There's certainly a difference in motivations between users and IT security folks, which generates a lot of frustration in the latter group. IT needs to manage risk; users are supposed to get their jobs done (in other words, make money for the company). It's a truism that we say that security is everyone's job; users say security is IT's job. I mean, look who gets paid for it.
There's a quite interesting research paper out from Microsoft's Principal Security Researcher, which argues that this attitude on the part of users is rational:

> We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot.

I work pretty hard to filter out irrelevant security news and advice here, because I think that there's something to that. The people who get jazzed about a daily dose of triple propeller head security news probably aren't regular readers here. The security industry in general does a poor job of filtering out the noise, which leads to the "boy who cried wolf" syndrome.
He offers the following as reasons why:

- Users understand there is no assurance that heeding advice will protect them from attacks.
- Users also know that each additional security measure adds cost.
- Users perceive attacks to be rare. Not so with security advice; it’s a constant burden, thus costs more than an actual attack.

I (mostly) agree with the perception, although I think that attacks via passive downloaded malware (say, from advertisements that exploit vulnerable browsers) shouldn't be considered "rare".
IT also offers complicated advice. For example, this is typical for how to pick a secure password:

> Password rules place the entire burden on the user. So, they understand the cost from having to abide by the following rules:
>
> - Composition (e.g. digits, special characters)
> - Non-dictionary words (in any language).
> - Don’t write it down
> - Don’t share it with anyone
> - Change it often
> - Don’t re-use passwords across sites

As a public service, here's how to pick a very strong password that is easy for you to remember. Think of a sentence or a phrase that describes something about you that you will remember. For example:

> I used to live on Pond St. when I was 6.

Now take the first letter from each word, preserving capitalization and punctuation:

> IutloPS.wIw6.

That's one heck of a password right there, and is something that is easy to remember for you, and very hard to guess for an attacker. And it takes care of the first 5 bullet points listed above. Well done, you!

And this is hard to argue with:
> We have argued that the cost-benefit trade-off for most security advice is simply unfavorable: users are offered too little benefit for too much cost. Better advice might produce a different outcome. This is better than the alternative hypothesis that users are irrational. This suggests that security advice that has a compelling cost-benefit trade-off has a real chance of user adoption. However, the costs and benefits have to be those the user cares about, not those we think the user ought to care about.

Anyone in IT really needs to read this. Anyone interested in security should take a read, too.
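The first-letter-of-each-word method from the password advice above, as an added example (this is not code from the post or from the paper it discusses): a small Python script that derives the password from the phrase the way the post describes, then checks the result against the rules in the quoted list that can actually be evaluated on the string (composition, non-dictionary word, not reused). The function names, the `TINY_DICTIONARY` word list, the "previously used" set and the second, weaker phrase are constructed for illustration; the first phrase is the one from the post.

```python
"""Derive a password from a memorable phrase the way the post describes
(first character of each word, keeping capitalization and punctuation),
then check the result against the quoted password rules that can be
evaluated on the string itself.

Added example; not code from the post or the paper it discusses.
TINY_DICTIONARY and the sample inputs in main() are constructed."""

import re
import string

# Constructed stand-in for a real dictionary or leaked-password list.
TINY_DICTIONARY = {"password", "pond", "street", "summer", "welcome"}


def phrase_to_password(phrase: str) -> str:
    """Keep the first character of each whitespace-separated word, plus any
    punctuation that ends that word, so "St." contributes "S." and "6."
    contributes "6.", exactly as in the post's example."""
    parts = []
    for word in phrase.split():
        trailing = re.search(r"[^\w]+$", word)
        parts.append(word[0] + (trailing.group(0) if trailing else ""))
    return "".join(parts)


def check_rules(password: str, previously_used=frozenset()) -> dict:
    """Evaluate the rules from the quoted list that are properties of the
    string: composition, non-dictionary, and no reuse across sites (given a
    set of passwords already used elsewhere). 'Don't write it down', 'don't
    share it' and 'change it often' are behaviours, not string properties,
    so no check is attempted for them."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    # A dictionary word padded with digits or punctuation is still a
    # dictionary word, so compare only the letters.
    letters_only = re.sub(r"[^A-Za-z]", "", password).lower()
    return {
        "composition": has_upper and has_lower and has_digit and has_special,
        "non_dictionary": letters_only not in TINY_DICTIONARY,
        "not_reused": password not in previously_used,
    }


def main():
    # The post's own phrase, followed by a constructed weaker one that
    # yields a three-character password with no special character.
    for phrase in ("I used to live on Pond St. when I was 6.", "Pond street 1"):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r} -> {pw!r}: {check_rules(pw)}")


if __name__ == "__main__":
    main()
```

Running it shows why the post's phrase works: the sentence's own punctuation and the digit supply the composition requirements without the user memorizing anything extra, whereas a short phrase with no punctuation ("Pond street 1") produces "Ps1", which fails the composition rule. Reuse is only detectable with a record of passwords used elsewhere, which is exactly the kind of bookkeeping the post argues users will not do.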
UPDATE 19 March 2010 13:44: Dr. Boli offers some (ahem) excellent security advice.