As we have now reviewed the costs and benefits independently, in this section, we will compare costs versus benefits for each piece of advice that we collected. We use an elementary scoring system that assigns positive scores for each benefit a piece of advice provides and subtracts points for each cost it incurs. Naturally, this method does not give a true insight into all nuances of the costs and benefits, and we discuss this throughout this section.
9.1 Scoring Costs
We begin by assigning points to each cost type using an ordinal scale. A major cost that recurs at each login is assigned 2 points, a major periodic cost 1.5, and a major one-time cost 1. A minor login cost is assigned 1, a minor periodic cost 0.75, and a minor one-time cost 0.5. A positive cost, that is, advice that actually makes life easier for the party concerned, is assigned \(-2\). Though this is a crude scoring system, it provides insight into both the most costly and least costly advice. Figures 4(a) and 4(b) depict the 12 most costly pieces of advice and the 6 least costly pieces of advice for the organisation and the end-user, respectively.
In Figure 4(a), most of the least costly pieces of advice to the organisation relate to the composition of passwords. For example, “Take initials of a phrase and use this as your password.” Advising this brings no costs to the organisation. Many of the most costly pieces of advice for the organisation involve back-end processes; for example, “Implement Defense in Depth,” “Monitor and Analyse intrusions,” and “Apply access controls.” Introducing two-factor authentication appears in both the user’s and the organisation’s most costly advice, as does the advice to change passwords regularly. By contrast, the advice “Don’t choose remember me on your computer” has high costs for users but low costs for the organisation. Most of the most costly pieces of advice for users relate to password creation, memorising, and changing; for example, “Don’t use dictionary words in your password,” “Password hints should not be stored,” and “Store history to eliminate password reuse.” This last piece of advice specifically relates to when regular password changes are enforced: it ensures a user does not choose a previous password. The piece of advice “Don’t use dictionary words in your password” is particularly interesting. The advice was given by 16 different sources, yet we know from leaked password databases that users primarily choose word-based passwords [49]. This shows how impotent advice can be when, from the user’s point of view, the benefits do not appear to outweigh the costs. Shay et al. find that the “use of dictionary words and names are still the most common strategies for creating passwords” [42]. Notice that the last piece of advice in the user chart, Figure 4(b), has a negative cost. This is because allowing users to use any ASCII character actually makes their life easier. Of course, most security policies and rules will come at a cost. What will be interesting is to see whether the benefits outweigh these costs.
9.2 Scoring Benefits
For benefits, we use a similar ordinal scale: a large decrease in attack risk (\(\color{green}{\mathbf{\Downarrow}}\)) counts for 2 points, and a minor decrease in attack risk (\(\color{green}{\mathbf{\downarrow}}\)) for 1 point. A small increase in risk (\(\color{red}{\mathbf{\uparrow}}\)) is \(-1\) point, and a large increase in risk (\(\color{red}{\mathbf{\Uparrow}}\)) is \(-2\) points. Note that a comparison of benefits alone can only provide limited meaning. Some attacks are more important to protect against than others, and advice can protect against attacks to varying degrees. However, for this analysis, a simple comparison of how many attacks a piece of advice protects against, and whether it offers minor or major protection, is still informative. We therefore attempt a loose ranking of the advice according to the assigned benefits. “Security beneficial” is a simple indication of whether the advice protects against the different attacks from Table 6.
Using the above scoring methodology, Figure 5 shows the 12 most security-beneficial pieces of advice and the 6 least security-beneficial pieces of advice. The advice that this classification identifies as the most beneficial is in line with what we might expect. Notice also that there is an overlap between the 12 most beneficial pieces of advice and the 12 pieces of advice with the highest organisation costs. For example, “Apply access controls,” “Implement defense in depth,” and “Monitor and analyse intrusions” appear in both lists.
The 6 least beneficial pieces of advice actually have negative benefit scores, meaning they increase the likelihood of an attack occurring. Looking through these 6 pieces of advice, we can understand why. For three of them, rather than increasing security, the goal seems to be a better user experience: “write [your password] down safely,” “offer to display password,” and “generated passwords must aid memory retention.” The other three have negative benefits because they create a new attack vector or make an existing attack more likely. Distributing passwords by envelope means they can be physically intercepted. Enforcing a maximum length puts an upper bound on the length of passwords and makes guessing attacks easier. Finally, though storing backups is an important secure practice, it rarely protects against an attack; instead, it mitigates the harm done if an attack takes place. Purely in terms of protection from attacks, therefore, it ranks poorly. In addition, having both physical and digital copies creates extra data that must now be protected, and physical protection is now a factor. This is a good example of how our simple points system does not give the whole picture of whether a security practice should be employed.
9.3 Costs versus Benefits Tradeoff
We are interested in the tradeoffs between the costs and the benefits. Is high-cost advice balanced by high benefits? Or are users paying high usability costs for small increases in security? To analyse costs versus benefits, we plot each piece of advice on a graph, which lets us visualise how benefits compare to costs. The benefit score is shown on the x-axis and the cost score on the y-axis. Advice that falls in the bottom right quadrant (green area) is high-benefit, low-cost advice, the best kind. Advice that falls in the upper left quadrant (red area) is low-benefit, high-cost advice, the worst kind. Figure 6 shows the results of this plot for a selection of advice.
