|COOKIES: By using this website you agree that we can place Google Analytics Cookies on your device for performance monitoring.|
So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
If you have a question about this talk, please contact Andrew Lewis.
The failure of users to follow security advice has often been noted. They chose weak passwords, ignore security warnings, and are oblivious to certificates. It is often suggested that users are hopelessly lazy and unmotivated on security questions. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. As with many activities, online crime generates direct losses and externalities. The advice offers to shield them from the direct costs of attacks, but burdens them with the indirect costs, or externalities. Since the direct costs are generally small relative to the indirect ones, they reject this bargain. We examine three areas of user education: password rules, phishing site identification, and SSL certificates. In each we find that the advice is complex and growing, but the benefit is largely speculative or moot. In the cases where we can estimate benefit, it emerges that the burden of following the security advice is actually greater than the direct losses caused by the attack.
Bio: Cormac Herley is a Principal Researcher at Microsoft Research. His main current interests are data and signal analysis problems that reduce complexity and help users avoid harm. He’s been at MSR since 1999, and before that was at HP where he headed the company’s currency anti-counterfeiting efforts. Some of his recent published work has focused on problems of passwords and authentication, the economics of cybercrime, phishing prevention technologies and keylogger resistant access to existing web accounts.
He received the PhD degree from Columbia University, the MSEE from Georgia Tech, and the BE(Elect) from the National University of Ireland. He is a former adjunct at UC Berkeley, has authored more than 50 peer reviewed papers, is inventor of 70 or so US patents (issued or pending) and has shipped technologies used by tens of millions of users.
This talk is part of the Computer Laboratory Security Seminar series.
This talk is included in these lists:
Note that ex-directory lists are not shown.
Other listsInstitute of Continuing Education Departmental Seminars in History and Philosophy of Science Centre for Science and Policy Seminars
Other talksVariation in measures and markers of timeliness of diagnosis in cancer Hack the Lab Chaucer's Franklin's Tale Café Synthetique Wound Healing 2016 Measuring Ethnicity in the NHS