Security theater online

By Felix Salmon
April 13, 2010
Mark Pothier has a well-written and compelling write-up of a great paper by Cormac Herley of Microsoft, which demonstrates that most of the things we do on the instruction of various IT departments are a waste of time. My favorite datapoint is that fully 100% of certificate error warnings — those roadblocks you get sometimes when you try to visit a secure website — are false positives.

Next time I log in to my computer at Reuters, I’m going to have to change my password — again. But as Pothier says, that won’t do any good to anybody:

Users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.

The biggest losers here are actually companies like Reuters itself, which pays its employees to spend thousands of hours jumping through silly hoops set by IT people, despite the fact that there’s no real evidence that jumping through those hoops does any good at all.

For instance, I’ve had an email address since 1993, when storage space cost $2,000 per gigabyte; it now costs about 5 cents per gigabyte. In those 17 years, I’ve never deleted a non-spam email: I haven’t felt the need. But now Reuters is telling me that I can’t have more than half a gigabyte of storage space for my email (about 3 cents’ worth) unless I spend a very significant amount of time deleting at least 100MB of email per week. No matter how little my time is worth, it’s certain that the value of 100MB of freed-up disk space is lower than the value of the time I’m going to spend doing the deleting. (Not to mention the value of the time of the people I asked about raising my email quota.) But still the rules persist: maybe they were put in place back in 1993, and have never been changed.

It’s not just my time that is being wasted, either. Last night I spent about half an hour on the phone to First Direct, my bank in England, trying to navigate their incomprehensible online banking security system. I talked to two real people, who walked me through all the various steps, and who had information I didn’t: they could tell me that when the system seemed to be saying my password was wrong but the answer to my personal question was right, it was in fact the other way around. The cost to First Direct of its employees’ time was vastly greater than any benefit to the bank, as Pothier explains using a US example:

For banks, the greater potential for damages comes not from a phishing attack itself, but indirect expenses. Herley used Wells Fargo as an example. He wrote that if a mere 10 percent of its 48 million customers needed the assistance of a company agent to reset their passwords — at about $10 per reset — it would cost $48 million, far surpassing Wells Fargo’s share of the $60 million in collective losses.

The bigger picture is simple:

In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It’s a high hurdle to clear.

I think it’s reasonable to assume that the idiotic practice of masking passwords by turning them into dots takes up a good minute of people’s time each day, and saves much less than $16 billion a year if it saves anything at all. (In fact, there’s a strong case to be made that it actually costs companies money, rather than saving them anything.) But it’s all part of the greater apparatus of security theater now, and a lot of people think that it’s making them safer somehow, even when it isn’t. So our time will continue to be wasted, and at some point in the next few weeks I’m going to spend $50 worth of my own time to save a couple of pennies in email storage costs. But hey, at least I got a blog post out of it.


Felix–It’s not about you, the rules set about IT are set to reduce IT costs (less storage) and improve (?) IT security.

While I agree the storage thing is way off base–even if Reuters has a gazillion employees–security does, in fact, cost money–both in IT costs and employee costs. The question is whether the additional security costs exceed the IT risk reduction.

…and a security professional will ALWAYS err on the most risk-averse side.

Posted by Lilguy

Corporate email storage limits are about risk management of a different kind – the fewer emails you’re allowed to keep indefinitely, the less they have to worry about what’s still around when the litigation discovery request comes in.

Posted by souhaite

Lilguy – that’s because security professionals are paid to think about risks, not costs. The actual costs of the risks really do seldom reach the costs of avoiding the risks. It’s like terrorism prevention – enormous sums are spent by the US, on the order of 100s of millions per life saved, because of focusing on a specific risk without much thought about the cost.

Souhaite – storage limits can be enforced differently though, by simply deleting emails that are older than a certain date and that haven’t been saved to a non-expiring folder.

Posted by BarryKelly

“Users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote”

I’m no security expert, but it seems to me that the real problem with regularly changed passwords (my company forces a change at least once a month) is that it makes users much less likely to use a “strong” password, because they’re difficult to remember. It’s bad enough having dozens of different passwords for all the various internet services, without having to remember a new strong password every month for work – without which you’re locked out of your computer.

Posted by GingerYellow

While I agree with your larger point about security theater, I have to take issue with your example of email storage.

The “5 cents per gigabyte” number is for raw disk drive space, which is *entirely different* from the cost of maintaining the highly available storage arrays that are required for enterprise services like corporate email. Can you go to Best Buy and buy a terabyte drive for 70 bucks? Sure. However, that example doesn’t even remotely apply when you’re talking about maintaining and expanding disk space in a multi-server Exchange environment.

Posted by downdb

60 seconds a day? Really? I’m not sure I even spend that much time a day entering passwords — and I do enter a lot of passwords in a day — and I doubt masking costs me any time whatsoever on most days. Suppose I mistype a password twice a week, and suppose I would notice it before mechanically hitting “enter” if I could read it in plain text, then maybe I would save a minute every month and a half. Password masking might not have a huge benefit, but I can’t imagine its cost is nearly as high as you’re portraying.

Incidentally, I agree with GingerYellow — the worst thing about regularly changing passwords is that people don’t bother to come up with good ones if they have to do it and relearn it every two months.

Posted by dWj

Remember who you’re dealing with: it was IT guys that decided it would save money to erase and record over the master tapes of At Last The 1948 Show.

Posted by HBC

As others have mentioned, disk space is irrelevant to the cost of Email storage.

Maintenance of the server(s) and especially backups are the big cost sinks. Any IT group worth its salt is keeping off-site backups of all data going back several years. The time, media, and labor of providing such backups is orders of magnitude more than 5 cents per gigabyte.

What is your problem with the “mask password with dots” thing? If I have ever mis-typed my password, I cannot remember it, and it is nice to know that nobody can get my password just by walking past my screen while I happen to be typing it.

Agree re: changing passwords regularly. That is just stupid.

Posted by NemoP

I can’t stand how many times I have to change my BlackBerry password.

Posted by Story_Burn

That economic analysis isn’t crude, it is simply wrong.
There is no cost to the customer’s time.
It is a cost to their employer, if and only if they can’t fit in calling the bank around doing their normal job.
Obviously they can.
So there is no cost.
Felix’s value is easier to calculate since presumably blog posts = money. For most people that isn’t the case. They will simply use their “free” time calling the bank rather than updating their Facebook status or commenting on financial blogs…

Posted by TinyTim1

I think for the mailbox size, it’s a limitation of Microsoft Exchange Server: the technology behind it is way outdated (at least up to the 2003 version) and cannot handle large mailboxes. But would IT take the risk of using anything but Microsoft? It would require too much expertise… So we’re stuck.

Posted by MatNYC

As others have said, there are things to agree with here and things to disagree with. I’m an IT professional myself and my company is currently going through the process of a data center consolidation. Let me tell you, we’re learning first hand the true cost of email retention. Bandwidth is a massive cost that you’re forgetting about and not just for moving the servers around but also for offsite backups which occur daily.

Also, how can you possibly complain about password box characters?? Think about that the next time you have to enter your password while you’re giving a presentation or are sharing your desktop for IT troubleshooting.

Finally, I do agree with you about revolving passwords. They’re a nuisance in the best case and a security risk in the worst. Another problem is the fact that strong passwords are not standardized. Some companies want a password that is 8-12 characters. Some > 12. Some want alpha-numeric, some want symbol-alpha-numeric, some want capital letters-symbol-alpha-numeric.

Posted by spectre855

I believe the password-changing trend dates back to when passwords were stolen by brute force (attempting to log in with a computer program going through a dictionary). Since most secure sites lock access after 3 failed attempts, that’s not much of a concern anymore.

Posted by drewbie
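The mechanism drewbie describes, as an added example that is not part of the original post or its comments: a constructed login service with a per-account failed-attempt lockout, and a scripted dictionary attacker run against it once without the lockout and once with it. The user store, the wordlist, the threshold of three and the use of PBKDF2 for the stored hash are all assumptions made for the illustration, not anything the page or the commenter specifies.

```python
"""Online dictionary attack against a login endpoint, with and without a
failed-attempt lockout. Added example with a constructed user store and
wordlist; the lockout threshold and hashing scheme are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0      # consecutive failed logins, reset on success
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever a real store uses; the point here is
    # the attempt counting, not the hash construction.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class LoginService:
    """Password check with an optional per-account lockout after N failures."""

    def __init__(self, lockout_threshold: Optional[int] = None) -> None:
        self.accounts: Dict[str, Account] = {}
        self.threshold = lockout_threshold

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'fail' or 'locked'; unknown users look like a bad password."""
        acct = self.accounts.get(user)
        if acct is None:
            return "fail"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.threshold is not None and acct.failures >= self.threshold:
            acct.locked = True
            return "locked"
        return "fail"


# Constructed wordlist, ordered the way a guessing program would try it.
WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty", "Password123", "summer2010"]


def dictionary_attack(service: LoginService, user: str, wordlist: List[str]) -> Tuple[str, int]:
    """Guess each word in turn; returns (outcome, number of guesses submitted)."""
    for tried, guess in enumerate(wordlist, start=1):
        result = service.login(user, guess)
        if result == "ok":
            return ("cracked", tried)
        if result == "locked":
            return ("locked_out", tried)
    return ("exhausted", len(wordlist))


def compare_policies(password: str) -> Dict[str, Tuple[str, int]]:
    """Same weak password, same wordlist, with and without a 3-strike lockout."""
    outcomes = {}
    for label, threshold in (("no_lockout", None), ("lockout_after_3", 3)):
        svc = LoginService(lockout_threshold=threshold)
        svc.register("victim", password)
        outcomes[label] = dictionary_attack(svc, "victim", WORDLIST)
    return outcomes


if __name__ == "__main__":
    for label, outcome in compare_policies("Password123").items():
        print(f"{label:16s} -> {outcome}")
```

Run as a script it shows the attacker reaching the password on the fifth guess without a lockout and being cut off on the third with one. Two things the comment leaves implicit: the counter has to be kept per account and cleared on a successful login, as `login` does, or one user's typos lock out everybody; and a lockout that never expires lets anyone who knows a username freeze that account with three wrong guesses, which is why deployed systems use a timed lockout or a growing delay rather than a permanent one.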

What is it that we are hiding ?

Is this cyber terrorist a hacker or a cracker ?

My password is: “Password123”

You are correct, it is a theatre, are you smoking crack ?

Posted by Ghandiolfini

I had a terrible, life-changing experience with passwords. My firm required capitalized and lower case letters, plus a number. They had to be changed once a month. As part of my job as the firm’s “expert” on complex tax issues, I had about 8-10 subscriptions to publications that also had varying rules so that I couldn’t use the same password everywhere.

Needless to say, one weekend IT shut down the whole system, and required multiple logins with two different passwords to access our computers on Monday morning. I don’t know what went wrong with me mentally, but I had to call IT three times to get new passwords. We were not permitted to write them down on threat of termination.

Repeatedly frustrated, and with a crucial report due that afternoon, I gave my passwords to a little-known co-worker, so I would not be embarrassed by having to call IT again. The passwords were a random string of letters and numbers.

She forgot the passwords, and I had a panic attack in the office which led to me being terminated and sent to a psychiatric institute for treatment. Granted, I should have gathered my wits, and proceeded calmly, but I had worked myself into an irrational panic by that point.

The incident was the most embarrassing and traumatic that I had ever experienced. I was led away in handcuffs for running around the office like a nut-case. No damage came from the event, it was just an uncontrolled panic attack.

Now, I simply will not sign up for ANY website that deems my password “inadequate” by their standards. My password is 10 lower case letters, and I refuse to cause myself such stress ever again. Nothing like that had ever happened before, and I still wonder why I reacted the way I did. The whole experience had life-changing consequences for me. Feel free to share this traumatic description with any interested readers.

Posted by TaxLawyer

It’s a brilliant write-up; at Reuters’ best you can observe and blog it. It’s a great analysis, and thank you for such a compelling study.

Posted by Ismailtaimur