So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users

Cormac Herley

Abstract

The failure of users to follow security advice has often been noted. They chose weak passwords, ignore secu- rity warnings, and are oblivious to certificates. It is often suggested that users are hopelessly lazy and un- motivated on security questions. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. As with many activities, online crime generates direct losses and ex- ternalities. The advice offers to shield them from the direct costs of attacks, but burdens them with the in- direct costs, or externalities. Since the direct costs are generally small relative to the indirect ones, they reject this bargain. We examine three areas of user educa- tion: password rules, phishing site identification, and SSL certificates. In each we find that the advice is com- plex and growing, but the benefit is largely speculative or moot. In the cases where we can estimate benefit, it emerges that the burden of following the security advice is actually greater than the direct losses caused by the attack.

Details

Publication typeArticle
Published inNSPW
NumberMSR-TR-2009-46
PublisherAssociation for Computing Machinery, Inc.
> Publications > So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users