Much computer security advice is not worth following
Click Here To Read: Much computer security advice is not worth following
Introduction (Via Boston.com)
To continue reading this story, enter your password now. If you do not have a password, please create one. It must contain a minimum of eight characters, including upper- and lower-case letters and one number. This is for your own good.
Nonsense, of course, but it helps illustrate a point: You will need a computer password today, maybe a half dozen or more — those secret sign-ins that serve as sentries for everything from Amazon shopping carts to work files to online bank accounts. Just when you have them all sorted out, along comes another “urgent” directive from the bank or IT department — time to reset those codes, for safety’s sake. And the latest lineup of log-ins you’ve concocted won’t last for long, either. Some might temporarily stay in your head, others are jotted on scraps of paper and stuffed in a wallet. A few might be taped to your computer monitor in plain view (or are those from last year’s batch? Who can remember?).
Now, a study has concluded what lots of us have long suspected: Many of these irritating security measures are a waste of time. The study, by a top researcher at Microsoft, found that instructions intended to spare us from costly computer attacks often exact a much steeper price in the form of user effort and time expended.
“Most security advice simply offers a poor cost-benefit trade-off to users,” wrote its author, Cormac Herley, a principal researcher for Microsoft Research.
Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
Interesting Bit (Via Boston.com)
In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It’s a high hurdle to clear.