Ben Laurie blathering

The Rational Rejection of Security Advice

At the (always fun) New Security Paradigms Workshop this year, Cormac Herley presented “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users”. In short, this paper looks at the cost to users of implementing security advice, versus the cost of failing to do so, and concludes that the advice we give is far too expensive.

I’ve been meaning to blog about it for a while, but today is a good day, because today I learnt that AOL are dropping support for SecurID. Why does AOL always get this stuff wrong? It’s supposed to be the users who ignore the security advice, not the provider who stops giving it! Also, you have got to love this quote

“We feel that users can have a better experience without sacrificing their security, and we’ve offered assistance in creating passwords that follow recognized protocols for complexity and measures to guard against online threats and hackers,” the company said in a statement.

Right, because the whole point of a one-time password device is to compensate for weak passwords. Not.

1 Comment

  1. […] Links » The Rational Rejection of Security Advice […]

    Pingback by Interesting elsewhere – 17 December 2009 to 6 January 2010 | Public Strategist — 7 Jan 2010 @ 13:13
