Wednesday, November 25, 2009

Rational Rejection of Security Advice - what can we do about it? (Pt 1)

Cormac Herley of Microsoft Research has written a thought provoking paper which outlines economic reasons why security advice is often ignored.

The guts of the problem, according to Herley, is that:

most security advice simply offers a poor cost-benefit tradeoff to users and is rejected

If you are interested in security awareness then you should read his paper, partly because it will save me trying to explain it here (my brain hurt trying to get my head around some of the economic concepts) but also because it asks some searching questions of current security awareness practices. I for one will be tuning my delivery of security advice as a result.

The paper however does fall down IMHO in a few ways. It is more an economics paper than a technical one, and like all good capitalists Herley assumes a level playing field with everyone starting from zero. An example of this is where he estimates that the annual cost of phishing losses in the US is $60 million. He then goes on to explain that the cost of mitigating phishing (in the US) therefore works out at 33 cents (or 2.6 minutes of an individual’s time) if we were to spend more on fixing the problem than the losses incurred by that problem.

This all sounds reasonable, if we assume that the cost of phishing in the US is $60 million without any prior phishing awareness campaigns taking effect.

As a colleague pointed out, the paper also assumes that there is a quantifiable cost associated with the time a person spends engaging with awareness information. This cost assumes that people are productive 100% of the time – which is of course how an economist would perceive the perfect workforce. Anyone living in the real world knows this to be different. Sure, if my awareness materials stop an employee doing something productive instead of encroaching on their Facebook time at work then yes, let the accountants have their day. But if my materials are engaging enough to replace that ‘non-productive’ time (because they’d rather play the new security awareness game than Farmville) then what they learn only has to reduce the attack surface of the organisation even minutely to be a worthwhile spend.

There’s a lot of other really good stuff in Herley’s paper, and a lot of good discussion about it.

My conclusion from reading it was that as security professionals we need to offer simple, realistic advice that is easy to follow, and focuses on quantifiable risks not worst case scenarios.

How we do this is a challenge. I’m currently writing a submission for AusCERT. Hopefully it will get accepted because the presentation will provide some of my own answers to the questions posed by the paper. More here soon.

[Via http://infosec2.wordpress.com]
