BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:So Long\, And No Thanks for the Externalities: The Rational Reject
 ion of Security Advice by Users - Cormac Herley\, Microsoft Research\, Red
 mond
DTSTART:20090915T151500Z
DTEND:20090915T161500Z
UID:TALK19711@talks.cam.ac.uk
CONTACT:Andrew Lewis
DESCRIPTION:The failure of users to follow security advice has often been 
 noted. They choose weak passwords\, ignore security warnings\, and are obl
 ivious to certificates. It is often suggested that users are hopelessly la
 zy and unmotivated on security questions. We argue that users' rejection o
 f the security advice they receive is entirely rational from an economic p
 erspective. As with many activities\, online crime generates direct losses
  and externalities. The advice offers to shield them from the direct costs
  of attacks\, but burdens them with the indirect costs\, or externalities.
  Since the direct costs are generally small relative to the indirect ones\
 , they reject this bargain. We examine three areas of user education: pass
 word rules\, phishing site identification\, and SSL certificates. In each 
 we find that the advice is complex and growing\, but the benefit is large
 ly speculative or moot.  In the cases where we can estimate benefit\, it e
 merges that the burden of following the security advice is actually greate
 r than the direct losses caused by the attack.\n\nBio: \nCormac Herley is 
 a Principal Researcher at Microsoft Research.  His main current interests 
 are data and signal analysis problems that reduce complexity and help user
 s avoid harm.  He's been at MSR since 1999\, and before that was at HP whe
 re he headed the company's currency anti-counterfeiting efforts. Some of h
 is recent published work has focused on problems of passwords and authenti
 cation\, the economics of cybercrime\, phishing prevention technologies a
 nd keylogger resistant access to existing web accounts.\n\nHe received the
  PhD degree from Columbia University\, the MSEE from Georgia Tech\, and th
 e BE(Elect) from the National University of Ireland.  He is a former adju
 nct at UC Berkeley\, has authored more than 50 peer reviewed papers\, is i
 nventor of 70 or so US patents (issued or pending) and has shipped technol
 ogies used by tens of millions of users.\n\n"Web page":http://research.mic
 rosoft.com/en-us/people/cormac/\n
LOCATION:Lecture Theatre 2\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR
