-{ a hewer of maps }-

Rejecting security advice

Are users right in rejecting security advice? is a must read, in my opinion. Make sure to set some time aside to think it through and follow links. Favourite quotes:

We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort*

...costs and benefits do not always directly refer to financial gains or losses... Password rules place the entire burden on the user. ... [who] know that strictly observing the above rules is no guarantee of being safe from exploits. That makes it difficult for them to justify the additional effort and associated cost.

"The typical user does not always see benefit from heeding security advice. ...Try to explain to someone who had a password stolen by a key logger, why a strong password is important."[doesn't make a damn difference how strong it is, does it!]

The main difficulty in teaching users to read URLs is that in certain cases this allows users to know when something is bad, but it never gives a guarantee that something is good. Thus the advice cannot be exhaustive and is full of exceptions.

It probably bears emphasizing that this isn't about rejecting security advice wholesale or discouraging strong passwords. Rather it's that if we don't keep the actual cost to the user in mind there won't be significant uptake, and thus the security effort is wasted anyway. \ \ I think my favourite viewpoint adjustment of this piece is turning the "users are too simple|uninformed|dumb to apply security" assumption into an active question,  "are security experts are too simple|uninformed|dumb to get users?"

Schneier speculated that the employees knew following those policies would cut into their work time. They understood better than the IT department that the risks of not completing their assignments far outweighed any unspecified consequences of ignoring a security rule or three. -- http://www.boston.com/bostonglobe/id...ssword/?page=2\ \

Stack Overflow penalizes community wiki » « Reading Untagged Document bug