I’m sure this news will come as a relief to many computer and Internet users out there: a recent study by a researcher at Microsoft has found that many IT security measures—those things we love to hate like having to change passwords every three months or having individual passwords for a dozen different work accounts—simply don’t provide good value for the time and effort they involve, not to mention the bad habits they often cause!
In the report, researcher Cormac Herley writes, “Most security advice simply offers a poor cost-benefit trade-off to users”.
It’s not that there’s no point in using passwords to protect users’ data. Rather, there is a gap between the people who develop and promote security measures and the users who must implement them. Security professionals have done their best to provide as much information to users as they can—about potential risks and the ways to avoid them—but consuming the information and putting it into practice takes more time than it’s worth, at least according to Herley’s report. Employees’ time is more valuable than the time it takes to perform all of the commonly required security measures. “A lot of advice makes sense only if we think user time has no value,” said Herley.
Phew! Now, when do you get to ditch all of those passwords? Well, I’m not holding my breath.
Of course, as you probably know, many users already ignore or bypass required security measures whenever possible. They will use the same password for every log-in; they’ll use common words or names as passwords; they’ll even write their user IDs and associated passwords on sticky notes and leave them on their monitors! And according to Herley, this behaviour is perfectly rational, because:
- Users understand, there is no assurance that heeding advice will protect them from attacks.
- Users also know that each additional security measure adds cost (e.g., in time and effort).
- Users perceive attacks to be rare. Not so with security advice; it’s a constant burden, thus costs more than an actual attack.
You can take from that what you will. To address the issue of security-fatigue, Herley recommends closing the gap between security measures and users by helping users understand specific risks without drowning them in general information and instruction, and by making sure that the cost of implementing a security measure is commensurate with the potential benefit of protection as well as the users’ time it will involve, among other measures.
At the same time, Herley offers several general IT security measures that take little time and work very well to close security gaps. These include installing (and activating!) a firewall, and updating software on users’ computers; it can help to allow authorized software to update automatically.
A thorough policy could cover both the back- and front-ends of an organization’s IT security, making sure that security processes are strong, functional, easy to use and efficient. This should make it clearer for security designers in developing security measures and for end-users in their day-to-day tasks. There are numerous other advantages to having a clear policy, as well: users can refer to it when they are unsure of what to do; IT staff can have a clear guide to troubleshoot problems or in the event of or a security emergency; and everyone can know whom to contact when they need help. Together, all of these things will certainly make an organization more secure and confident in its security.
Is IT security a burden or a breeze at your workplace? And do workers put up with it or rebel?
You can read all about IT controls in Information Technology PolicyPro from First Reference’s Internal Controls Library. ITPP features chapters on physical and systems security, data security, network security, user responsibilities, data and systems management, training and support and much more.
Adam Gorley
First Reference, Human Resources and Compliance Editor
It’s a breeze in our workplace, and that’s largly because there is no firm policy. We have a firewall and anti virus software, but password selection/change is left in the employee’s hands. I think the cost (time and effort) of having a security policy in place is worth it in the long run. It takes about 1 minute to change your password (maybe 3 minutes if you’re thinking really hard of a strong password) but it takes hours to fix a computer after a virus infection. And possibly longer if the virus can’t be removed and the computer has to be reformatted.
But it’s not only password, it’s clicking links in email you get, it’s visiting certain websites and allowing scripts to run, it’s opening email attachments – even from sources you trust. Employees are just not aware of all the risks most of the time so making a policy should be accompanied by educating them about the risks. If employees were aware they would probably be more inclined to put up with the policy.