July 2011

Volume 26 Number 07

Don’t Get Me Started - When Security Doesn’t Make Sense

By David Platt | July 2011

David PlattI just finished reading a truly brilliant research paper, “So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users,” by Cormac Herley of Microsoft Research. Every one of you needs to read the whole thing, which is online at bit.ly/lZZsyr.

How often have we given users security instructions and had them ignore us? And then we got mad when our beautiful security code didn’t prevent losses because the users wouldn’t do what we told them to? Bad, naughty users, we said. It’s your own dumb fault you got hurt.

Wrong. It’s our fault for telling them to do things that we knew, or should have known, that they wouldn’t do.

According to Herley, users who ignore our security instructions are being rational from their point of view. They subconsciously calculate that the constant efforts we demand of them are greater than the infrequent (albeit larger) losses to them if they don’t follow our instructions. They then rationally decide to ignore us. Herley writes: “Consider an exploit that affects 1 percent of users annually, and they waste 10 hours clearing up when they become victims. Any security advice should place a daily burden of no more than 0.98 seconds per user in order to reduce rather than increase the [total] amount of user time consumed. This generates the profound irony that much security advice not only does more harm than good (and hence is rejected), but does more harm than the attacks it seeks to prevent, and fails to do so only because users ignore it.” An ounce of cure is not worth five pounds of prevention.

A user will tolerate only so much security-related (or other) overhead before he either dumps your product or figures out a workaround. I call this amount the user’s “hassle budget,” a term I coined in my book, “Why Software Sucks” (Addison-Wesley Professional, 2006).

Example: Suppose your landlord put a combination lock on the bathroom door in your apartment. What would you do? You’d enter the combination the first time and maybe the second, but definitely not the third. After that you’d find some sort of workaround—you’d prop the door open, you’d tape down the latch so it wouldn’t lock or you’d relieve yourself in the kitchen sink.

I recently saw a Web article entitled “37 Tips to Prevent ID Theft Online.” If I have to remember 37 different items to keep my identity safe online, the bad guys can have the damn thing.

Herley applies rigorous cost-benefit analysis to such common security practices as changing passwords regularly. You’re somewhat safer if you do this, but how much? And is that benefit greater or lesser than the cost of the time that you spend changing them and keeping track of them? You’ll probably get better overall results if you spend a user’s hassle budget ensuring that his initial password is strong, rather than on periodic changes.

I’ve seen lots of security advice, but this is the first time I’ve seen anyone compare the cost of following that advice with the harm avoided by doing so. When you start putting the two together, a much more nuanced picture emerges. You can only understand it if you put yourself in your user’s shoes—if you Know Thy User, Because He Is Not Thee. (Where have I heard that before?)

I’ll leave you with this final thought from Herley, which I very much hope convinces you to read his entire paper:

TSA-compliant lock“There are about 180 million online adults in the U.S. At twice the U.S. minimum wage, one hour of user time is then worth $7.25 x 2 x 180e6 = $2.6 billion. … We suggest that the main reason security advice is ignored is that it makes an enormous miscalculation: it treats as free a resource that is actually worth $2.6 billion an hour. It’s not uncommon to regard users as lazy or reluctant. A better understanding of the situation might ensue if we viewed the user as a professional who bills at $2.6 billion per hour, and whose time is far too valuable to be wasted on unnecessary detail.” 

David S. Platt teaches Programming .NET at Harvard University Extension School and at companies all over the world. He’s the author of 11 programming books, including “Why Software Sucks” (Addison-Wesley Professional, 2006) and “Introducing Microsoft .NET” (Microsoft Press, 2002). Microsoft named him a Software Legend in 2002. He wonders whether he should tape down two of his daughter’s fingers so she learns how to count in octal. You can contact him at rollthunder.com.