Table of Contents
- What Is Information Security?
- Common Body of Knowledge (CBK) Definitions
- A Functional Definition of Security
- Security Web Site Favorites
- The Complexity of Hacking
- The Ten Commandments of Information Security
- Evangelizing IT Security: Why is There a Need?
- Three Reasons Why Users Won't Buy Into Security
- What Should Security Look Like?
- Eight Controversial Myths of Personal Computer Security
- Web Application Security
- Operating System Security
- Network Security
- Hardening Your System
- Wireless Security
- Mobile Security
- Data Forensics
- Legal and Ethical Issues of Security
- Home User Security
- Job Security for the IT Security Industry
- A Biased Book Review: Chained Exploits: Advanced Hacking Attacks from Start to Finish
- Security of Mechanical Locks
- Information Security in Academics
- Holiday Security: Hackers Don’t Take Holidays
- Gary McGraw on Building Secure Software
- Gary McGraw on Exploiting Online Games
- A Student-Hacker Showdown at the Collegiate Cyber Defense Competition
- The Collegiate Cyber Defense Competition Year 3: Revenge of the Red Cell
- Questions from RSA 2007
- How to Steal 80,000 Identities in One Day
Three Reasons Why Users Won't Buy Into Security
Last updated May 23, 2003.
In this series we are looking at the subject of computer security and how we as an industry can do a better job convincing the general public that security does matter. Last week we opened up with a look into the problem, and highlighted several really big problems that the security community has to overcome. This week we continue our analysis of the obstacles to illustrate that we have some major problems that need to be addressed and understood before we as a community can effectively change how security is viewed.
Security is Expensive and Hard to Quantify
According to NPD, the average desktop PC costs about $550 retail. In order to protect that machine from malware and attackers, a user is then expected to spend an extra $69.99 PER YEAR. Given that the average lifespan of a desktop can easily be five years, at current prices the cost of securing the $550 PC comes to about $350, almost two-thirds of its price. No wonder consumers despise the security community.
Unfortunately, the above example is only the tip of the iceberg when it comes to securing the end user. Spam solutions, WAFs, firewalls, IDS, IPS, AV, VPNs, encryption solutions, compliance requirements, and more take a serious toll on IT budgets. Ironically, for as much as all of this costs, what can the security industry really show for it?
For example, imagine you are a security systems engineer trying to convince a CFO to hand over $25,000 to replace your old stateless firewall with an integrated stateful firewall/WAF/VPN/filtering solution. You go through your spiel, describe why the product is so great, and the CFO returns with one statement: "The old firewall is working fine, I can't see why we need a new one. How will this firewall save us money?" Unfortunately, the honest answer is that it may not save the company money. A firewall is a protective barrier between the internal network/host and the external world. A stateless firewall is currently about the most basic kind you can install: it judges each packet on its headers alone, with no memory of the connection it belongs to, so it cannot tell a legitimate reply from a crafted packet that merely looks like one. Even so, it may be all you really "need", at least until your network is successfully hacked.
In addition to financial costs, the security process itself is painful to accept. While there can be many benefits to keeping data and systems intact, security costs users time and energy. To illustrate, let's examine the costs of implementing a policy that says a password cannot be used for more than 60 days. In a company of 1,000 people, this policy has the indirect effect of making 1,000 people spend at least one minute every two months going through the password change procedure. That is about 17 hours of lost productivity, just for a password. In addition, a small number of users will forget their password or have a problem updating it, which will require a systems administrator's attention. Even if the problems are limited to 5% of the workforce (50 people) and each can be resolved in 10 minutes, that is another 8 hours or so. Financially, these hours add up to a significant sum. Even at $15/hr as an average wage, the cost every two months is about $375, just for a password change policy.
Security is about FUD
Since the previous scenario of selling security to management is all too well known to most security professionals, any attempt to encourage an upgrade comes with a carefully constructed illustration and/or demonstration. Incidentally, InformIT.com has just such a "constructed" story, used for exactly this kind of encouragement, titled How to Steal 80,000 Identities in One Day.
