Are users right in rejecting security advice?

[ Thanks to Golodh for this link. ]

"Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working.

"Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process. He offers the following as reasons why:

* Users understand, there is no assurance that heeding advice will protect them from attacks.
* Users also know that each additional security measure adds cost.
* Users perceive attacks to be rare. Not so with security advice; it's a constant burden, thus costs more than an actual attack."

Complete Story

Related Stories:

• The Perils of Sudo With User Passwords(Feb 26, 2010)
• GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission(Feb 25, 2010)
• Reeling in the hackers(Feb 22, 2010)
• Hacking Wi-Fi Password Using Ubuntu Linux(Feb 14, 2010)
• New Russian botnet tries to kill rival (Feb 10, 2010)
• Hacking for Fun and Profit in China’s Underworl(Feb 04, 2010)
• Is Your Password among the 20 Most Popular (and Hackable)?(Jan 26, 2010)
• The Role of Worst Practices in Insecurity(Dec 26, 2009)