Cormac Herley of Microsoft Research recently published a paper titled, “So Long, and No Thanks for all the Externalities,” in which he argues that the common situation of users ignoring or bypassing computer security measures is economically rational, and that many of these security measures may hurt more than they help. He also suggests a calculus that can be used to find, if not a precise balance between policies that help and hurt, at least the bounds for what options should be considered.

Herley makes several excellent points about how the economic cost of security policies is frequently ignored, and I believe that, within certain constraints, his suggested calculus is helpful for evaluating the benefits and costs of these policies. Further, I strongly suspect his broader conclusion is correct, and many security policies produce a net harm. Note, however, I said that the applicability of his calculus has constraints — Herley does not explicitly identify these constraints, and thus misapplies his own calculus. The examples Herley provides are faulty and cannot be used in support of his conclusion.

A quick summary of Herley’s calculus

Herley suggests all potential security policies be evaluated in terms of their cost compared to the maximum potential benefit they could possibly provide. He makes clear that the upper bound for this benefit is the total direct losses due to the particular type of attack that the security policy is supposed to mitigate. For example, the total losses a company suffers due to dictionary attacks on passwords may be $50 million. If this is the case, then a potential security policy intended to mitigate password attacks should have a total cost of no more than $50 million — even if you assume the policy is 100% effective, it would still be costing more than it saves.

The calculus works here. It assumes that implementing a proposed security policy will lower the total direct loss — in other words, if you are losing $50 million now to dictionary attacks, after putting the policy in place you will be losing somewhere between $0 and $50 million due to those attacks. $50 million is, thus, an effective upper bound for what a proposed policy could help.

Where Herley goes wrong

Herley makes his big mistake when he tries to work the other way, and discusses policies that are already in place. He claims that the economic cost of the extant policies should be less than the current losses in order to make sense. However, what was an upper bound when considering hypothetical policies becomes a lower bound for existing policies. Consider: If you are losing $50 million on dictionary attacks with your current password policies, making those policies more lax will increase your losses. It could be $100 million, or $1 billion, or more. $50 million is the minimum you lose when you loosen your security policies.

This is a critical mistake to make, and unfortunately Herley’s examples rely on it heavily. For example:

“However, the Paypal CISO [5] states that “Forty-one basis points is the total fraud number” on Paypal’s system. Thus 0.49% of Paypal’s Transaction Volume, or $290 million, would appear to upper bound all of the password related attacks. Given that Paypal had 70 million active users in 2008, all of the annual security advice should consume no more than $290/70 = $4.14 or about seventeen minutes of twice minimum wage time per year. But even this loose bound assumes that users are liable for the loss and can address it by following security advice.”

Ignore the transcription error here (it should be 0.41%, not 0.49%), as it’s beside the point. Herley argues that, since $290 million is the current amount of fraud, the current security measures should cost no more than that. However, that’s simply wrong. $290 million is the minimum PayPal loses despite all the security measures. Take away, say, the password complexity rules, and fraud may balloon into the billions. Herley’s calculus can only apply to new rules that PayPal is considering implementing but hasn’t yet.
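To make the two directions of the argument concrete, here is a small added example (my own code, not Herley’s or PayPal’s) that encodes the calculus as summarised above for a proposed policy, and the correction argued here for a policy that is already in place. The $14.50 hourly rate (twice a $7.25 minimum wage) and the “loss without the policy” figures are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class PolicyBudget:
    dollars_per_user: float
    minutes_per_user: float


def proposed_policy_budget(annual_loss: float, active_users: int,
                           hourly_rate: float) -> PolicyBudget:
    """Upper bound on what a *proposed* mitigation may cost per user.

    annual_loss is the total direct loss from the attack class the policy
    targets. Even a 100% effective policy cannot recover more than that,
    so annual_loss / active_users is the most each user's time may cost.
    """
    dollars = annual_loss / active_users
    minutes = dollars / hourly_rate * 60
    return PolicyBudget(dollars, minutes)


def proposed_policy_pays_off(annual_loss: float, policy_cost: float) -> bool:
    """Herley's test: valid only for a policy that is not yet in place."""
    return policy_cost <= annual_loss


def existing_policy_pays_off(current_loss: float, policy_cost: float,
                             loss_without_policy: float) -> bool:
    """The correction for a policy already in place.

    current_loss is a *lower* bound on what you would lose without the
    policy, so an estimate of that counterfactual loss is required;
    current_loss on its own decides nothing.
    """
    if loss_without_policy < current_loss:
        raise ValueError("removing a control cannot reduce the loss it mitigates")
    avoided_loss = loss_without_policy - current_loss
    return policy_cost <= avoided_loss


if __name__ == "__main__":
    # Figures from the quoted PayPal passage; $14.50/h is an assumption.
    budget = proposed_policy_budget(290e6, 70e6, 14.50)
    print(f"${budget.dollars_per_user:.2f} and {budget.minutes_per_user:.0f} min per user per year")
    # Constructed figures: a $400M control with fraud currently at $290M fails
    # the misapplied test, but pays off if fraud would be $2B without it.
    print(proposed_policy_pays_off(290e6, 400e6))       # False
    print(existing_policy_pays_off(290e6, 400e6, 2e9))  # True
```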

How to salvage this

What I’ve said here doesn’t negate the usefulness of Herley’s calculus for proposed security policies. That still would work as Herley proposes. Evaluating extant security policies requires more work, however, and is fraught with its own difficulties. I’ll discuss those in a future post.