|THIS STORY HAS BEEN FORMATTED FOR EASY PRINTING|
Please do not change your password
You were right: It’s a waste of your time. A study says much computer security advice is not worth following.
By Mark Pothier | April 11, 2010
To continue reading this story, enter your password now. If you do not have a password, please create one. It must contain a minimum of eight characters, including upper- and lower-case letters and one number. This is for your own good.
Nonsense, of course, but it helps illustrate a point: You will need a computer password today, maybe a half dozen or more — those secret sign-ins that serve as sentries for everything from
Now, a study has concluded what lots of us have long suspected: Many of these irritating security measures are a waste of time. The study, by a top researcher at
“Most security advice simply offers a poor cost-benefit trade-off to users,” wrote its author, Cormac Herley, a principal researcher for Microsoft Research.
Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
Herley also looked at the validity of other advice for blocking security threats, including ways to recognize phishing e-mails (phony messages aimed at getting recipients to give up personal information such as credit card numbers) and how to deal with certificate errors, those impossible-to-fathom warning messages. As with passwords, the benefits of these procedures are usually outweighed by what users must do to carry them out, he said.
It’s not that Herley believes we should give up on protecting our computers from being hijacked or corrupted simply because safety measures consume time. The problem, he said, is that users are being asked to take too many steps, and more are constantly being added as new threats emerge or evolve. Security professionals have generally assumed that users can’t have too much knowledge in the battle against cyber crime. But that fails to take into account a crucial part of the equation, according to Herley: the worth of users’ time.
“A lot of advice makes sense only if we think user time has no value,” he said.
The study was first presented by Herley at a security workshop at Oxford University last fall, and began generating wider discussion last month after an essay about it appeared on TechRepublic, a popular technology website.
In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It’s a high hurdle to clear.
Herley’s paper gives “normal users a voice,” said Michael P. Kassner, a technology writer and IT veteran who wrote the TechRepublic piece. For too long, users have been asked to follow security instructions without being told why they are worth the time investment. “I’ve been a proponent of prioritizing” security measures, Kassner said. “The whole purpose of IT is to make people’s lives easier.”
The computer security community has long puzzled over why so many users fail to snap to attention when alerted to news about the latest threats, such as viruses, worms, Trojan horses, malware, and spyware. At countless conferences and seminars, experts have consistently called for more education and outreach as the answer to user apathy or ignorance. But the research of Herley and others is causing many to realize most of the blame for noncompliance rests not with users, but with the experts themselves — the pros aren’t able to make a strong case for all their recommendations.
Some advice is excellent, of course. But instead of working to prioritize what efforts are effective, government and security industry officials have resorted to dramatic boldface statements about the horrors of poor passwords and other safety lapses, overwhelming the public. For instance, the federal government’s website for computer safety tips, www.us-cert.gov, includes more than 50 categories under the heading of “Cyber Security Tips.” Each category leads to complex sets of instructions.
“It’s nice to see the industry starting to grapple with these issues,” said Bruce Schneier, the author of “Secrets and Lies,” a book about computer and network security. In a blog posting last year, Schneier recalled a security conference at which a speaker was baffled by the failure of workers at his company to adhere to strict computer policies. Schneier speculated that the employees knew following those policies would cut into their work time. They understood better than the IT department that the risks of not completing their assignments far outweighed any unspecified consequences of ignoring a security rule or three. “People do what makes sense and don’t do what doesn’t,” he said. To prompt them to be more rigorous about computer protection, he said, “You want actual studies, actual data.”
That poses a challenge for the security industry, Herley said. While doctors can cite statistics showing smoking causes cancer, and road-safety engineers can produce miles of numbers supporting seat belt use, computer security professionals lack such compelling evidence to give their advice clout. “Unbelievable though it might seem, we don’t have data on most of the attacks we talk about,” he said. “That’s precisely why we’re in this ‘do it all’ approach.”
His paper argues for advice that incorporates more information, and less hyperbole. Security professionals need to consider that user education costs everyone (in time), but benefits only the small percentage who are actually victimized, he wrote. Advice must be based on an estimate of the victimization rate for a particular security issue, not a worst-case scenario risk analysis. It’s a start to quantify in a rough way the value of user time, he said, but more study is required. The central question that remains to be answered: Given all the threats, what steps produce results that outweigh the price for society at large?
Costs can come in unexpected ways, he suggests. One example he studied was phishing. Banks and other investment companies often guarantee to reimburse customers if unauthorized withdrawals are made from their online accounts, so the customer does not pay a direct price. The banks face losses, but they are relatively modest — the annual cost nationwide as a result of phishing attacks is $60 million, Herley estimated. By instructing users to take measures against them (such as by scouring URLs to make sure they lead to legitimate websites), “we’re imposing a cost that is orders of magnitude greater than the problem it addresses,” he said.
For banks, the greater potential for damages comes not from a phishing attack itself, but indirect expenses. Herley used
No one is saying computer security threats are not a serious matter. Attacks multiply daily and are becoming more effective, having risen far beyond the sophistication level of the Nigerian prince looking to unload $12 million. Check your in-box — within the last few hours a criminal probably sent you an invitation to be victimized. Herley’s paper cites a report that said an unprotected PC will be invaded within 12 minutes of being connected to the Internet, on average. And last month, Justice Department Inspector General Glenn A. Fine warned the government isn’t keeping pace with cyber crooks in its efforts to combat the fastest-growing crime in the United States — identity theft. About 10 million Americans are affected each year.
With all that scary stuff in mind, it is easy to appreciate the sincerity of those pushing us to be more vigilant, even if their methods are muddled.
So which security measures offer a reasonable return on time and effort? Although coming up with a sensible list of security actions was not a goal of Herley’s research, he does have some suggestions based on personal experience. Start with bullet-proof passwords, he said, even if your employer requires you to periodically reinvent them or use too many (he juggles about three dozen as part of his work). Beyond that, he is big on one-time measures that offer ongoing benefits, like installing the latest software to shield against viruses and spyware (set it to automatically update). Two-thirds of computers have outdated software protection, according to a Microsoft spokesman. The company also recommends activating a firewall, which “functions like a moat around a castle.” Combined, such measures shouldn’t take more than 30 minutes, it said, and offer insulation from what is perhaps the biggest security menace of all: users.
“One of the main ways people get compromised is that they open the door to an attacker themselves,” said Herley. Someone might load software promoted as offering protection when it is actually spyware in disguise, he said, or they “open an e-mail attachment with a malicious payload....If this happens, it can be very bad. A piece of malicious keylogging software on your machine can grab all of your passwords: It makes no difference at that point whether they are strong or weak.”
After all this trash talk about security, you might wonder what Microsoft chief executive Steve Ballmer thinks about one of his key researchers challenging much of the advice the industry giant dispenses like gospel. Herley insists there has not been any blowback. Microsoft encourages its researchers to “push against fixed beliefs, even when some of the ideas can be controversial,” he said. And from outside Redmond, Wash., he added, “the reaction has been tremendous.”
“Maybe I’m just saying out loud what is rather obvious — we seem to be causing lots of unnecessary misery.”
Mark Pothier is the Globe’s senior assistant business editor. He can be reached at firstname.lastname@example.org.