Interesting People mailing list archives
good read: Please do not change your password
From: Dave Farber <dfarber () me com>
Date: Fri, 16 Apr 2010 14:15:18 -0400
Begin forwarded message:
From: "Jonathan S. Shapiro" <shap () eros-os org>
Date: April 16, 2010 12:27:18 PM EDT
To: dave () farber net
Subject: Re: [IP] good read: Please do not change your password
[For IP] Cormac Herley's research paper is not being correctly evaluated here (or elsewhere). Herley's paper compares the combined dollar cost of all users of following all of these security policies vs. the combined cost to the users of all successful attacks. It then divides both numbers by the number of users, and concludes that the cost **to any given user** does not justify the pain **to any given user**. He then points out that **from the perspective of a given user**, the cost of security measures doesn't make sense. The user acts rationally by resisting invasive security measures.

As a defense of the user, the paper is fine, but some of the conclusions being drawn from the paper are quite worrisome. The problem is that no user, and no organization, ever experiences an "average" break-in. Either you experience none at all, or you experience a very high cost - and usually not against just one user at a time.

Under Herley's argument, rational actors should also dispense with home insurance, life insurance, and automobile insurance. Indeed we should dispense with *any* insurance. Insurance policies do not insure in areas where they will lose money. Therefore, if insurance exists, the expected cost to the buyer is higher than the expected loss.

The real eye-opener in Herley's paper is the *disparity* in cost and benefit, which is often a factor of a thousand. What this number reveals is the social cost of allowing software insecurity and malfunction to be protected from liability. Users are paying - at great cost - for the insecurity of the products they use.

But even that must be viewed cautiously. Herley's numbers (like all quantitative numbers in this space) are problematic because data on losses is rarely made public. His assessment of costs could well be a factor of 100 smaller than reality. The problem is that we don't know. This is a paper that should have been reviewed by someone with an actuarial background, and wasn't.

Thought-provoking work, but hard to draw actionable conclusions from it.

Jonathan Shapiro