web application security lab

Effectiveness of User Training… and Security Products in General

It’s not every day I come across real wisdom in research but I saw a link yesterday to So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users which is a research paper written by one of the guys at Microsoft. There are some amazingly choice quotes in there, like:

as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever. Thus, to a good approximation, 100% of certificate errors are false positives.

Priceless… Mozilla - take a word of advice from the MS guys and make your invalid SSL cert flow 1000% less annoying please. Anyway, another one of the quotes I thought was even more interesting:

If phishing victimizes 0.37% of users per year and each victim wastes 10 hours sorting it out, to be beneficial the daily effort of following the advice should be less than 0.0037 × 0.5 × 10 / 365 hours or 0.18 seconds per day.

So… if 0.18 seconds per day is too much, let’s take a look at what our anti-phishing technologies are doing. Let’s say they take up 2 whole seconds a day to download their lists and verify that the sites you browse aren’t on that list, while you are surfing and booting up and shutting down browser processes, etc. That is more than a 10x delta from what it should actually take. Further, let’s do the math on what would happen if anti-phishing went away. How many times worse would the phishing black market be if anti-phishing filters went away entirely and phishing was instead dealt with by the registrars, ISPs and the brand owners themselves? Three times? Five times? Would it go to ten times? Would it go to more than ten times, which is what it would take to make the filters actually worthwhile from an economic perspective?

How about UAC in Windows? How many seconds has that added to everyone’s day to stop the threat of malware? Does it add up, and does it actually stop enough malware infections to justify the additional time it incurs? What about anti-virus? Are we operating in a deficit, or do those security products actually prove themselves to be worthwhile for the entire public? I know this is really tricky math based on an insane number of variables, and it might very well prove out that some products are a no-brainer because they don’t add time or latency. But I do suspect there are a lot of things that we tend to think of as good ideas that actually end up being worse for the end user if you do the math. I know the paper was really talking about user education being a bad idea economically (and I couldn’t agree more based on every study I’ve seen or been a part of). But it’s still interesting to think about how a similar formula could be applied elsewhere. Thought provoking research anyway.
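To make the "do the math" part concrete, here is an added example (not from the post or the paper) that encodes the paper's break-even rule and answers the question above about a hypothetical 2-second-a-day anti-phishing filter. It assumes the paper's 0.5 factor is the share of the loss the advice averts; the `Advice` type and function names are mine.

```python
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600
DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class Advice:
    """A piece of security advice (or a product) and its assumed economics."""
    name: str
    daily_cost_seconds: float      # time it costs each user per day
    victim_rate_per_year: float    # fraction of users victimized per year without it
    hours_per_victim: float        # clean-up time per incident
    fraction_averted: float        # share of that loss the advice prevents (assumption)


def break_even_daily_seconds(victim_rate_per_year: float, hours_per_victim: float,
                             fraction_averted: float) -> float:
    """The paper's threshold: daily effort must stay below rate * averted * hours / 365."""
    averted_hours_per_year = victim_rate_per_year * fraction_averted * hours_per_victim
    return averted_hours_per_year / DAYS_PER_YEAR * SECONDS_PER_HOUR


def net_hours_per_user_year(a: Advice) -> float:
    """Averted loss minus time spent; negative means it costs users more than it saves."""
    averted = a.victim_rate_per_year * a.fraction_averted * a.hours_per_victim
    spent = a.daily_cost_seconds * DAYS_PER_YEAR / SECONDS_PER_HOUR
    return averted - spent


def required_threat_multiplier(a: Advice) -> float:
    """How many times worse the threat would have to be for the advice to break even."""
    threshold = break_even_daily_seconds(a.victim_rate_per_year, a.hours_per_victim,
                                         a.fraction_averted)
    return a.daily_cost_seconds / threshold


# The paper's phishing numbers (0.37%/year, 10 hours per victim) and the post's
# hypothetical filter that costs every user 2 seconds a day.
PHISHING_ADVICE = Advice("read URLs carefully", 0.18, 0.0037, 10, 0.5)
PHISHING_FILTER = Advice("anti-phishing filter", 2.0, 0.0037, 10, 0.5)

if __name__ == "__main__":
    print(f"break-even: {break_even_daily_seconds(0.0037, 10, 0.5):.2f} s/day")
    for a in (PHISHING_ADVICE, PHISHING_FILTER):
        print(f"{a.name}: net {net_hours_per_user_year(a):+.3f} h/user/year, "
              f"needs the threat x{required_threat_multiplier(a):.1f} to break even")
```

Under these assumptions the 2-second filter only pays off if phishing were roughly eleven times worse without it, which is the "more than ten times" figure the post arrives at.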

19 Responses to “Effectiveness of User Training… and Security Products in General”

  1. AppSec Says:

    I guess I got a different feel from the article than about simply “Education isn’t worth the money.” The feel that I got was “the end user doesn’t want to deal with these because they find it more economical to avoid it.” If the article was about “user education” being not worth it, then it would have focused not on the loss by the consumer but on the loss of the bank/company.

    Regardless, I think the study is off. I mean, based on what I gathered from the study — it doesn’t pay for me to roll up my windows or lock my house. After all, insurance will take the brunt of the cost and I spend more than my deductible in time over the course of ownership in “securing” those items.

    Don’t get me wrong, I think there’s a lot in our area which needs to be improved on (but as I’ve said elsewhere — it’s a no win situation because some of those “easier” methods would mean a perception of “loss of privacy.”).

  2. RSnake Says:

    @AppSec - no, they didn’t say “Education isn’t worth the money.” but I would. I know it’s a bold statement, but I haven’t seen a single example where a company spending $100k on user education has stopped more than $100k worth of crime. It just doesn’t work out that way. There are some exceptions to that rule, but they use unconventional teaching techniques (E.g. phishme.com which uses “teachable moments” based on immediate fear induced by the threat of having already been compromised). Adrenaline might teach people, but security pundits like me can’t do so in a meaningful way to the average user.

    If you look at the statistics, it may or may not make sense to roll up your window or lock your car. I don’t have access to those stats. But it could easily be not worthwhile. I mean, if I want whatever is in your car, a window isn’t going to do much to stop me, now is it? Your point is taken, but you can’t rely on your gut to make that call - it really is a numbers game.

  3. Ron W Says:

    You forget the importance of the “feeling” of security. We lock our car doors, front doors, and Windows (both kinds) to remove the risk of feeling violated. The psychology of security is just as important as the reality of security. You can’t put a number to a feeling.
    My job is to ensure my clients (in this case employers) feel that the security in place is sufficient. In reality, there are still exposures, but they’re not going to care as long as they feel secure.
    To be truly effective, we need our feet in both realms and hope we find the sweet spot in balancing security feelings and security realities.

  4. fahadsadah Says:

    If it weren’t for the invalid SSL cert warning, people would be MiTMing SSL left, right and centre. Because there’s a warning, they don’t waste their time - it’s a deterrent.

  5. Dominic Cronin Says:

    Except that, of course, for the victim, the price is more than the 10 hours or so. They feel a lot of intangible, but high cost things, like the feeling of being violated, worry that other parts of their life are not safe. As a society, we have police and security agencies, simply because some things are not to be tolerated. We all feel safer because we know that if we were the victim, our personal drama would be treated as important.

  6. RSnake Says:

    @Dominic - yes, those are indirect soft losses. That’s a bigger problem when consumer confidence is shaken and people transact less as a result (indirect hard losses for the companies). Those costs absolutely need to be calculated into any equation.

  7. RSnake Says:

    @fahadsadah - Would they? Do you have proof or is that speculation? I concur it would happen more often but so much so that it’s worth the cost of having them? It’s fine to speculate, but it’s better if we can put hard numbers around the actual damage and the actual losses in preventing that damage.

  8. thrill Says:

    You know what guys, you’re just scaring the people.. I don’t need any browser security, my company has a firewall.. that’s all we really need.

    oh.. wait.. this is the real world? wuh?

    @fahadsadah - yes, the club is a deterrent for honest people, but guess what, thieves that are determined to own your (insert rare vehicle here) don’t care about the club.. there’s dozens upon dozens of ways to subvert them, just like the silly security warnings that no one, except for security people, pay attention to.. and even in those cases, if we were to read that someone’s certificate was ‘self signed’ there’s a good chance we’d still OK it on firefox.. so what’s the use?

    –thrill

  9. Wladimir Palant Says:

    @RSnake: You are late to the party, I read that article months ago :)

    @thrill: Actually, OK’ing the warning in Firefox is everything but simple - the chance that inexperienced users will ever do that is rather low. And that’s a good thing, it puts some pressure on the websites to fix their certificates. If an app absolutely cannot do without self-signed certificates, it should at least use a root certificate that only needs to be imported once. With some luck, certificate warnings (which are still very common) will become rare enough that any user hitting one will stop and think twice (thrice) before continuing.

  10. Wladimir Palant Says:

    @RSnake: Btw, your math is wrong. An anti-phishing solution isn’t wasting 2 seconds of user’s time to download lists - any properly designed application will do that in background without bothering the user. It is mostly the warnings it might display that are wasting user’s time. Which is why “classic” personal firewalls make no sense whatsoever - they consistently nag the user with warnings (“Do you want to allow foo.exe to access port 12345?”) without providing an equivalent value. Any other security solution that constantly requires user’s attention is equally badly designed and only suitable for geeks who value their security higher than this time loss.

  11. Jawdy Says:

    Ultimate deterrent, get Terry Tate - Office Linebacker, and just shift his job role to include slamming folks for not paying attention to their browser security ;-)

  12. AppSec Says:

    @Wladimir: “Any other security solution that constantly requires user’s attention is equally badly designed and only suitable for geeks who value their security higher than this time loss.”

    Yep, and that’s why I made the comment up top, because any truly easy solution requires someone to give up information which they would then perceive as a loss of privacy or control.

    @RSnake: “concur it would happen more often but so much so that it’s worth the cost of having them? ”

    Isn’t that the same as saying that if we didn’t have the education that we have about security that the potential is there for more attacks — you don’t have proof that there wouldn’t be.. That it would be more efficient for attackers so their costs would go down because consumers would be less responsible? (this is all things being equal — meaning that the state of security is what it is today, not some ideal situation). I mean, let’s take password complexity for example: the paper says this is a waste because if you have lock outs, then there’s no need to have the complexity. But if you have those lockouts, then you can have a mass denial of service attack. If you have soft lockouts, then you get customer confusion (I’m sorry, but soft lockouts are a waste in my mind).

  13. AppSec Says:

    Argh.. Lack of sleeping is making brain and fingers not work correctly.. Sorry for the typos :-/.

  14. Picci Says:

    I get certificate warnings on Microsoft sites all the time. (too many subdomains and nobody fixing certificates I guess)

  15. RavenSteals Says:

    @Ron W: I think you’re spot on that the feeling of security is very important, but this is exactly what the paper says end-users don’t get. If I choose a strong password am I safe? No, you’re a little safer against one particular type of attack. The effort you made is wasted if you’re phished or keylogged. Same thing with 50 other pieces of advice: do it all and am I safe?

    @AppSec: If we could reduce security advice to 2 things like “roll up the windows and lock the doors” then maybe end-users would pay attention. As it is they are presented with an endless list. Teaching users to read URLs and look for spelling mistakes on web-sites is just insane.

  16. RavenSteals Says:

    @Dominic: There are costs that are hard to measure. I don’t fully agree with the way the paper calculates things either. But the fact that users shrug and ignore all of this is worth trying to explain.

  17. Sniper Says:

    End-user education with a bit of scare tactics through demos featuring hacking techniques can be effective sometimes. You can find it at http://pinoysecurity.blogspot.com

  18. PLH Says:

    I am no academic, but I am left with a nagging feeling that some of the author’s arguments, if not actually flawed, are at least incomplete.

    For example:

    - The paper minimizes the potential collateral effects of individual incidents, and does not contemplate the costs of user-oriented security failures in a corporate/multi-user setting at all.
    - This analysis dwells heavily on estimated costs (measured in productivity) associated with certain user-focused security practices, but appears to assume 100% productivity in its estimations of these costs. Furthermore, many of the estimated figures appear to be fairly arbitrary.
    - It also does not consider the aggregate reduction in risk realized when the majority of the population heeds certain security advice. In other words, it appears to assume that the risk would be the same whether or not some or all users follow the advice. However, the author rightly points out that there are virtually no data available on how many compromises occur, for example, due to people writing down or otherwise mishandling passwords.

  19. austin Says:

    When I was younger (~11) I used to give out personal information all the time: my name, I’d show pictures, I’d tell the city I lived in and the state, but I wouldn’t tell them my address, thinking that kept me safe… then someone showed me a site which explained how everyday things you say can be used to extrapolate where you live, your sleeping habits, when you go to or return from school, etc. and that scared me a bit. Since then I have been diligent not to give out personal information (I’m 24 now so I do occasionally use my name online… I just started about a year or two ago..) and I have had many occasions where I tell people where they live or information about them I could derive from talking with them… and their tone changes quite a bit. I imagine them with a shocked look on their face but being over the internet I can’t tell.
    I had one friend who, when I was explaining how I could find where they live from their IP address which I can get from having them view an image hosted on my site, still seemed uninterested… then I also explained that she had showed off her image, gave her real name, and told where she works… she has since stopped those three things…
    I think most people don’t care about most security because it’s not protecting them from something they hold dear. A virus isn’t going to kill them at night for instance (I hope I don’t come off as someone who WOULD do that…). And having your address known to the world can be scary for that reason… someone could come and kill them while they sleep. This is why people lock their door… it’s not because of the stuff… the stuff can be replaced, that’s an inconvenience… but the idea that someone broke into their house and could have killed them is the real source of fear.
    So a hacker could steal your credit card, they could infect your computer, etc. Most people would be upset but not scared. But if you show them how this could lead to them knowing where they live or open up a method of physically hurting them or their family, it’s much scarier.
    And training people in just the things which can lead to THAT scenario would probably make them more secure.