Is the Rejection of Security Advice by Users Really Rational? A Response to Cormac Herley
In the April 11, 2010, Boston Globe, there is an extended discussion of an article by Cormac Herley of Microsoft entitled, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users." In his paper, Mr. Herley argues thoughtfully that compliance with even simple security measures, like changing your passwords, is so time-consuming that it is not worth the effort for most users.
This is an interesting argument and article (although it is a mite technical), as it poses an argument worthy of real consideration. There is no dispute that security measures do decrease productivity to some extent. The question that needs to be asked is how much does security actually impair productivity and is the cost in lost productivity less than the costs from an actual security breach?
As Mr. Herley suggests, the answers to this question are difficult, because of "externalities" -- economic costs that are visited on some people by the actions of others. His solution is not simply to reject security measures, but to analyze them and determine what works and what does not, so that it is easier to determine what measures are worth users' time and what measures do not pay off. In Mr. Herley's words, "security advice that has compelling cost-benefit trade-offs has a real chance of user adoption." This trade-off analysis is a worthy exercise for any individual and for any organization.
