A Cost-Based Analysis of User Effort in Security

This article does a fantastic job of quantifying the somewhat nebulous idea of why end users tend to make security decisions that look poor. Once you compare the price of end-user time against the losses that time is meant to prevent, it is clear that much of the traditional wisdom about daily web usage is a large hassle with very little payoff.

In other words, the average user would spend far more (in the value of their own time) maintaining strong, unique passwords and checking every URL and SSL certificate than they are likely to lose by skipping those checks. The article goes much deeper into the math behind that conclusion, but it is not necessary to whip out a calculator to see that the author is right.

In my opinion, this reinforces the point that much of the burden of protecting end users belongs further up the chain. A single user may see only a few pennies per year of realized risk, but the organization serving all of those users sees the same risk aggregated across its whole user base, which adds up to substantial loss. By the same token, that organization can deploy countermeasures far more economically (one control covering everyone, instead of a daily habit repeated by each user) and has access to far more data with which to deploy them effectively.
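To make the per-user versus aggregated view concrete, here is a small cost model added for this post (it is not code or figures from the article being discussed). It prices one habit, checking the URL and certificate on every login, in user time, compares that against the expected loss the habit avoids, and then aggregates both across an organization so the two can be set beside the cost of a single centralized control. Every number in it (seconds per check, wage, incident probability, loss, user count, control cost) is a constructed assumption for illustration, not data from the paper.

```python
"""Toy cost model for a single end-user security habit.

Added example, not taken from the article under discussion. All input
values are constructed assumptions chosen for illustration only.
"""

from dataclasses import dataclass

SECONDS_PER_HOUR = 3600


@dataclass(frozen=True)
class Habit:
    """One piece of security advice, with the cost and benefit it carries."""
    name: str
    seconds_per_check: float    # time one user spends on a single check
    checks_per_day: float       # how often the situation arises per day
    p_incident_per_year: float  # chance per year the habit would have prevented a loss
    loss_per_incident: float    # money lost when that incident is not prevented


def yearly_effort_cost(h: Habit, hourly_wage: float, days: int = 365) -> float:
    """Dollar value of the time one user spends on the habit in a year."""
    hours = h.seconds_per_check * h.checks_per_day * days / SECONDS_PER_HOUR
    return hours * hourly_wage


def yearly_expected_loss(h: Habit) -> float:
    """Expected yearly loss one user avoids by following the habit."""
    return h.p_incident_per_year * h.loss_per_incident


def break_even_probability(h: Habit, hourly_wage: float) -> float:
    """Incident probability at which the habit exactly pays for itself.

    Above this value the user's time is well spent; below it, following
    the advice costs more than the loss it prevents.
    """
    return yearly_effort_cost(h, hourly_wage) / h.loss_per_incident


def aggregate(h: Habit, hourly_wage: float, users: int) -> dict:
    """Per-user and organization-wide view of the same habit."""
    effort = yearly_effort_cost(h, hourly_wage)
    loss = yearly_expected_loss(h)
    return {
        "per_user_effort": effort,
        "per_user_expected_loss": loss,
        "user_should_bother": loss > effort,
        "org_effort": effort * users,
        "org_expected_loss": loss * users,
    }


def cheapest_option(h: Habit, hourly_wage: float, users: int, control_cost: float) -> str:
    """Compare three ways of handling the risk across the organization.

    'users_check'  -> every user follows the habit (org pays in user time)
    'central'      -> a centralized control with a fixed yearly cost
    'accept'       -> nobody does anything and the loss is simply absorbed
    """
    totals = aggregate(h, hourly_wage, users)
    options = {
        "users_check": totals["org_effort"],
        "central": control_cost,
        "accept": totals["org_expected_loss"],
    }
    return min(options, key=options.get)


# Constructed scenario (assumptions, not figures from the article):
# 5 seconds to eyeball the URL and certificate, 20 logins a day,
# a 0.1% yearly chance that doing so averts a $500 phishing loss.
CHECK_CERT = Habit("check URL and certificate on every login",
                   seconds_per_check=5, checks_per_day=20,
                   p_incident_per_year=0.001, loss_per_incident=500.0)
WAGE = 20.0            # assumed value of an hour of user time
USERS = 100_000        # assumed size of the user base
CONTROL_COST = 30_000  # assumed yearly cost of a centralized control

if __name__ == "__main__":
    totals = aggregate(CHECK_CERT, WAGE, USERS)
    print(f"{CHECK_CERT.name}:")
    for key, value in totals.items():
        print(f"  {key:>24}: {value}")
    print(f"  break-even incident probability: {break_even_probability(CHECK_CERT, WAGE):.3f}")
    print(f"  cheapest option for the org: {cheapest_option(CHECK_CERT, WAGE, USERS, CONTROL_COST)}")
```

Under these constructed numbers the individual user spends about $200 of time per year to avoid an expected loss of fifty cents, and would only break even if the yearly incident probability were above roughly 40%. Aggregated over the organization the same habit consumes about $20 million of user time to avoid $50,000 of expected loss, so a centralized control priced anywhere under that loss wins outright, which is the shift of burden the paragraph above describes.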

The other angle on this is that the more transparent security controls are to end users, the more effective they will be. The paper deals directly with the effort needed to validate SSL certificates and read URLs. Other controls, such as virus scanning at the perimeter, IPS, and a well-implemented least-privilege principle (none of them without issues of their own), are considerably less likely to depend on end-user effort to be effective, and in that regard are a better answer than any amount of awareness training.

This entry was posted in Commentary. Bookmark the permalink.
