So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
Computer Laboratory Security Seminar, University of Cambridge
If you have a question about this talk, please contact Andrew Lewis.

The failure of users to follow security advice has often been noted. They choose weak passwords, ignore security warnings, and are oblivious to certificates. It is often suggested that users are hopelessly lazy and unmotivated on security questions. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. As with many activities, online crime generates direct losses and externalities. The advice offers to shield users from the direct costs of attacks, but burdens them with the indirect costs, or externalities. Since the direct costs are generally small relative to the indirect ones, they reject this bargain. We examine three areas of user education: password rules, phishing site identification, and SSL certificates. In each we find that the advice is complex and growing, but the benefit is largely speculative or moot. In the cases where we can estimate benefit, it emerges that the burden of following the security advice is actually greater than the direct losses caused by the attack.

Bio: Cormac Herley is a Principal Researcher at Microsoft Research. His main current interests are data and signal analysis problems that reduce complexity and help users avoid harm. He has been at MSR since 1999, and before that was at HP, where he headed the company's currency anti-counterfeiting efforts. Some of his recent published work has focused on problems of passwords and authentication, the economics of cybercrime, phishing prevention technologies, and keylogger-resistant access to existing web accounts. He received the PhD degree from Columbia University, the MSEE from Georgia Tech, and the BE(Elect) from the National University of Ireland. He is a former adjunct at UC Berkeley, has authored more than 50 peer-reviewed papers, is the inventor of 70 or so US patents (issued or pending), and has shipped technologies used by tens of millions of users.
This talk is part of the Computer Laboratory Security Seminar series.