Users Rationally Reject Security Advice

It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot.

From "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" by Cormac Herley, Microsoft Research. (HT:Slashdot)