"Researchers have different ideas as to why people fail
to use security measures. Some feel that regardless of what
happens, users will only do the minimum required. Others believe
security tasks are rejected because users consider them to be a
pain. A third group maintains user education is not working.
"Herley offers a different viewpoint. He contends that user
rejection of security advice is based entirely on the economics of
the process. He offers the following as reasons why:
* Users understand, there is no assurance that heeding advice
will protect them from attacks.
* Users also know that each additional security measure adds
* Users perceive attacks to be rare. Not so with security advice;
it's a constant burden, thus costs more than an actual attack."