From: John Navas on

ABSTRACT

It is often suggested that users are hopelessly lazy and unmotivated on
security questions. They choose weak passwords, ignore security
warnings, and are oblivious to certificate errors. We argue that
users' rejection of the security advice they receive is entirely
rational from an economic perspective. The advice offers to shield them
from the direct costs of attacks, but burdens them with far greater
indirect costs in the form of effort. Looking at various examples of
security advice we find that the advice is complex and growing, but the
benefit is largely speculative or moot. For example, much of the advice
concerning passwords is outdated and does little to address actual
threats, and fully 100% of certificate error warnings appear to be false
positives. Further, if users spent even a minute a day reading URLs to
avoid phishing, the cost (in terms of user time) would be two orders of
magnitude greater than all phishing losses. Thus we find that most
security advice simply offers a poor cost-benefit tradeoff to users and
is rejected. Security advice is a daily burden, applied to the whole
population, while an upper bound on the benefit is the harm suffered by
the fraction that become victims annually. When that fraction is small,
designing security advice that is beneficial is very hard. For example,
it makes little sense to burden all users with a daily task to spare
0.01% of them a modest annual pain.

<http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf>

--
John
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
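The abstract's cost-benefit argument, written out as a small model (an added illustration, not code or figures from the paper or the post): every input below is a constructed assumption, and the "benefit" is the upper bound the abstract describes, i.e. the advice is credited with preventing every incident.

```python
"""Cost-benefit model of blanket security advice, following the abstract's reasoning.

All numeric inputs used with this model are constructed assumptions chosen to show
the shape of the tradeoff, not real measurements of any population or threat.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdviceScenario:
    users: int              # population the advice is applied to
    minutes_per_day: float  # daily effort the advice demands of each user
    hourly_value: float     # value of one hour of user time (currency units)
    victim_fraction: float  # fraction of users harmed annually without the advice
    loss_per_victim: float  # direct cost of one incident (currency units)

    def annual_effort_cost(self) -> float:
        """Indirect cost: the whole population pays it every day of the year."""
        hours_per_user = self.minutes_per_day / 60 * 365
        return self.users * hours_per_user * self.hourly_value

    def annual_benefit_upper_bound(self) -> float:
        """Direct cost avoided, assuming the advice prevents every incident."""
        return self.users * self.victim_fraction * self.loss_per_victim

    def cost_benefit_ratio(self) -> float:
        """How many units of user effort are spent per unit of loss avoided."""
        return self.annual_effort_cost() / self.annual_benefit_upper_bound()

    def break_even_victim_fraction(self) -> float:
        """Victim fraction at which even perfectly effective advice only breaks even.

        Setting effort cost equal to the benefit bound and cancelling `users`
        gives p = (minutes/60 * 365 * hourly_value) / loss_per_victim.
        """
        hours_per_user = self.minutes_per_day / 60 * 365
        return hours_per_user * self.hourly_value / self.loss_per_victim

    def rational_to_follow(self) -> bool:
        """True only if the best-case benefit covers the effort cost."""
        return self.annual_benefit_upper_bound() >= self.annual_effort_cost()


if __name__ == "__main__":
    # Constructed example: one minute a day of URL reading, 0.01% annual victims.
    s = AdviceScenario(users=1_000_000, minutes_per_day=1.0, hourly_value=20.0,
                       victim_fraction=0.0001, loss_per_victim=500.0)
    print(f"effort cost {s.annual_effort_cost():,.0f} vs benefit bound "
          f"{s.annual_benefit_upper_bound():,.0f}; ratio {s.cost_benefit_ratio():,.0f}")
    print(f"break-even victim fraction {s.break_even_victim_fraction():.2%}")
```

With these constructed inputs the advice is rejected by the model even when credited with stopping every incident; the break-even fraction shows how large the victim share would have to be before a daily task pays for itself.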