“A lot of advice makes sense only if we think user time has no value,” Herley explained. His back-of-the-envelope calculations suggest that if strict password requirements cost workers a minute of their time each day, that adds up to about $16 billion worth of lost time annually. Security recommendations, he reasons, should prevent at least that much in losses to be worth implementing.

I have a couple of comments about Herley’s study. The first one is I can’t blame him for picking Wells Fargo as an example. I believe that somewhere I have read a case study that they actually implemented a solution to reduce the number of password resets they were doing, so they probably aren’t the best example, but how would he know? Also, most companies nowadays have implemented some sort of self-service password reset solution, so I am again not so sure about his theory. Anyway, while sitting here I figured I’d do the math on this problem:
For example, many U.S. banks reimburse customers who’ve been the victims of phishing attacks, but such payouts cost the entire industry only about $60 million a year. Herley estimates that if 10 percent of Wells Fargo’s customers need a customer service rep to help them reset a password, at $10 a reset, that costs the company $48 million – far more than its share of the industry total.
The answer, he says, is basing cost estimates on actual victimization rates, rather than worst-case-scenario projections, and prioritizing accordingly.
- $48 million/year at $10/reset = 4.8 million password resets per year
- 4.8 million password resets/365 = 13,150 password resets per day
- 13,150 password resets per day/1440 = 9 password resets per minute (let’s round up to 10 resets per minute)
- Assume 3 shifts of 10 workers at a generous $50K/worker = $1,500,000
- Check your math – both ways to make sure things make sense.
- It may be cheaper not to put locks on your doors because you have insurance, but is it really worth the hassle of having to spend so much time with the insurance people, the police, and who knows who else every time you have something stolen from you?
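The reset-desk math above as a small Python cost model, added here and not part of the original post. It reproduces the post’s figures ($48M at $10/reset, 3 shifts of 10 agents at $50K) and makes explicit two assumptions the bullets leave implicit: the average handle time per reset and agent utilization (the post’s numbers imply about one minute per reset at 100% utilization); both parameters are mine, not the post’s.

```python
# Added example, not code from the original post: a "cost per reset" projection
# converted into the staffing it actually implies, so the $48M figure can be
# checked against what a reset desk of a given size would cost.
import math

MINUTES_PER_DAY = 24 * 60
DAYS_PER_YEAR = 365


def resets_per_year(annual_reset_cost, cost_per_reset):
    """Resets implied by a per-reset projection, e.g. $48M at $10 per reset."""
    return annual_reset_cost / cost_per_reset


def resets_per_minute(annual_resets):
    """Average arrival rate, spreading the yearly volume evenly over 24x365."""
    return annual_resets / DAYS_PER_YEAR / MINUTES_PER_DAY


def agents_needed(annual_resets, handle_minutes=1.0, utilization=1.0):
    """Concurrent agents needed to absorb the average load.

    handle_minutes: assumed agent time per reset (post implies ~1 minute).
    utilization: assumed fraction of agent time available for resets (post implies 1.0).
    """
    load = resets_per_minute(annual_resets) * handle_minutes  # work in progress at any instant
    return math.ceil(load / utilization)


def staffing_cost(annual_resets, shifts=3, cost_per_agent=50_000,
                  handle_minutes=1.0, utilization=1.0):
    """Annual salary cost of covering 24 hours with `shifts` shifts of agents."""
    per_shift = agents_needed(annual_resets, handle_minutes, utilization)
    return per_shift * shifts * cost_per_agent


def compare(annual_reset_cost=48_000_000, cost_per_reset=10, **staffing):
    """Return (resets/year, resets/minute, staffing cost) for the projection vs. a staffed desk."""
    n = resets_per_year(annual_reset_cost, cost_per_reset)
    return n, resets_per_minute(n), staffing_cost(n, **staffing)


if __name__ == "__main__":
    n, rate, cost = compare()
    print(f"{n:,.0f} resets/yr, {rate:.2f}/min, staffing ${cost:,.0f}")
    # Same volume with a more realistic 5-minute handle time at 80% utilization:
    print(f"staffing at 5 min/reset, 80%: ${compare(handle_minutes=5, utilization=0.8)[2]:,.0f}")
```

Varying `handle_minutes` and `utilization` shows how far the projection and the staffing estimate move apart under different assumptions, which is the check the post’s “both ways” bullet is asking for.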