Content

Security advice

FOR

Security advice doesn't offer security. It offers to reduce, by an unknown amount, the unknown risk of harm.

The cost side of the ledger is the clearer: Choose strong passwords, pay attention to incomprehensible security warnings, read URLs etc.

Worse, the burden is growing. There are many threats and there's just too much stuff to do. What of the benefits? The worst-case analysis that security excels at says nothing about the questions that users care about. What are my chances of being hacked, and how much do they improve if I choose a stronger password? If I ignore this popup how likely is it that something bad happens? How much of this stuff is happening anyway?

We ask a lot of users, but on these perfectly reasonable questions we are silent. Thus, the effort is definite and ongoing, but the benefit is uncertain.

That the benefit is greater than the cost has been asserted or assumed rather than shown. This is our failure, not theirs.

– Cormac Herley, principal researcher, Microsoft

AGAINST

I'd argue the primary reason users, especially those in corporate environments, don't follow security advice is because of an underlying belief that IT security shouldn't be their job. I've commented before that security advice suffers from ‘user-friendliness' issues: It's too technical, boring, overhyped and so on. But given a choice, I suspect users don't want more or better security education. Instead, they'd want programs with security seamlessly and unobtrusively incorporated, so that users aren't distracted from their primary task.

Unfortunately, users are often forced (by availability or workplace policies) to depend on insecure programs, despite knowing that doing so leaves them vulnerable. To add insult to injury, security advice tends to foist the burden of maintaining security on the (already overtaxed) user, which is perceived as “passing the buck.” And like most unwelcome obligations, it's not always handled well. I'd say this isn't a failing in the user's behavior. It's a failing in IT security to meet the user's needs.

– Alia Hilyati, technical writer/editor, F-Secure Labs

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.