SOUPS is the Symposium On Usable Privacy and Security, which in conjunctions with Usenix puts on an event each year where papers are presented. The 2015 event caught my eye because of a paper entitled “…no one can hack my mind”: Comparing Expert and Non-Expert Security Practices, by three researchers from Google: Iulia Ion, Rob Reeder, and sunny Consolvo. This paper was summarized by Dan Goodin in Ars Technica and I wanted to know more, so I looked up the original paper. As it happens, they found surprisingly little overlap between the two groups, and that has some interesting implications for protecting your privacy and ensuring your security. And they start off with a very important point, usually overlooked by corporate security departments, which is that the efforts you can reasonably expect people to make are somewhat limited, and if you need to push people to make an effort, it is a good idea to first ascertain that the measure has a commensurate payoff:
“Even if users accept some responsibility for protecting their data and want to put in some effort, we should be thoughtful about what we ask them to do and only offer advice that is effective and realistic to be followed.”
They go one to list 4 characteristics of good advice:
“Existing literature on giving good advice suggests that for recipients to follow it, the advice should be (a) useful, comprehensible and relevant, (b) effective at addressing the problem, (c) likely to be accomplished by the recipient, and (d) not possess too many limitations and drawbacks.”
This is an excellent start, and since one of the first things to be assessed is whether the advice is effective in addressing the problem, they surveyed security professionals on what advice they would give to non-professionals to improve privacy and security. This was a preliminary survey to help identify areas of interest, and gave them a laundry list of topics to use in the paired surveys that followed. In many cases this matched what the professionals did for themselves, but not in every, so understand this is advice meant for a “layperson”, so to speak.
In order of frequency, the recommended measures were:
- keep systems and software up-to-date
- use unique passwords
- use strong passwords
- use two-factor authentication
- use antivirus software
- use a password manager
Good advice indeed, and pretty similar to what I have said previously in Passwords, Entropy, and Good Password Practices.
The next step was to do 2 surveys to compare what non-professionals actually believed was true, compared to what a group of professionals would recommend. The non-professionals numbered 294 and were recruited from Amazon’s Mechanical Turk crowd-sourcing platform, and they were compared with 231 professionals recruited through an online blog. For each group a series of questions was asked, and from the answers a picture was built up of just how well ordinary users did in following what the professionals would consider best practices. Now the paper which I gave you a link to has a lot of detailed information on the methodology which you can consult if you want to go into more depth than I will here. It is essentially an academic paper, while I am writing for a more casual audience. But I think we can extract some useful information from even this more casual look at their results.
First let’s look at Dan Goodin’s summary. He lists the top measures of the professionals as:
- Install Software Updates
- Use Unique Passwords
- Use Two-Factor Authentication
- Use Strong Passwords
- Use a Password Manager
Contrast with the non-professionals:
- Use Anti-Virus Software
- Use Strong Passwords
- Change Passwords Frequently
- Only Visit Web Sites They Know
- Don’t share Personal Information
The only item found on both lists is Use Strong Passwords, which is worth doing to be sure, but what of the others? Changing passwords frequently is something that makes no sense at all, as the CTO of the Federal Trade Commission recently pointed out ( http://dailycaller.com/2016/08/03/thought-changing-your-password-kept-you-safe-youre-wrong/ ). But let’s forgive them that one because they probably get that from, among other places, their corporate IT department that insists on doing it despite its lack of utility. (At best, it is useless. I think it actually reduces security.) And what is the point of the Internet if you only go to places you know? And why on earth would that be any safer? Do we really believe the people running CNN.com have any idea what they are doing? But there is obviously a problem here, so what did the researchers discover when they probed some of these?
This was the top recommendation of the security professionals, and it also had the biggest gap between the experts and non-experts. 35% of experts put this on their list vs. only 2% of non-experts. The researchers identified several factors at work here. First, many non-experts were concerned that a software update might contain malicious software. Others were concerned that the update might be buggy. Given the experience many people have had with Microsoft updates, for instance, this may be understandable. And it is not clear how easy it is to distinguish between security updates and feature updates, which should receive different levels of attention. But against this we have to weigh the known cost of not fixing known security holes. I know we all get tired of continually patching Adobe software, but not patching exposes us to worse. On balance, this makes me think that automatically rolling out updates without the user knowing is probably the best way to make computing safer.
