Present security advice as convenience advice

The key to getting people to take good security advice may be to couch it in terms of how to improve convenience.

Michael Kassner asked, "Are users right in rejecting security advice?" The question raises the issue of how people are advised to secure themselves, and why such advice is not heeded. In summary, the problem boils down to a quick cost-benefit analysis based on the most accessible data users have on the subject: the lessons of their own experience.

When users are confronted with an ever-growing pile of advice that encourages them to undertake increasingly complex steps to defend themselves from the predations of security crackers, they naturally apply the filter of their own understanding of what will probably affect them directly before deciding whether to take any of the offered advice. Most users see no direct results of becoming the victims of failures in security other than an occasional bit of inconvenience in the form of cleaning up after a malware infection, while they see the task of learning from the constant stream of security advice and applying that advice to their daily lives as a similar annoyance that is constant rather than occasional.

Unfortunately, the answer to Michael's question is not a simple "yes" or "no". It is, in fact, both at the same time -- depending on how you look at it:

  1. Yes. Given their perspective, it is natural and right that users should reject the avalanche of security advice that constantly pours into their lives. A simplified approach to security is desperately needed, and without themselves becoming security experts they must simplify by ignoring many of the suggestions that present themselves on the basis of the cost to their own convenience.
  2. No. There is a lot of good advice that, as part of a comprehensive approach to acquiring good security habits, can actually help them achieve a significant improvement in the safety of their activities when using computers without significantly decreasing the convenience of those activities.

Unfortunately, the process of selecting what advice to follow, and of figuring out how to incorporate it into one's life effectively, requires a user either to learn enough about security principles to understand the consequences of those choices in depth, or to very fortuitously choose the right single source of advice to trust to make such decisions. Because the former option will almost never be the choice a typical user makes, the latter -- the option of selecting the right source of advice to trust -- must be addressed if we ever hope to help the typical end user achieve greater security in their computing activities.

Many who have an interest in understanding the complexities of security principles deride organizations such as Microsoft for their approach to security, and lament the tendency of end users to simply trust such organizations without question. The approach taken by these organizations tends to suffer from severe conflicts of interest that guarantee end users will be significantly less secure than they could otherwise be. On the other hand, these organizations are successful in garnering the trust of end users because of a part of their approach to security that is often overlooked by security experts: offering simplified approaches to addressing the complexities of security.

End users want to believe that there is a silver bullet for security. The evidence of this fact is everywhere around us. Looking a bit more closely, it becomes obvious that people with a more intensive interest in security also want to believe in such a silver bullet, but whereas the common end user might come to a decision about what constitutes the One True Answer to security based on simple convenience, the rest of us tend to make that decision based on a deeper technical understanding of some aspect of our computing lives. Unfortunately for all of us, there is no silver bullet.

That does not stop software vendors from trying to offer an apparent silver bullet to slay the security beast, either as a product that can be sold individually for substantial profits or as a component or characteristic of a product that can, of course, be sold for substantial profits. It is in offering a "silver bullet" approach to security that organizations such as Microsoft display that, while their inherent conflicts of interest in the realm of offering strong end user security prevent them from being truly trustworthy sources of security advice, they understand something about security advice that many security experts do not: the importance of the convenience factor.

To counteract the facile approach taken by many software vendors, that of encouraging end users to just pick something and stop thinking about it, security experts need to adopt some methodology for offering security advice that improves convenience, rather than damaging it. A list of ten key factors in password security makes for an easy article to write, and it is good and accurate advice as far as it goes, but it does almost nothing to help the common computer user achieve greater security, because such a person is not interested in trying to maintain in their head a database of regularly changed complex passwords impervious to brute force attacks and rainbow tables, with a different password for each of a hundred different authentication contexts.

When considering a piece of technical advice to offer an end user, we must also consider the convenience cost. More to the point, we must consider how that technical advice can become part of a piece of advice on how to improve convenience. For example, telling people that they should use a different password for every Web site may be "good" advice in that it is accurate where security is concerned, but it is "bad" advice in that it is highly impractical when taken in a vacuum. If someone's only choices are to memorize dozens of unique, strong passwords or to reuse one password across dozens of different authentication contexts, the latter option is the only real option.

On the other hand, the article "Five features of a good password manager" offers much more helpful advice that addresses both the importance of unique passwords and the needs of convenience, because it does not just suggest using unique passwords. Instead, it presents the need to use unique passwords for different authentication contexts as a reason to use a convenience-enhancing tool.

A lot of the time, security experts forget to mention the convenience methods they know will work to make good security advice practicable. We know that password management systems work to improve both convenience and security at the same time, but when we see that a password database for some Web site has been compromised we only think, "I wonder how many of those people use the same password for everything." What we should be thinking instead is, "I wonder how many of those people are aware of the benefits of a good password manager, and how to select a good password manager."

To make a long story short (too late), advice should not be offered simply as key points for what makes for a secure system. Rather, it should be offered as key points for how to select a convenient system that offers improved security.