While these scare tactics do get the attention of our users and managers, using them repeatedly has turned the security industry into something most people are terrified to interact with. Ironically, the malware industry uses the same techniques to trick people into downloading its malware. To illustrate, the following is a series of pop-ups and screens designed to convince a user that they are infected with malware:
Figure 1: Initial popup - Warning
Figure 2: Second popup - Salvation
Figure 3: Third popup - Disaster Imminent
In case you aren’t aware of these types of pop-ups, none of them are valid. They are generated by a malware company that is attempting to trick the victim into downloading a software solution that will "clean" up the problem. However, should the user fall prey to this convincing scare tactic, they will only find themselves the victim of a very successful spyware campaign.
As if to bolster the view that the security community has only fear to offer its users, when was the last time you ever heard anything good about a security solution or process? For example, have you ever seen the headline "XYZ Firewall Prevents Hackers from Blowing Up a Power Plant!"? Unlikely. Instead, the security news that does reach the general community deals with viruses, malicious hackers, and scary scenarios that paint a really bad picture of the digital world. The following headline may be a spoof, but it does a good job of illustrating the kind of information the typical user is exposed to with regard to computer security.
Figure 4: Turn Your Computer into a Bomb
Ultimately, it is fairly obvious that FUD tactics are the primary method by which the security industry obtains and keeps its customers. In fact, in a recent post a member of the security community itself put it best:
"...I'm not poo-poo'ing our own, believe me I think we are making tremendous strides but we need to step up, and offer solutions. Real ones. Ones companies on a budget, and playing the "what's the least I can do" game can get behind. We need to stop being the fear-mongers and become the "fix it" people. Well, someone had to say it."
Security is about Breaking Stuff
Ironically, for as much as the security industry tries to provide solutions that fix problems and address bugs, a large portion of the public-facing security community has long promoted the message that "Security is about Breaking Stuff."
Where did this message come from? And why does it exist?
First, as someone who has been required to break software and web applications on a regular basis, I can tell you first hand that it is fun. If you ask the security community as a whole how they got into the field, chances are a large majority will describe the excitement of finding a bug in an application or discovering a way past a security mechanism. For myself, the challenge of a digital puzzle designed to keep me out is incredibly attractive, and when I defeat that challenge, the reward is immediate, often intense, and incredibly exciting.
Ironically, for as much fun as there is in breaking security, fixing it can be very difficult, sometimes to the point of impossible. In other words, security is much easier to break than it is to fix. As a result, the number of people in the security community who are breaking stuff is much greater than the number who have devoted their lives to fixing the problems.
This issue is compounded by the fact that we as a community have created an environment that is conducive to the "breakers." In the current security landscape, a professional's reputation can be built in a matter of months with a few well-placed and timely disclosures. The end result is that this person is often headlined on security sites and can turn their disclosures of insecurity into profit. On the flip side, there are few people in the current security community who have built a reputation on solutions.
The end result is that the security community is self-defeating in many ways. Why fix something when it is fun, more lucrative, and more rewarding to break stuff?
The End Result
Is it any wonder that the security industry and community have a difficult time encouraging users to see security as a valuable part of the process? We talk in code, change our focus regularly, make each issue sound like the end of the world, and then compound the problem by finding bugs faster than they are fixed.
In next week's update, we are going to provide you with a look at the message we should be spreading to the user community and give a few tips and ideas on how to effectively evangelize IT security.
InformIT Articles and Sample Chapters
Perception of Security Risk: Fear, Uncertainty, and Doubt — I spent some time discussing the use of FUD to push security products. While I am pretty sure you got the idea, the psychology behind the use of fear to promote a message is hardly new. In this article, you get a much deeper look into how fear can be used to influence behavior and why it works.
Geekonomics: The Real Cost of Insecure Software — There is no doubt that security is a hard sell. It takes a lot more time upfront to build security into a software program, and this time equals money. So, how can you justify the extra time — and thus money? Well, this book provides just that argument. (Read in Safari Books Online)