Friday, March 19, 2010

NEWSBANK :: So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users

http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

So Long, And No Thanks for the Externalities:

The Rational Rejection of Security Advice by Users

ABSTRACT

It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses.

Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
