Rational Rejection of Security Advice

In researching content for an update of my organization’s Information Security policy, I came across some very poignant research from MS titled “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users”.

The crux of the document is that most everyone agrees there are security vulnerabilities out there for the end user that we could protect ourselves from, but the effort required to mitigate them exceeds the risk exposure they pose; i.e., the cure is worse than the disease. This theme is borne out through examination of three common security deficiencies of users who are “hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificate errors.”

The author, Cormac Herley, comes up with some really insightful conclusions that we IT managers, Infosec personnel, and auditors would do well to remember: users’ rejection of security advice is entirely rational from an economic perspective, because …

  • Users understand risks better than we do
  • Worst-case harm and actual harm are not the same
  • User effort is not free