So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
If you have a question about this talk, please contact Andrew Lewis.
The failure of users to follow security advice has often been noted. They choose weak passwords, ignore security warnings, and are oblivious to certificates. It is often suggested that users are hopelessly lazy and unmotivated on security questions. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. As with many activities, online crime generates direct losses and externalities. The advice offers to shield users from the direct costs of attacks, but burdens them with the indirect costs, or externalities. Since the direct costs are generally small relative to the indirect ones, users reject this bargain. We examine three areas of user education: password rules, phishing site identification, and SSL certificates. In each we find that the advice is complex and growing, but the benefit is largely speculative or moot. In the cases where we can estimate benefit, it emerges that the burden of following the security advice is actually greater than the direct losses caused by the attack.
Bio: Cormac Herley is a Principal Researcher at Microsoft Research. His main current interests are data and signal analysis problems that reduce complexity and help users avoid harm. He has been at MSR since 1999, and before that was at HP, where he headed the company’s currency anti-counterfeiting efforts. Some of his recent published work has focused on problems of passwords and authentication, the economics of cybercrime, phishing prevention technologies and keylogger-resistant access to existing web accounts.
He received the PhD degree from Columbia University, the MSEE from Georgia Tech, and the BE(Elect) from the National University of Ireland. He is a former adjunct at UC Berkeley, has authored more than 50 peer-reviewed papers, is inventor of 70 or so US patents (issued or pending) and has shipped technologies used by tens of millions of users.
This talk is part of the Computer Laboratory Security Seminar series.