It’s common sense that strong passwords and awareness of malicious URLs are the best line of defense for applications and data. However, one IT researcher has done a cost/benefit analysis of such efforts, and questions whether the costs of strong password management outweighs the benefits.
That’s the gist of a recent study by Microsoft researcher Cormac Herley, who questions the advantages of strong password rules, which “shields [users] from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.”
Niel Rubenking, who surfaced Herley’s paper on his blogsite, provides a synopsis of Herley’s logic: that “users who ignore security advice aren’t lazy or stupid; rather they’re acting rationally. The advice is complex, and the benefits are ‘largely speculative or moot.’”
Time is what is at issue with most security incidents, Herley reasons. The bottom line is the amount of time users are tied up with security protocols may outweigh any time saved by stopping malicious hacks and code. As Herley explains:
“We need better understanding of the actual harms endured by users. There has been insuﬃcient attention to the fact that it is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them.”
Herley also points out that while “user education is a cost borne by the whole population,” the benefits may only be seen by the small percentage of users that fall victim to security attacks. “The cost of any security advice should be in proportion to the victimization rate,” he says.
Rubenking also points to another piece of Herley’s analysis, which finds that teaching users to recognize phishing URLs is a losing proposition, not worth the time spent. “Herley calculates that a task requiring one minute per day from every working adult in the U.S. costs about $15.9 billion per year. Unnecessary security advice ‘treats as free a resource that is actually worth $2.6 billion an hour.’”
Rubenking says, however, that complex, non-guessable passwords are still an important security protocol that needs to be kept in place. He recommends automating the process as much as possible for end users with a password manager that generates strong passwords.
In the words of Herley:
“Security advice is a daily burden, applied to the whole population, while an upper bound on the beneﬁt is the harm suﬀered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneﬁcial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.”
Is the time and cost of requiring everyone to address security protocols worth the potential time and cost saved among users who need to get back to work after an incident?