[dundee] Are Users Right In Rejecting Security Advice?

Robert Ladyman it at file-away.co.uk
Thu Mar 18 07:50:34 UTC 2010


OK, I've read the paper and its main claim is that users are not being stupid 
in ignoring security advice, as the economic cost to them of complying with 
security advice (sum delta-benefit) is massively greater than the possible 
losses (sum delta-cost): unfortunately, this assumes that users actually 
calculate this (which is economist-nonsense) - the paper's phrase is "We argue 
that users’ rejection of the security advice they receive is entirely rational 
from an economic perspective." It might be mathematically rational ('scuse the 
pun) but I doubt that users are actively calculating this ratio (I have no 
evidence for that doubt, but I also see no evidence cited for the opposite 
claim).

The paper also takes the route of dividing the total individual losses by the 
user population and coming up with (for example) the average loss being 33 
U.S. cents so that any advice taking more than 2.6 minutes annually (the loss 
using minimum wages, etc.) is uneconomic. By that calculation, I suppose none 
of us should bother with locks on our doors (as the cost of an individual 
break-in divided by the population approaches zero). 

The report is U.S.-focussed and hence ignores things like DP Act compliance 
(all right, sound of my high horse galloping, I know). 

The general observation that Harry Home-owner doesn't understand many of the 
security issues is undeniable: my irony-senses were tingling, though, based on 
the source of the paper and some of the described vectors.


> I have just come across an interesting and perhaps controversial article
> on computer security and mainstream users. There is a podcast and a paper
> that can be downloaded on the subject by Cormac Herley (Microsoft). I have
> downloaded but not yet read the paper (a thousand other things to do),
> so I will leave it to the Ethical Hackers on what their opinion about the
> article is (as it is their specialist subject). I think the author of the
> article is proposing that new ways of implementing computer security and
> ways of educating mainstream users should be changed.
> 
> http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036
> 
> Gordon
> 

-- 

Robert Ladyman
File-Away Limited, 32 Church Street, Newtyle
Perthshire, PH12 8TZ SCOTLAND
Registered in Scotland, Company Number SC222086
Tel: +44 (0) 1828 898 158
Mobile: +44 (0) 7732 771 649
http://www.file-away.co.uk
