[dundee] Are Users Right In Rejecting Security Advice?

Rick Moynihan rick.moynihan at gmail.com
Thu Mar 18 13:21:06 UTC 2010


On 18 March 2010 07:50, Robert Ladyman <it at file-away.co.uk> wrote:
> OK, I've read the paper and its main claim is that users are not being stupid
> in ignoring security advice, as the economic cost to them of complying with
> security advice (sum delta-benefit) is massively greater than the possible
> losses (sum delta-cost): unfortunately, this assumes that users actually
> calculate this (which is economist-nonsense) - the paper's phrase is "We argue
> that users’ rejection of the security advice they receive is entirely rational
> from an economic perspective." It might be mathematically rational ('scuse the
> pun) but I doubt that users are actively calculating this ratio (I have no
> evidence for that doubt, but I also see no evidence cited for the opposite
> claim).

People always make decisions on the basis of incomplete information,
and no matter how informed you are you could always be more so...  So
in one regard the users' perspective is rational (on the basis of their
existing limited knowledge).  YES, this is largely tantamount to
burying their heads in the sand, but users when presented with
security advice see it as an inconvenience to an unknown and
unquantifiable threat...

Anyway my point is that they may be informally making this calculation
and just seeing the 'considerable inconvenience' the proposed security
solution brings...  Merely doing the work to better understand the
threats to better calculate the trade-off is a lot to ask!

How we solve these issues, I don't know...  I suspect the answer is in
building persuasive systems that encourage users to do the right
thing...  How we can engineer them so it's hard for the bad guy to
trick them into doing the wrong thing is an open question.  I can't
see us ever "educating users" on a broad enough scale, so this
responsibility must be adopted as much as possible elsewhere... within
the systems and interfaces themselves.

Anyway I've not read the article or paper (just your comments), so my
points are obviously "valid" ;-)

R.
