So long, and no thanks for the externalities: the rational rejection of security advice by users

It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
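The cost-benefit argument of the abstract, worked through as an added derivation that is not part of the paper itself; the symbols, and every numerical value in the last step except the 0.01% victim fraction quoted above, are assumptions introduced here for illustration:

```latex
\begin{align*}
&\text{Let } N \text{ users each spend } t \text{ hours per day following the advice, time valued at } w \text{ per hour.} \\
&\text{Annual cost of the advice to the population:} \quad C = 365\, N\, t\, w \\
&\text{Let a fraction } p \text{ of users be victimised each year, with mean loss } L \text{ per victim.} \\
&\text{Upper bound on annual benefit (the advice prevents every loss):} \quad B \le p\, N\, L \\
&\text{The advice can pay off only if } C < B, \text{ i.e. } 365\, t\, w < p\, L \quad (N \text{ cancels: the bound is per user}) \\
&\text{Break-even loss per victim:} \quad L^{*} = \frac{365\, t\, w}{p} \\
&\text{Assumed values: } t = \tfrac{1}{60}\ \text{h (one minute a day)},\ w = \$20/\text{h},\ p = 10^{-4}\ (0.01\%) \\
&L^{*} = \frac{365 \cdot \tfrac{1}{60} \cdot 20}{10^{-4}} \approx \$1.2 \times 10^{6}
\end{align*}
```

Under these assumed values a one-minute daily task costs the population more than the attacks it addresses unless each victim's annual loss exceeds roughly $1.2 million, because the cost scales with every user on every day while the benefit scales only with the victims.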
