I was reading a paper recently, which I initially thought was a joke (it looked scientific, therefore I was not too scared). But as our research department did it, it is serious and really, really good – at least it definitely made me think. It is called So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users – you should read it!
Basically it focuses on the cost/benefit of advice to end users from an end-user perspective. There are a few quotes from the paper (to tease you):
If you think it through – they are right. Then, they draw a few conclusions:
And then, please, read their final chapter on What Can We Do? – otherwise you will stay frustrated :-)