Security advice

Great post from rsnake pointing out a Microsoft Research paper ("So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users") on how security advice often does more harm than good: http://ha.ckers.org/blog/20100317/effectiveness-of-user-training-and-security-products-in-general/

I have always disagreed with strict password policies. Most of them offer no gain over a passphrase, and they bring plenty of negative effects (usually because the user can't remember the password). Requiring a password on a home computer that doesn't need to be protected from physical access is a total waste.

But I didn't hear anything about deterrence. Following security advice, or even the fact that some of us do, prevents many attacks from happening at all, because they wouldn't work, might not work, or the attacker isn't willing to risk the small chance that they won't work. If we dropped our guard (browsers stopped warning about invalid certs, people stopped looking for phishing emails, and so on), it would be idiotic to assume that attacks would not increase. How much would they increase? That's the real question to be answered.
