So Long and No Thanks – Security Cost-Benefit Analysis

Kordel

I stumbled upon an exceptional and groundbreaking white paper on Microsoft’s website a couple of months ago. Written by Cormac Herley of Microsoft Research, I’d consider it a “Must Read” for any Security Analyst, Consultant, Administrator or interested user. Check out the abstract below, and then check out the full article in PDF here or directly from Microsoft here.

Please Note: All credit for this document and Abstract go directly to Cormac Herley!

ABSTRACT
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.

Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit trade off to users and is rejected.

Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.

fish hook

Catching the Big Phish

By Eberly Systems September 20, 2024
We're all in the same boat trying to avoid cybercrime! Here's our top ways to identify a potential phishing attempt.

Key Notes from the Security Team: Q3 2024

By Eberly Systems September 10, 2024
Focus on integrating with new team members and new customers

Key Notes from the Security Team: Q2 2024

By Eberly Systems July 9, 2024
Keeping you abreast of security news

Eberly Systems Acquires Lebanon County LYLAB Technology Solutions

By Eberly Systems May 2, 2024
West Lawn, PA, May 2, 2024 — Eberly Systems , the West Lawn-based managed IT services and managed voice provider, today announces its acquisition of the Lebanon-based LYLAB Technology Solutions. Eberly Systems seeks to further a movement of people who are motivated and equipped to make a difference in their world through their daily work. They believe in building lasting partnerships based on trust and transparency while delivering industry-leading solutions to support and protect critical business assets. Driven by the principles of people, excellence, integrity, and stewardship, the team prides itself on partnering with companies to securely, reliably, and efficiently grow their businesses. “We cannot be more excited to join forces with the LYLAB team,” comments Kordel Eberly, Eberly Systems President & Founder. “ The integration of LYLAB Technology Solutions into Eberly Systems solidifies our commitment to providing small businesses with unparalleled service and support. We’re proud of this new opportunity to carefully design and manage the IT infrastructure and systems of even more local businesses and communities.” The acquisition solidifies the Eberly Systems commitment to supporting businesses in Lebanon County. Merging the two teams together as one entity offers the collective team the benefit of enhancing capabilities, refining processes, and extending reach to better serve the evolving needs of small businesses in the surrounding area. Future plans include expanding their presence into Lancaster County.
computer help with IT support

Navigating Small Business Success: The Power of IT Outsourcing for SMBs

By Eberly Systems January 16, 2024
A trusted MSP can be your invaluable strategic partner.

Enhancing Business Security and Productivity with Microsoft Office 365

By Eberly Systems January 2, 2024
These 5 key features of Office 365 Business Premium make it essential for businesses to have.
set of keys

Key Notes from the Security Team: Q4 2023

By Eberly Systems December 19, 2023
Eberly Systems has been hard at work over the last year in a concerted effort to enhance the security posture of our clients’ information technology environments. Here are the quarterly updates.
construction site

Customer Success Story: Construction

By Eberly Systems July 3, 2023
After years of steady growth, the workforce at a construction development and property management company was becoming increasingly frustrated by disorganized data. Eberly Systems deployed a hybrid cloud storage solution for efficiency and secure data access.

SharePoint File Storage & Sharing Best Practices 

By Nate M. June 1, 2023
SharePoint file storage has both features and limitations that you should be aware of while storing and accessing files. Here's a rundown.

Best Practices for Creating Passwords in 2023

By Nate M. January 5, 2023
These are the Eberly Systems recommendations for creating good passwords in 2023.
More Posts