We spend a lot of time talking about how to raise security awareness. We fill entire books, columns and conferences with it. However, anything that can go up must also go down. How about we turn the phrase on its head and ask what lowers security awareness? Just as there are behaviours that raise security awareness, there are also some that lower it. But what can we do about it? Name and shame was an important step in getting software vendors to deal with security vulnerabilities in their products. We should be equally critical when human vulnerabilities are created through the promotion of unsafe attitudes and behaviours. In this column I’m going to name and shame particularly egregious examples which I think reduce security awareness.
- Telling Users to Disable AV During Install. It’s simply astonishing that mainstream software vendors are telling users to disable their anti-virus in order to have a smooth install of software. For example, HTC includes this instruction when installing HTC Sync for Android on Windows. Installing software is precisely when you need AV to be running. You’ve clicked install, you’ve said yes to the box asking about admin privileges without even thinking about it, and now you’re going to disable your anti-virus? I’m not aware of any malware (unless you include HTC Sync) which includes a step asking the user to voluntarily disable their anti-virus, but it can’t be long until this approach is exploited. The problem here is partly the economic incentives. HTC presumably want to reduce the rate of complications arising from the install of their product. It’s not clear how many of their customers have had problems with anti-virus during the install, but all customers are being asked to disable their AV. However, the repercussions of this approach are an externality to HTC – they cost the customer when they suffer malware infections as a result. In the name of avoiding a few support calls they have put a lot of people at risk and are promoting the perception that AV needs to be disabled if you want software to install properly. Why does software need AV to be disabled? Is this shoddy programming? If so, is it the fault of the AV or of the software being installed? If anyone’s got some insight, perhaps they could let me know.
- Exaggerated Warnings. “Failure to properly set up, use, and care for this product can increase the risk of serious injury or death”. This was written on the packet as I unwrapped it. What was it? A chain saw? An 88mm anti-aircraft gun? No, it was a Microsoft Wireless Mouse. Death by mouse. Sounds nasty. The problem here is that vendors want to manage their liability and need to demonstrate that they warned people of danger. Exaggeration is rewarded while common-sense warnings could be punished (by courts awarding damages), so the incentive is to exaggerate fantastically for effect. Using hyperbolic language to describe such trivia demeans the language of risk, to the detriment of wider risk management efforts.
- Bundling Patches with Unwanted System Changes. I was visiting my mother-in-law and asked her why she hadn’t installed her Adobe Flash updates. “Last time I did,” she explained, “my system went haywire and it took days to get it working again, so I’m not touching any more Adobe updates.” I established that what she meant was that her computer had suddenly defaulted to Chrome as its browser. I checked and, sure enough, when you update, the default is to also make Google Chrome the default browser. It’s easy to miss if you’re clicking yes and aren’t expecting to change default browsers as part of an Adobe security update. If users have a poor experience applying patches then they will learn not to apply them. Adobe aren’t alone in this – updating Java with the default settings also installs the Ask Toolbar.
Economists have an expression, the “Tragedy of the Commons”, which describes how individuals and organisations acting in their own best interest can degrade a shared resource – in this case, security awareness. At the moment there is no apparent cost to organisations for pushing their bad advice on to consumers – this needs to change. As well as coming up with ways to raise security awareness, we also need to be more proactive as an industry in criticising examples of lowering it. If you’ve got any examples that you’d like to share then please get in touch.