Security advice doesn't offer security. It offers to reduce, by an unknown amount, the unknown risk of harm.

The cost side of the ledger is the clearer: Choose strong passwords, pay attention to incomprehensible security warnings, read URLs, etc.

Worse, the burden is growing. There are many threats and there's just too much stuff to do. What of the benefits? The worst-case analysis that security excels at says nothing about the questions that users care about. What are my chances of being hacked, and how much do they improve if I choose a stronger password? If I ignore this popup how likely is it that something bad happens? How much of this stuff is happening anyway?

We ask a lot of users, but on these perfectly reasonable questions we are silent. Thus, the effort is definite and ongoing, but the benefit is uncertain.

That the benefit is greater than the cost has been asserted or assumed rather than shown. This is our failure, not theirs.

– Cormac Herley, principal researcher, Microsoft
I'd argue the primary reason users, especially those in corporate environments, don't follow security advice is an underlying belief that IT security shouldn't be their job. I've commented before that security advice suffers from ‘user-friendliness’ issues: It's too technical, boring, overhyped and so on. But given a choice, I suspect users don't want more or better security education. Instead, they'd want programs with security seamlessly and unobtrusively incorporated, so that users aren't distracted from their primary task.

Unfortunately, users are often forced (by availability or workplace policies) to depend on insecure programs, despite knowing that doing so leaves them vulnerable. To add insult to injury, security advice tends to foist the burden of maintaining security on the (already overtaxed) user, which is perceived as “passing the buck.” And like most unwelcome obligations, it's not always handled well. I'd say this isn't a failing in the user's behavior. It's a failing in IT security to meet the user's needs.

– Alia Hilyati, technical writer/editor, F-Secure Labs