The Communications Web site, http://cacm.acm.org, features more than a dozen bloggers in the BLOG@CACM community. In each issue of Communications, we'll publish selected posts or excerpts.
Follow us on Twitter at http://twitter.com/blogCACM
DOI:10.1145/1859204.1859208
http://cacm.acm.org/blogs/blog-cacm
Security Advice; Malvertisements; and CS Education in Qatar
Greg Linden discusses security advice and the cost of user effort, Jason Hong considers the increase in malvertisements, and Mark Guzdial writes about gender and CS education in Qatar.
Greg Linden, "What Security Advice Should We Give?" http://cacm.acm.org/blogs/blog-cacm/87847

Should people follow the security advice we give them? The surprising answer is no. According to a recent paper, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users," by Cormac Herley at Microsoft Research, not only do people not follow the security advice we give them, but they shouldn't.

The problem is that security advice ignores the cost of user effort. When the likelihood of having a loss is low, and if the cost of the loss in time or money is low, then the cost of being vigilant must be trivially low. Much of what we ask of people takes too much effort. Taking an example from Herley's paper, if only 1% per year get hit with a threat that costs 10 hours to clean up, the effort required to avoid the threat must be no more than one second per day.

This is a frighteningly low bar. It means that almost all end-user security must require nearly no effort. Can security features have this little effort?

Some do. For example, rather than imposing harsh and mandatory restrictions on passwords (for example, length between 6–8 characters, must contain a number and a letter, must be changed every three weeks), some Web sites merely report an estimate of the strength of a password while accepting almost anything. This imposes almost no effort while still encouraging longer, stronger, and more memorable passwords. Not only does this make sense for users, but it also makes sense for companies since, as Herley's paper points out, the costs of having more agent-assisted password resets after forcing people to choose difficult-to-remember passwords can easily be higher than the cost of having more attacks.

Another example implemented by some browsers is improving the visibility of the domain when displaying the URL in a browser. This makes it much easier to see if you are at the correct Web site, possibly reducing that effort below the threshold where people will find it worthwhile.
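The break-even calculation behind Herley's example above, written out as an added illustration (not code from the post or the paper). It assumes a simple model: following the advice costs a fixed number of seconds every day and removes a fraction `efficacy` of the annual risk; the `efficacy` parameter and the effort figures in the `__main__` block are constructed assumptions, not numbers from the page.

```python
"""Cost-benefit check for a piece of security advice, in the spirit of
Herley's argument.  Units: probabilities per year, losses in hours,
user effort in seconds per day.  Assumed model (not from the post):
following the advice costs `effort_seconds_per_day` every day and
removes a fraction `efficacy` of the annual risk."""

DAYS_PER_YEAR = 365
SECONDS_PER_HOUR = 3600


def expected_annual_loss_hours(p_annual: float, cleanup_hours: float) -> float:
    """Expected yearly loss if the user ignores the advice entirely."""
    return p_annual * cleanup_hours


def max_daily_effort_seconds(p_annual: float, cleanup_hours: float,
                             efficacy: float = 1.0) -> float:
    """Break-even effort budget: the most seconds per day the advice may
    cost before following it is irrational.  With efficacy=1.0 this is
    the figure in Herley's example (1%/year, 10 hours -> about 1 s/day)."""
    avoided = efficacy * expected_annual_loss_hours(p_annual, cleanup_hours)
    return avoided * SECONDS_PER_HOUR / DAYS_PER_YEAR


def is_rational_to_follow(p_annual: float, cleanup_hours: float,
                          effort_seconds_per_day: float,
                          efficacy: float = 1.0) -> bool:
    """True when a year of daily effort costs less than the loss it avoids."""
    yearly_effort_hours = effort_seconds_per_day * DAYS_PER_YEAR / SECONDS_PER_HOUR
    avoided = efficacy * expected_annual_loss_hours(p_annual, cleanup_hours)
    return yearly_effort_hours < avoided


if __name__ == "__main__":
    print(f"break-even budget: {max_daily_effort_seconds(0.01, 10):.2f} s/day")
    # Constructed figures: a mandatory rotate-every-three-weeks rule costing
    # about 60 s/day fails the test; a one-off strength meter at 0.5 s/day passes.
    print(is_rational_to_follow(0.01, 10, 60))   # False
    print(is_rational_to_follow(0.01, 10, 0.5))  # True
```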
Jason Hong, "Malvertisements Growing as Online Security Threat" http://cacm.acm.org/blogs/blog-cacm/90522
I'm at the Anti-Phishing Working Group's Counter eCrime Operations Summit IV this week. The conference is attended by law-enforcement officers, researchers, and industry professionals. I'll be giving some highlights that are relevant to usable privacy and security.
Gary Warner from University of Ala-