Use Anti-Virus Software
This is just the opposite case to installing updates. Non-experts are far more likely to employ this strategy. It looks like some of the experts may recommend this for average users, but not do it themselves, and that might be rational if experts are significantly less likely to be tricked by scams. Still there are some issues here. One thing is that anti-virus software needs to be kept up-to-date with the latest security updates to be at all effective. One of the positives here for non-experts is that they can install it once and not think about it again, but if they don’t update it it becomes useless.
Use A Password Manager
Another big difference shows up here. Experts recommend this highly because it lets you have both strong and unique passwords, while non-experts mention things like writing them down or reusing them. The main issue stopping many non-experts is that they do not trust password managers. One participant said remembering was better “because no one can hack my mind.” Others point to hacks and object to putting control over passwords in the “hands” of software. Another factor may be that password managers can be complicated to use for a relatively inexpert user.
Writing Down or Remembering Passwords
Writing down passwords is a strategy many non-experts use, and it was not considered a big problem by the expert users. The only concern the experts expressed was how secure the paper was that held the passwords. But on the positive side, written passwords is something everyone understands, and as one expert pointed out malware can’t read a piece of paper. Remembering passwords is something that is popular among non-experts, but most experts see the problem here. When you investigate behavior, you discover that non-experts who use the remember method are also highly likely to use one password for most or all accounts. For others, they have a small number of passwords they cycle through and use trial-and-error to figure out which one was used on any given site. Another tactic commonly used is simple algorithm like adding a number on the end. (Just add a “1” and it is a brand new password!”) They frequently forget passwords and go through a reset process each time. This can be a problem because it conditions sites to expect frequent resets and makes them less vigilant when a password reset request comes in, and we have seen how that aids malicious people in identity theft and account theft.
Frequent Password Changes
Non-experts think this is very helpful, but very few experts agree. Non-experts are probably conditioned to think this is helpful because corporate IT departments insist they do it, but there is no evidence it does anything good, and we are hearing more from people who say it actually reduces security. First of all, having an old password frequently gets you most of the way because you can try adding a number at the end or some other simple transformation. Second, people cannot remember many long, random passwords. They are likely to find ways to make this bearable such as writing it on a sticky note attached to the monitor. And what does it actually accomplish? If I have to change my password every 60 days, then on average any bad guy who gets it (from a phishing scam or whatever) has 30 days to use it before I change it. I think trying to get security from enforcing frequent password changes is like trying to teach a pig to sing: It won’t work, and it annoys the pig.
This was rated very highly by the experts, and while non-experts thought it was a good thing to do, they don’t actually use it very much. The problem is that it requires a little knowledge to employ, and of course it adds a speed bump to using online resources. Experts acknowledge that this approach is not appropriate for every site, but certainly for higher value sites it should be used. My guess is that places like banks will eventually force customers to do it if they want their accounts protected from malicious users.
Visit Only Known Web Sites
Non-experts thought this was a good idea, but very few experts thought this made any sense. As one of the experts pointed out, in this modern age of advertising and cross-site requests it makes no sense. And why should anyone assume that just because you have heard of a site it has not been hacked in some way?
Check if HTTPS
Both groups think this is a good idea, but in practice very people actually do it, both among experts and non-experts. This may change with things like Let’s Encrypt offering free certificates, and Google down-grading the rank of any site that is not HTTPS. This may need to be a default to be effective.
The commonly heard advice includes things like not clicking links in e-mail and not opening attachments. Sometimes the key is to not do this if the e-mail comes from someone you don’t know, which implies that if it comes from someone you know it is safe. But we know that malicious scammers have gotten very good at getting the e-mail to come from an account or to appear to come from an account of someone you know. They hack that person’s e-mail and then send the malware to everyone in the address book, for instance. One of the experts admitted he does not follow this advice himself, but recommends it to his mother.
So this is a good look at the practice of online security in these two groups, and I think it shows that non-experts frequently put effort into useless measures while ignoring ones with a real payoff for security and privacy.