Hello, Andy Steingruebl here.
As a security team we find that we have several constituencies all of whom require a different form of communication. In general we spend most of our time communicating internally with project managers, product managers, developers, and operations staff. We generally know how to reach out to these folks and our main formal communication vehicle is the policy or standard.
Sometimes we're called upon to communicate directly with our users. Usually this takes the form of a post on the PayPal blog, a review of marketing materials, or the information that goes into the PayPal Security Center.
One of the groups that is hard to reach, however, is the technically savvy user. We can't share our internal policies and standards, but the information in our security center isn't really targeted towards this type of user either. Recently I was reading a post to Risks Digest in which there was a comment/complaint about a Treasury Department website and its web security policies and practices.
I spoke with the poster and we came to the conclusion that:
- The Treasury Department had been using a different threat model than he had when analysing their security measures.
- The Treasury Department had no way of communicating their threat model and security policy to the end user of their service.
As a result of these two factors, the user was in a position of believing that the Treasury Department had a faulty security model, when in fact my guess is that their model is actually entirely reasonable and just designed to protect against a different threat.
If a site like PayPal wants to reach out to a broad audience, and clear up some of the doubts, misconceptions, and so on that arise over time, we need to find a way to safely but openly discuss our security policy assumptions with our end users. We need to explain that we believe phishing, malware, and operating system weaknesses are some of the issues we're protecting against, or that we believe are our biggest threats.
We don't want everyone to need to sort through these sorts of messages, but we think it might be useful to have some form of communication on the site about these policies.
In discussing this with the original Risks poster, he suggested that in their case perhaps a simple statement would suffice, such as: "This special method of entering your password is designed to protect against the possibility that malicious software is installed on your computer and eavesdropping on your keystrokes."
I like this element of simplicity, and in the future I'll be trying to craft exactly these sorts of statements for a broader audience.