, hungry to build new applications, but they value their gender segregation and staying with their families in Doha just as intensely. It's a complicated and fascinating problem, one that shows the challenges of changing the culture of a nation.
©2010 ACM 0001-0782/10/1200 $10.00
The Digital Library is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.