The Opportunity Cost of Security

Choosing a password has become far more of a burden than is realistically necessary, in my view. In a lot of cases, I'm stuck with a set of rules that make the password virtually impossible to remember, e.g. 7Yule#gF. Though that example is extreme, it's just insane to expect users to remember a sequence like that.

My bank (at least one of them, anyway) is particularly egregious in that they require your account name to be typed in and submitted, then bring you to a page with a security image and an inaccessible password form that is produced using JavaScript. The password must contain one uppercase letter, a number, and some other set of letters that bring the total number of characters within a certain range.

The most ridiculous part of the process, though, is that if your cache has been cleared, you are required to answer the security questions these sites have you set up. The questions are never the same from site to site, and it is difficult to remember exactly how you've spelled the answers.

No, this isn't something I think about on a regular basis. In spite of my annoyance, what got me writing on the subject was a report from Microsoft Research that I was interested in reading more than anything else. It pointed out something that is becoming increasingly obvious.

In effect, the effort of following such stringent security standards may cost more than the actual damage incurred from a security breach.[1]

The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot.[1]

In particular, the notion that the benefit is "largely speculative" certainly makes the user less likely to follow the advice, and makes me even more annoyed; there really isn't enough data to back up any of the claims of security experts.

But is this where it should end for users? In determining potential damage, shouldn’t simple security advice be followed?

Of course it can be difficult to trace or predict the portion of a reduction in losses that springs from a particular piece of security advice. However, if the increase in externalities is greater than the total direct losses, then a piece of advice certainly represents a poor cost-benefit tradeoff for the user population. For example, a piece of security advice that requires an hour per year for the average user to follow should reduce direct costs to the users by at least $180e6 x 2 x 7.25 = $2.6 bn (again using twice the minimum hourly wage of $7.25 and an online population of 180 million) to be worthwhile. We will find that this is almost never the case with the attacks that we examine. Instead we find the direct costs are small, or unquantifiable, or borne by the banks rather than users, or are theoretical, protecting users against potential rather than actual losses.[1]

Security advice is meant to protect users and networks from malicious use, but the benefit to most users is minimal. And considering the large number of places where we're likely to use passwords, the complex rules governing their content, and the advice not to write them down, the burden is hard to justify.

I don't think we should abandon what security experts have been suggesting, but in order to improve security, perhaps we should be looking at the construction of the internet itself, finding ways to secure users at the gates of the city rather than expecting them to be armed and vigilant themselves.

And I’ll still follow the advice, for now, as long as I must maintain my own online fortunes.

  1. Herley, Cormac. So Long, And No Thanks. <>. Accessed 3/17/2010.