High-cost and low-benefit advice. Let us look first at the high-cost and low-benefit advice. Reassuringly, there is not much advice in this quadrant. The only piece of advice that falls in the red area is “change your passwords regularly.” This was high-cost advice for both the end-user and the organisation. Research has also shown that regular password changes have few security benefits and can do more harm than good [9, 51]. The NIST guidelines explicitly state that regular password changes should not be enforced [19]. One user in our user study wrote: “I hate this! The only solution I’ve come up with is to increment a number in the password each time. So inconvenient and frustrating, especially when combined with other bad password advice.”
The next piece of advice closest to the top left (high-cost and low-benefit) quadrant is “Use SMS or call-based 2-factor authentication.” While we have generally come to accept that two-factor authentication (2FA) offers security benefits, SMS- and call-based authentication have security flaws. Text messages and phone calls are not protected by end-to-end encryption, and phone numbers can be spoofed. In the initial draft of the NIST Digital Identity Guidelines, SMS-based two-factor authentication was to be deprecated [18]. However, this decision was overturned in the final version, which retains it as a restricted authenticator [19]. Susceptibility to spoofing explains why this advice receives a lower security ranking in our plot than 2FA using an app or specialised device. However, the low ranking of 2FA in general reflects a limitation of our model. Despite offering major decreases in attack probability in the important areas of phishing and online guessing, 2FA using a phone introduces four new attack vectors: physical theft, eavesdropping, side-channel attack, and endpoint compromise. Since our model has neither attack probabilities nor finer-grained weightings, it counts each new vector against the benefits at face value, so the new attack vectors cancel out or outweigh the two major decreases. This is only an issue for the 10 pieces of advice that have both positive and negative security impacts; however, it is important to keep in mind.
Low-cost and low-benefit advice. In the bottom left quadrant, we see low-cost and low-benefit advice. Enforcing a maximum password length falls directly into this category. This advice had no positive security value; it is an example of advice that compromises usability for no increase in security. Unfortunately, this practice is still enforced by organisations. In 2014, Saini assessed the policies of 23 different websites and found that 8 enforced a maximum password length of 40 characters or less [40]. Three of these limited the length to just 16 characters, and one limited it to 12. In the course of our study, we found that some websites only reveal their limit on password length after the user has attempted to use a longer password [33].
High-benefit advice. “Administrator accounts should have extra protection,” “Every user in an organisation must have their own account,” and “Implement technical defenses” all fall solidly within the bottom right quadrant. “Apply access control systems” comes at a higher cost but offers the strongest benefits of any advice. All the advice in this quadrant is shown in Table 8 under Good advice. Notice that most of the high-benefit advice is under the control of the organisation and not the end-user. It seems that if an organisation puts proper controls and secure systems in place, it can ensure a much higher level of security more effectively than by placing the burden on the user.
Some benefit and some cost advice. The advice in the blue diagonal is more difficult for us to form conclusions about. Anything on the positive x-axis offers security benefits but inevitably comes at a cost. For this advice, a more detailed quantitative analysis would be necessary to determine whether the benefits outweigh the costs.
For example, one expensive piece of advice is “Use 2-factor authentication using an app or special device.” However, it offers increases in security against online guessing and phishing attacks, two of the most common attack types. Whether the benefits outweigh the costs will likely depend on its implementation and on the needs of the specific organisation and its users. These nuances are something our current model cannot uncover. Similarly, the piece of advice “Use a password manager” lies at (benefits = 4, costs = 2). It was well regarded by users in our study. It can protect against three attack types, and most of the costs it incurs fall on the organisation. A password manager greatly reduces the user’s memory load, so a user can choose a password as long, random, and complex as they wish. However, as with many pieces of advice, the value of a password manager lies in how users utilise it. If a user adopts a password manager but continues to reuse a common password across multiple sites, many of the potential benefits will not materialise.
In summary, we see that, in many cases, it is difficult to distinguish at a glance whether the costs of security advice outweigh its benefits. Most advice had some negative impact on users or the organisation. This difficulty in assessing the tradeoff could be one reason why users and organisations often follow advice that researchers have shown to be ineffective: an “at a glance” judgement, even by a security professional, might not be possible for many of the pieces of advice we collected. Interestingly, we would have expected high-benefit advice to correlate with high costs. However, when we plotted a trend line for the full scatter plot of advice, this was not the case: the trend line had a negative slope of \(m=-0.0373\). The fact that high-cost advice does not map to high benefits implies that the advice we force users and organisations to follow does not necessarily yield positive returns for their effort. Interestingly, if we restrict to organisation costs, the trend line has a positive slope, while restricting to user costs gives a negative slope. This reinforces our earlier observation that organisational efforts seem to result in a better cost/benefit tradeoff.