Why rational users prefer cheap dancing pigs to expensive security snake oil

I have spent much of the last month listening to security scare stories from consultants and vendors bidding for attention and budgets. Many of the activities for which they are seeking support appear worse than useless. They distract attention from that which could and should be done to cut costs, improve service and win new business by removing vulnerabilities rather than adding new layers of sticking plaster over festering wounds. 

I have blogged before on the need to bring together the messages from Race On-line and Get Safe Online. The video Richard Thomas showed to the Institute of Chartered Accountants set me thinking along a different track. Please watch it before you read on. It’s a great piece of scareware, but the day after watching it I received an e-mail drawing my attention to a Microsoft report on why “Given a choice between dancing pigs and security, users will pick dancing pigs every time.”


It is well worth reading in full but a summary is sufficient for my current argument. “While amusing, this is unfair: users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security. We have shown that much of this advice does nothing to make users more secure, and some of it is harmful in its own right. Security is not something users are offered and turn down. What they are offered and do turn down is crushingly complex security advice that promises little and delivers less … Users … are not irrational: exhaustive lists that seek to avoid all potential harms are not helpful to them and are ignored … we have implicitly valued user time and effort at zero.”


Then in the space of a week I attended presentations of the PWC 2011 Global State of Information Security Survey to two very different audiences, chaired a combined meeting of the IT Livery Company’s Security Panel and the EURIM e-Crime Skills Panel, and attended a CFSI round table on the need for a joined-up approach to identity. The juxtaposition of events helped clarify my thinking.


HM Government spends about £600 million a year on information security, with a large part of it going on the production of customised processes for its various operations. That is less than the annual electronic security budget of a single global bank (and a fraction of what the banks spend collectively), but the banks spend most of their money on training and technology to support, monitor and police processes that are under much more sophisticated and sustained attack than those of government. Meanwhile the UK public sector bases its security on hierarchies of trust and struggles with protocols for exchanging information without acceptance of liability for failure. The banks have rings of trust with contractual liabilities for failure – whether or not it was their fault.


After the hump of demand from Government for drafting processes (in response to the rash of reports into data leakages), there is a glut of process consultants on the market looking for work. Meanwhile there are chronic and increasing shortages of operational security staff with the technical competence to respond to incidents as they occur, let alone of those able to remove vulnerabilities to prevent them occurring, and of architects able to apply the disciplines of security by design to reduce the likelihood of vulnerabilities in the first place.


In this context the calls for joined-up electronic identities look rather like answers in search of a question. Who actually wants them? And are those who want them willing to pay for them – as opposed to expecting others to pay?


We can see why government wants them but who else does? 


Which banks or on-line retailers really want joined-up identities when they make more money, let alone avoid shared vulnerabilities, by using different systems to lock in their customers?


And who wants an identity service from a supplier who will not underwrite the cost of failure or compromise? 


Meanwhile the notaries and scriveners see no reason to provide for free that which they have provided professionally for a thousand years, including over telegraph, telephone, telex, fax, EDI and the Internet.


That leads me back to the video clip used to introduce this year’s conference of Data Protection registrars. I do not believe that the Internet changes everything. What it does is make it much easier to mass-market dancing pigs and snake oil.