Should Users Reject IT Security Advice?

Writing on the TechRepublic's IT Security blog, Michael Kassner has an interesting point here. There seems to be an endless drumbeat of security advice dumped on users, ranging from more frequent password resets to watching for phishing e-mails and invalid certificates.

But does the information sink in? And, if not, why? It doesn't catch not only because there are too many rules, and among those too many to follow to the letter, but because users don't see a cost benefit, or sometimes any tangible benefit, at all.

Kassner was quoting a paper by Microsoft researcher Cormac Herley, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users".

Here some highlights of the recommendations from Herley's work:

• We need an estimate of the victimization rate for any exploit when designing appropriate security advice. Without this we end up doing worst-case risk analysis.

• User education is a cost borne by the whole population, while offering benefit only to the fraction that fall victim. Thus the cost of any security advice should be in proportion to the victimization rate.

• Retiring advice that is no longer compelling is necessary. Many of the instructions with which we burden users do little to address the current harms that they face.

• We must prioritize advice. In trying to defend everything we end up defending nothing. When we provide long lists of unordered advice we abdicate all opportunity to have influence and abandon users to fend for themselves.

• We must respect users’ time and effort. Viewing the user’s time as worth $2.6 billion an hour is a better starting point than valuing it at zero.