The cost of being scared safe

2012-11-01

Stephen Cobb

ESET, USA
Editor: Helen Martin

Abstract

‘The throttling effect of fear on consumer uptake of online shopping and banking is certainly real.’ Stephen Cobb, ESET.


Is online banking a good thing? How about shopping online, or social networking, or plain old email? To what extent does society benefit from these activities? Members of the anti-virus community surely ponder these questions, and not just because participation in these activities is undermined by the malware that we are all working to defeat. What I want to ponder right now is the effect of the advice we give about protecting data and systems – be they consumer, corporate, governmental, non-profit or NGO – on society’s participation in those activities.

Defeating malware requires a combination of human and technical factors. Among the human factors are numerous behaviours that we would like to foster, like using strong passwords and keeping them secret (e.g. refusing to reveal them in exchange for the promise of a free laptop). This fostering may happen as part of a security awareness programme or through advice we give to clients. We may even give advice about security behaviour to the general public in response to media inquiries sparked by news of the latest security incident.

Increasingly, I worry that the way we frame our responses to security incidents, or the manner in which we seek to encourage safer computing behaviour, might have a negative impact on participation in online activities. Consider an awareness poster shared at the recent APWG conference by Tyler Moore of Southern Methodist University. It features a simple image: a young lady wearing a forlorn expression. The text says: ‘Yesterday, I verified my password for an email that said I’d won a free laptop. Today, I am an identity theft victim.’

This style of awareness-raising can be characterized as ‘scared safe’. The poster drives home the point that you can really mess up if you are not careful about what you do online, which is true, but you could argue that this style of messaging may discourage some people from online participation completely – including activities that could be beneficial to them. In fact, this argument has been made by Rainer Böhme and Tyler Moore in their APWG paper entitled ‘How Do Consumers React to Cybercrime?’

The paper argues that analysis of a collection of data on 18,000 Internet users in the EU shows that concern about cybercrime inhibits online participation more than direct experience with cybercrime does. Moore and Böhme interpret this finding in the light of data presented at VB2012 and published in the paper ‘Measuring the cost of cybercrime’ (Moore, Böhme, Anderson, Barton, Clayton, van Eeten, Levi and Savage). This impressive attempt to accurately categorize and quantify the costs of cybercrime found that loss of confidence in online transactions is the largest category of cost, estimated at $30 billion. In other words, security awareness efforts that increase the fear factor (thereby reducing online trust) can be very costly.

Who bears the cost? In the Moore/Böhme model, it appears that banks and retailers take the hit, in lost productivity and reduced revenue. The throttling effect of fear on consumer uptake of online shopping and banking is certainly real. In an ESET survey of American consumers conducted this summer, some 15 per cent of respondents said they were refraining from online banking because of fear and/or lack of trust. Moore and Böhme cite Eurostat’s 2010 ICT survey in which 14 per cent of UK consumers stated that they refrained from buying goods or services online because of security concerns.

Whether or not you think that fewer people shopping online and using online banking is bad for society depends on a range of cultural factors. Personally, I am concerned that mounting security issues affecting online fundamentals like email might reduce our ability to communicate reliably and conveniently in a manner that has become part of our social fabric. I also think that finding positive ways to encourage security-enhancing behaviours is a noble quest regardless of whether or not you value the ability to shop and bank online. The strategy of ‘scaring users safe’ might have worked for internal security awareness in the last century, but now that more or less everyone in society is a computer user, we need a different, more positive approach.
