[dundee] Are Users Right In Rejecting Security Advice?

gordon dunlop zubenel at fedoraproject.org
Thu Mar 18 12:32:47 UTC 2010


On 18 March 2010 07:50, Robert Ladyman <it at file-away.co.uk> wrote:

> OK, I've read the paper and its main claim is that users are not being stupid
> in ignoring security advice, as the economic cost to them of complying with
> security advice (sum delta-benefit) is massively greater than the possible
> losses (sum delta-cost): unfortunately, this assumes that users actually
> calculate this (which is economist-nonsense) - the paper's phrase is "We argue
> that users' rejection of the security advice they receive is entirely rational
> from an economic perspective." It might be mathematically rational ('scuse the
> pun) but I doubt that users are actively calculating this ratio (I have no
> evidence for that doubt, but I also see no evidence cited for the opposite
> claim).
>
> The paper also takes the route of dividing the total individual losses by the
> user population and coming up with (for example) the average loss being 33
> U.S. cents so that any advice taking more than 2.6 minutes annually (the loss
> using minimum wages, etc.) is uneconomic. By that calculation, I suppose none
> of us should bother with locks on our doors (as the cost of an individual
> break-in divided by the population approaches zero).
>
> The report is U.S.-focussed and hence ignores things like DP Act compliance
> (all right, sound of my high horse galloping, I know).
>
> The general observation that Harry Home-owner doesn't understand many of the
> security issues is undeniable: my irony-senses were tingling, though, based on
> the source of the paper and some of the described vectors.
>

I actually liked the paper in that some of these attack vectors were OS
independent and therefore affect all computer users. The complexity and
sheer volume of security advice given, due to different types of attack
vector, certainly confuses Joe Public. The realistic conclusion of "Given a
choice between dancing pigs and security, users will pick dancing pigs every
time" means that software OS's, applications & online businesses etc. have
got to be the principal driving force for the protection of users rather
than just saying "we should educate users". If Cormac Herley's colleagues at
Redmond had read and understood his paper we would not get inane ramblings
like the following:

 http://stop.zona-m.net/node/109

 Gordon




> --
>
> Robert Ladyman
> File-Away Limited, 32 Church Street, Newtyle
> Perthshire, PH12 8TZ SCOTLAND
> Registered in Scotland, Company Number SC222086
> Tel: +44 (0) 1828 898 158
> Mobile: +44 (0) 7732 771 649
> http://www.file-away.co.uk
>
>
> _______________________________________________
> dundee GNU/Linux Users Group mailing list
> dundee at lists.lug.org.uk  http://dundeelug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/dundee
> Chat on IRC, #tlug on irc.lug.org.uk