Security experts: ‘Pausing doesn’t improve cybersecurity, better system design will’

Cybersecurity experts Bruce Schneier and Arun Vishwanath reflect on an awareness campaign that was recently launched. Taking a nine second pause and thinking before you click hardly helps to improve our cybersecurity, they say.

Take9 is a public service campaign created by a coalition of top-notch cybersecurity organizations. Their advice to internet users is to pause for nine seconds before clicking on a URL or downloading files. A short pause goes a long way in improving our cybersecurity, the campaign suggests.

Despite all good intentions, the campaign won’t do much to improve cybersecurity, Bruce Schneier and Arun Vishwanath argue in an online essay.

For starters, they don’t think the advice is realistic. “A nine second pause is an eternity in something as routine as using your computer or phone. Then think about how many links you click on and how many things you forward or reply to,” the security experts write.

In addition, when should we pause for nine seconds? After every text message? Before we click any link in our web browser? Every time a page loads? “The logistics quickly become impossible. I doubt they tested the idea on actual users,” Schneier and Vishwanath wonder.

Secondly, the security experts refer to an online campaign that was launched almost a decade ago: the ‘Stop. Think. Connect’ campaign from 2016. The message was pretty much the same, but it didn’t work back then either.

Is the most recent online campaign a waste of our time? Not exactly, but we have to be realistic and realize that pausing only adds a little to improve our online security. The problem is that people aren’t able to differentiate between something legitimate and an attack.

Schneier’s and Vishwanath’s biggest concern, however, is that Take9 offers no guidance. “It presumes people have the cognitive tools to understand the myriad potential attacks and figure out which one of the thousands of Internet actions they take is harmful. If people don’t have the right knowledge, pausing for longer—even a minute—will do nothing to add knowledge,” they say.

Lastly, the industry should not try to ‘fix the user’ but rather come up with a better system design.“The problem is that we’ve designed these systems to be so insecure that regular, nontechnical people can’t use them with confidence. We’re using security awareness campaigns to cover up bad system design,” Schneier and Vishwanath conclude.