Consumerization of IT–How to address this
Bring Your Own Device or Consumerization of IT are fairly hot themes in a lot of customer organizations. When I talk to customers, there are typically different reactions once we bring this up. Some tell us that it is not part of their strategy; some tell us that they plan to do it but have a hard time figuring out how to secure such an environment; very, very ...
10 Years of Trustworthy Computing at Microsoft
Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewaterhouseCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I would leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines: Oh, you are joining a desktop company? ...
10 Reasons to migrate off Windows XP
I would like you to sit back, close your eyes and think about the year 2001. Think about how you used technology back then, how you used the Internet. Now, let’s take it a little bit further back in history and think of the year 2000, just after we realized that the Year-2000 problem was handled very well by the industry. How you used technology, how you used the Internet, the ...
Office 365 Becomes First and Only Major Cloud Productivity Service to Comply With Leading EU and U.S. Standards for Data Protection and Security
A long title, but this was the title of the official press statement yesterday. Compliance is always a key question in the public cloud space. Therefore it is very important for us that we have now achieved three things: Office 365 is compliant with EU Model Clauses, Data Processing Agreements and ISO 27001, among other standards. Office 365 is the first and only major ...
Why Today’s End-User Education Fails!
By Roger Halbheer, on March 27th, 2010
I was reading a paper recently which I initially thought was a joke (it looked scientific, so I was not too scared). But since our research department wrote it, it is serious and really, really good – at least it definitely made me think. It is called So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users – you should read it!
Basically it focuses on the cost/benefit of security advice from the end-user’s perspective. Here are a few quotes from the paper (to tease you):
- We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective.
- A study of password habits in 2007 [26] found that users still choose the weakest they can get away with, much as they did three decades earlier [45].
- For example, it makes little sense to invest effort in password strength requirements if phishing and keylogging are the main threats. It does not pay to learn URL reading rules to recognize phishing sites when the direct losses borne by users average less than a dollar a year. It’s hard to blame users for not being interested in SSL and certificates when (as far as we can determine) 100% of all certificate errors seen by users are false positives.
If you think it through – they are right. Then, they draw a few conclusions:
- Users Understand Risks better than We do
- Worst Case Harm and Actual Harm are not the Same
- User Effort is not Free
- Designing Security Advice is not an Unconstrained Optimization
- The Economic Harm of Security Advice
And then, please, read their final chapter on What Can We Do? – otherwise you will stay frustrated.
Roger