I’m sure this news will come as a relief to many computer and Internet users out there: a recent study by a researcher at Microsoft has found that many IT security measures—those things we love to hate like having to change passwords every three months or having individual passwords for a dozen different work accounts—simply don’t provide good value for the time and effort they involve, not to mention the bad habits they often cause!
In the report, researcher Cormac Herley writes, “Most security advice simply offers a poor cost-benefit trade-off to users”.
It’s not that there’s no point in using passwords to protect users’ data. Rather, there is a gap between the people who develop and promote security measures and the users who must implement them. Security professionals have done their best to provide as much information to users as they can—about potential risks and the ways to avoid them—but consuming the information and putting it into practice takes more time than it’s worth, at least according to Herley’s report. Employees’ time is more valuable than the time it takes to perform all of the commonly required security measures. “A lot of advice makes sense only if we think user time has no value,” said Herley.
Phew! Now, when do you get to ditch all of those passwords? Well, I’m not holding my breath.
Of course, as you probably know, many users already ignore or bypass required security measures whenever possible. They will use the same password for every log-in; they’ll use common words or names as passwords; they’ll even write their user IDs and associated passwords on sticky notes and leave them on their monitors! And according to Herley, this behaviour is perfectly rational, because:
- Users understand, there is no assurance that heeding advice will protect them from attacks.
- Users also know that each additional security measure adds cost (e.g., in time and effort).
- Users perceive attacks to be rare. Not so with security advice; it’s a constant burden, thus costs more than an actual attack.
You can take from that what you will. To address the issue of security-fatigue, Herley recommends closing the gap between security measures and users by helping users understand specific risks without drowning them in general information and instruction, and by making sure that the cost of implementing a security measure is commensurate with the potential benefit of protection as well as the users’ time it will involve, among other measures.
At the same time, Herley offers several general IT security measures that take little time and work very well to close security gaps. These include installing (and activating!) a firewall, and updating software on users’ computers; it can help to allow authorized software to update automatically.
A thorough policy could cover both the back- and front-ends of an organization’s IT security, making sure that security processes are strong, functional, easy to use and efficient. This should make it clearer for security designers in developing security measures and for end-users in their day-to-day tasks. There are numerous other advantages to having a clear policy, as well: users can refer to it when they are unsure of what to do; IT staff can have a clear guide to troubleshoot problems or in the event of or a security emergency; and everyone can know whom to contact when they need help. Together, all of these things will certainly make an organization more secure and confident in its security.
Is IT security a burden or a breeze at your workplace? And do workers put up with it or rebel?
You can read all about IT controls in Information Technology PolicyPro from First Reference’s Internal Controls Library. ITPP features chapters on physical and systems security, data security, network security, user responsibilities, data and systems management, training and support and much more.
First Reference, Human Resources and Compliance Editor