Passwords, security protocols cost more than they save, says Microsoft researcher

In a cost/benefit analysis, a researcher says the amount of time users are tied up with security protocols may outweigh time saved in stopping malicious hacks and code.
Written by Joe McKendrick, Contributing Writer

It’s common sense that strong passwords and awareness of malicious URLs are the best line of defense for applications and data. However, one IT researcher has done a cost/benefit analysis of such efforts, and questions whether the costs of strong password management outweighs the benefits.

Credit: James Martin/CNET News

Credit: James Martin/CNET News

That’s the gist of a recent study by Microsoft researcher Cormac Herley that's been roiling across the blogosphere in recent weeks. Herley questions the advantages of strong password rules, which “shields [users] from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.”

He applied a cold, hard cost/benefit analysis to password and other security protocols, and determined that having end-users spend time fussing with these protocols is not a rational act in strict economic terms. That's because requiring each and every user to spend x amount of time creating strong passwords and being trained on avoiding hack Websites may, in the end, cost far more than the time and cost saved from a security incident.

"In trying to defend everything, we end up defending nothing," Herley warns.

Time is what is at issue with most security incidents, Herley reasons. The bottom line is the amount of time users are tied up with security protocols may outweigh any time saved by stopping malicious hacks and code. As Herley explains:

“We need better understanding of the actual harms endured by users. There has been insu?cient attention to the fact that it is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them.”

Herley also points out that while “user education is a cost borne by the whole population,” the benefits may only be seen by the small percentage of users that fall victim to security attacks. “The cost of any security advice should be in proportion to the victimization rate,” he says. For example, the cost of having all working adults spending one minute a day fussing with security protocols will add up to about $15.9 billion a year. This may exceed the money saved for the small percentage that are impacted by security events.

In the words of Herley:

“Security advice is a daily burden, applied to the whole population, while an upper bound on the bene?t is the harm su?ered by the fraction that become victims annually. When that fraction is small, designing security advice that is bene?cial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.”

Nevertheless, security experts say there's no reason to shy away from robust security protocols in this day and age. Niel Rubenking, who surfaced Herley's paper at his blogsite, advises companies and end users to stick to strong password creation and security awareness.  Complex, non-guessable passwords are still an important security protocol that needs to be kept in place. He recommends automating the process as much as possible for end users with a password manager that generates strong passwords.

This is where service oriented architecture helps as well. Single sign-on and federated identity, for example, will save a lot of the time and cost for enterprise end-users to access multiple services or applications across networks. In addition, a security services layer as part of SOA will ensure a consistent, highly automated process embedded behind the scenes. This may not protect users accessing sites in the open Web, however, and this is where the benefits of training and vigilence need to be weighed.

Is the time and cost of requiring everyone to address security protocols worth the potential time and cost saved among users who need to get back to work after an incident?

Editorial standards