Are We Really in Touch with Cost-Benefit Ratios for Controls?
The world of information security is truly fascinating. At the same time, the volume of security-related risk in this arena is so great that it is easy to lose sight of realities that others, particularly executive-level management, IT, and other critical business functions, see clearly.
Two days ago I delivered a presentation at the ISSA-Bay Area Chapter Meeting. I brought up and discussed a number of long-held preconceptions concerning password settings. I then suggested that a number of widely recommended password-related settings on Windows and other systems need to be reexamined. Perhaps most importantly, however, I challenged those who attended to reexamine their conceptions of cost-versus-benefit ratios regarding passwords. We tend to think, for example, that a nine-character password is more resistant to password cracking than an eight-character password, that an eight-character password is less likely to be cracked than a seven-character one, and that the cost of requiring the longer password is minuscule. Results of empirical research show that although there is some difference in resistance to cracking between an eight-character password and shorter ones, there is no appreciable difference between an eight-character and a nine-character (or even a ten- or eleven-character) password. At the same time, contemporary password crackers can easily crack passwords of any of these lengths, however strong they may superficially seem. Crackers that use rainbow tables eventually succeed against any unsalted password that falls within the length and character-set range the tables were built for, and that range already covers the eight- to eleven-character passwords in question. The question, then, is why we require a nine- instead of an eight-character password, or a ten- instead of a nine-character one.
My views of cost-benefit ratios concerning password length and quality have recently been very much influenced by a white paper written by Cormac Herley of Microsoft Research. He presents an economic analysis that assigns a value to the user time spent on what we consider menial computer interaction tasks. He argues that somewhere in the vicinity of 200 million adults in the US go online every day. If their time is valued at twice the US minimum wage, a single minute per day from each of them adds up to roughly $16 billion per year. These sobering figures should help us better understand the financial cost of the measures we impose on users, and in so doing help us weigh the costs and benefits of information security measures.
A good area to examine is passwords, a legacy authentication method that should have died out in the 1980s. According to Herley, if only 10 percent of Wells Fargo's approximately 48 million customers were to need help from the bank's help desk to reset their passwords, and if each reset were conservatively assumed to cost about $10 (a figure well below real-world help desk costs), the total yearly cost would be $48 million, a sum not far below what the bank itself loses to fraud each year (after subtracting the share of losses borne by other banks and merchants). So the main point is that requiring passwords that satisfy a policy such as Microsoft's password complexity requirements might not seem like a big deal to seasoned information security staff, but there is a real and potentially large financial cost to the business, much of it the help desk cost incurred when users have trouble creating or remembering a more complex password. The "bottom line" is that we have to pick our battles carefully. We should not, for example, be advocating a minimum password length of nine when eight would for all practical purposes serve the cause of risk mitigation just as well.
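To make the arithmetic in the preceding paragraphs concrete, here is an added Python example (not from the original post and not from Herley's paper) that puts the cost side of a password-length control next to what the extra character buys against an offline exhaustive search. The $13.10/hour wage (twice an assumed $6.55 minimum), the 95-symbol printable-ASCII alphabet, the 10^11 guesses-per-second hash rate, and the extra-minutes and extra-reset figures fed to `assess_length_increase` are my assumptions, not figures from the post.

```python
"""Cost/benefit arithmetic for a password-length control.

Added example: the cost functions reproduce the figures quoted from
Herley; the keyspace functions show what an extra character buys against
a brute-force search of an unsalted hash. All parameter values below are
assumptions chosen for illustration.
"""

PRINTABLE_ASCII = 95      # upper + lower + digits + symbols, as a 'complex' policy allows
SECONDS_PER_HOUR = 3600


def keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return alphabet ** length


def exhaustive_search_hours(length: int, guesses_per_second: float,
                            alphabet: int = PRINTABLE_ASCII) -> float:
    """Expected hours to recover one unsalted password by brute force.

    The hit comes, on average, after half the space has been tried. This is
    the defender's best case: a user who really draws every character
    uniformly from the whole alphabet.
    """
    return keyspace(length, alphabet) / 2 / guesses_per_second / SECONDS_PER_HOUR


def user_time_cost_per_year(users: int, minutes_per_day: float,
                            hourly_wage: float, days: int = 365) -> float:
    """Herley's aggregate: population x minutes per day x wage x days."""
    return users * minutes_per_day / 60 * hourly_wage * days


def help_desk_reset_cost_per_year(customers: int, reset_fraction: float,
                                  cost_per_reset: float) -> float:
    """Herley's Wells Fargo example: fraction needing a reset x cost each."""
    return customers * reset_fraction * cost_per_reset


def assess_length_increase(old_len: int, new_len: int, *, users: int,
                           extra_minutes_per_day: float, hourly_wage: float,
                           extra_reset_fraction: float, cost_per_reset: float,
                           guesses_per_second: float) -> dict:
    """Marginal yearly cost of raising the minimum length from old_len to
    new_len, next to the marginal brute-force work it buys, so the two can
    be weighed against each other rather than asserted."""
    return {
        "annual_user_time_cost": user_time_cost_per_year(
            users, extra_minutes_per_day, hourly_wage),
        "annual_reset_cost": help_desk_reset_cost_per_year(
            users, extra_reset_fraction, cost_per_reset),
        "keyspace_factor": keyspace(new_len) // keyspace(old_len),
        "old_search_hours": exhaustive_search_hours(old_len, guesses_per_second),
        "new_search_hours": exhaustive_search_hours(new_len, guesses_per_second),
    }


if __name__ == "__main__":
    # Herley's two headline figures (assumed wage: $13.10/hour).
    print(f"one minute/day for 200M users: "
          f"${user_time_cost_per_year(200_000_000, 1, 13.10) / 1e9:.1f} billion/year")
    print(f"10% of 48M customers resetting at $10: "
          f"${help_desk_reset_cost_per_year(48_000_000, 0.10, 10.0) / 1e6:.0f} million/year")

    # Assumed marginal figures for going from 8 to 9 characters at one bank.
    r = assess_length_increase(8, 9, users=48_000_000, extra_minutes_per_day=0.5,
                               hourly_wage=13.10, extra_reset_fraction=0.02,
                               cost_per_reset=10.0, guesses_per_second=1e11)
    for k, v in r.items():
        print(f"{k:>22}: {v:,.2f}")
```

Two caveats belong next to those numbers. The 95x keyspace factor is only realized if users actually fill the extra position with entropy; dictionary and rule-based attacks guess the predictable digit or symbol that people append, which is the empirical point the post is making. And rainbow tables amortize the search cost into a one-time precomputation per hash format and length range, so a per-password salt, not a longer minimum length, is what defeats them.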
The real message here is the old adage that we must continually weigh real costs against real benefits before we start saying that the sky is falling and that only solution "A" will adequately solve the problem. We need to be objective enough to weigh the true cost of any control against its true benefit. And business-related costs should be weighted most heavily.