<br><br><div class="gmail_quote">On 18 March 2010 07:50, Robert Ladyman <span dir="ltr"><<a href="mailto:it@file-away.co.uk">it@file-away.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
OK, I've read the paper and its main claim is that users are not being stupid<br>
in ignoring security advice, as the economic cost to them of complying with<br>
security advice (sum delta-benefit) is massively greater than the possible<br>
losses (sum delta-cost): unfortunately, this assumes that users actually<br>
calculate this (which is economist-nonsense) - the paper's phrase is "We argue<br>
that users’ rejection of the security advice they receive is entirely rational<br>
from an economic perspective." It might be mathematically rational ('scuse the<br>
pun) but I doubt that users are actively calculating this ratio (I have no<br>
evidence for that doubt, but I also see no evidence cited for the opposite<br>
claim).<br>
<br>
The paper also takes the route of dividing the total individual losses by the<br>
user population and coming up with (for example) the average loss being 33<br>
U.S. cents so that any advice taking more that 2.6 minutes annually (the loss<br>
using minimum wages, etc.) is uneconomic. By that calculation, I suppose none<br>
of us should bother with locks on our doors (as the cost of an individual<br>
break-in divided by the population approaches zero).<br>
<br>
The report is U.S.-focussed and hence ignores things like DP Act compliance<br>
(all right, sound of my high horse galloping, I know).<br>
<br>
The general observation that Harry Home-owner doesn't understand many of the<br>
security issues is undeniable: my irony-senses were tingling, though, based on<br>
the source of the paper and some of the described vectors.<br>
<div><div></div><div class="h5"></div></div></blockquote><div><br>I actually liked the paper in that some of these attack vectors were OS independent and therefore affects all computer users. The complexity and sheer volume of security advice given, due to different types of vector attack, certainly confuses Joe Public. The realistic conclusion of "Given a choice between dancing pigs and security, users will pick dancing pigs every time" means that software OS's, applications & online businesses etc. has got to be the principal driving force for the protection of users rather than just saying "we should educate users". If Corman Herley's colleagues at Redmond had read and understood his paper we would not get inane ramblings like the following:<br>
<br> <a href="http://stop.zona-m.net/node/109">http://stop.zona-m.net/node/109</a><br><br> Gordon <br><br><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div class="h5">--<br></div></div>
<br>
Robert Ladyman<br>
File-Away Limited, 32 Church Street, Newtyle<br>
Perthshire, PH12 8TZ SCOTLAND<br>
Registered in Scotland, Company Number SC222086<br>
Tel: +44 (0) 1828 898 158<br>
Mobile: +44 (0) 7732 771 649<br>
<a href="http://www.file-away.co.uk" target="_blank">http://www.file-away.co.uk</a><br>
<br>
<br>
_______________________________________________<br>
dundee GNU/Linux Users Group mailing list<br>
<a href="mailto:dundee@lists.lug.org.uk">dundee@lists.lug.org.uk</a> <a href="http://dundeelug.org.uk" target="_blank">http://dundeelug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/dundee" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/dundee</a><br>
Chat on IRC, #tlug on <a href="http://irc.lug.org.uk" target="_blank">irc.lug.org.uk</a></blockquote></div><br>