[dundee] Are Users Right In Rejecting Security Advice?

Kris Davidson davidson.kris at gmail.com
Thu Mar 18 13:29:03 UTC 2010


I'd like to make the point that these are the same users who complain
bitterly at companies like Paypal, Google, their bank and their ISP
when information is lost, identity stolen etc due to personal
negligence. I'm all for users not caring in their own homes if they
don't complain at something they've caused. As an admin I can think of
ways to force users to be secure also and in addition if security is
enshrined into a company policy then appropriate penalties such as
personal liability and loss of job in extreme cases could counter the
economic argument.

Kris

On 18 March 2010 12:32, gordon dunlop <zubenel at fedoraproject.org> wrote:
>
>
> On 18 March 2010 07:50, Robert Ladyman <it at file-away.co.uk> wrote:
>>
>> OK, I've read the paper and its main claim is that users are not being
>> stupid in ignoring security advice, as the economic cost to them of
>> complying with security advice (sum delta-benefit) is massively greater
>> than the possible losses (sum delta-cost): unfortunately, this assumes
>> that users actually calculate this (which is economist-nonsense) - the
>> paper's phrase is "We argue that users' rejection of the security advice
>> they receive is entirely rational from an economic perspective." It might
>> be mathematically rational ('scuse the pun) but I doubt that users are
>> actively calculating this ratio (I have no evidence for that doubt, but I
>> also see no evidence cited for the opposite claim).
>>
>> The paper also takes the route of dividing the total individual losses by
>> the user population and coming up with (for example) the average loss
>> being 33 U.S. cents so that any advice taking more than 2.6 minutes
>> annually (the loss using minimum wages, etc.) is uneconomic. By that
>> calculation, I suppose none of us should bother with locks on our doors
>> (as the cost of an individual break-in divided by the population
>> approaches zero).
>>
>> The report is U.S.-focussed and hence ignores things like DP Act
>> compliance (all right, sound of my high horse galloping, I know).
>>
>> The general observation that Harry Home-owner doesn't understand many of
>> the security issues is undeniable: my irony-senses were tingling, though,
>> based on the source of the paper and some of the described vectors.
>
> I actually liked the paper in that some of these attack vectors were OS
> independent and therefore affect all computer users. The complexity and
> sheer volume of security advice given, due to different types of vector
> attack, certainly confuses Joe Public. The realistic conclusion of "Given a
> choice between dancing pigs and security, users will pick dancing pigs every
> time" means that software OS's, applications & online businesses etc. have
> got to be the principal driving force for the protection of users rather
> than just saying "we should educate users". If Cormac Herley's colleagues at
> Redmond had read and understood his paper we would not get inane ramblings
> like the following:
>
>  http://stop.zona-m.net/node/109
>
>  Gordon
>
>
>
>>
>> --
>>
>> Robert Ladyman
>> File-Away Limited, 32 Church Street, Newtyle
>> Perthshire, PH12 8TZ SCOTLAND
>> Registered in Scotland, Company Number SC222086
>> Tel: +44 (0) 1828 898 158
>> Mobile: +44 (0) 7732 771 649
>> http://www.file-away.co.uk
>>
>>
>> _______________________________________________
>> dundee GNU/Linux Users Group mailing list
>> dundee at lists.lug.org.uk  http://dundeelug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/dundee
>> Chat on IRC, #tlug on irc.lug.org.uk
>


