I was reading a paper recently, which I initially thought was a joke (it looked scientific, therefore I was not too scared). But as our research department did it, it is serious and really, really good – at least it definitely made me think. It is called So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users – you should read it!

Basically, it focuses on the cost/benefit of security advice from the end user's perspective. Here are a few quotes from the paper (to tease you):

  • We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective.
  • A study of password habits in 2007 [26] found that users still choose the weakest they can get away with, much as they did three decades earlier [45].
  • For example, it makes little sense to invest effort in password strength requirements if phishing and keylogging are the main threats. It does not pay to learn URL reading rules to recognize phishing sites when the direct losses borne by users average less than a dollar a year. It's hard to blame users for not being interested in SSL and certificates when (as far as we can determine) 100% of all certificate errors seen by users are false positives.

If you think it through – they are right. They then draw a few conclusions:

  • Users Understand Risks better than We do
  • Worst Case Harm and Actual Harm are not the Same
  • User Effort is not Free
  • Designing Security Advice is not an Unconstrained Optimization
  • The Economic Harm of Security Advice

and then, please, read their final chapter on What Can We Do? – otherwise you will stay frustrated :-)

Roger