Much of the computer security advice we get from banks, browsers and password-protected web sites is a waste of the user's time.
Last year, Microsoft researcher Cormac Herley confirmed what many of us already knew or suspected: managing dozens of passwords is a colossal pain and of dubious benefit. Do I feel more secure that my bank knows the name of my first dog? Not really.
Herley is not casting all security advice to the wind, but questions the value of all the time we collectively put into it. From his report:
"Users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security. We have shown that much of this advice does nothing to make users more secure, and some of it is harmful in its own right."
What Herley figured out is that the value of the time users spend managing passwords, SSL certificate warnings (Secure Sockets Layer, which encrypts data between a web server and your browser) and phishing site identification is far greater than the damage done by computer criminals. He describes the benefit from user education as "speculative and moot."
His findings defy conventional wisdom that you can't pay too much attention to computer security. The basis for his findings is that our time isn't free: indeed, he figured out that the time of 180 million adults online in the U.S. is worth about $2.6 billion an hour, far, far exceeding the losses from spam and phishing attacks.
"We find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population...," he wrote.
Over the years, computer security has irritated me. At one job, I was required to change my password every three months, and if I didn't after repeated and annoying warnings, I was not permitted to send e-mails. How dumb is that? Ironically, this is a setting in Microsoft Exchange.
I simply used the same word and added 1, 2, 3 and so forth to them every three months. That way, I could easily change and remember them.
The report didn't directly address virus checkers which we blindly re-up for every year, but it reminded me of a story idea I discussed with an editor about 10 years ago. We posited that somehow the developers of viruses were in cahoots with the companies that wrote the software to protect us from them.
Alas, it would have been an extremely difficult hypothesis to prove. Maybe there was a tad too much conspiracy tied up in the idea.