Users Rejecting Security Advice Considered Rational
WeeBit writes "Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working. [Microsoft Research's Cormac] Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process." Here is Dr. Herley's paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).
Yes. Yes they are.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
They feel they're not a valuable enough target, but are they right? Maybe - it's hard to say for sure. But what's the cost of being wrong? For a smallish salon, almost definitely enough to put them entirely out of business.
How the heck do you figure that? My bank, MY GODDAMN BANK, got hacked and lost thousands of MasterCard numbers to the web. They issued new cards and sent a letter reminding everyone how they weren't liable for debit transactions made on stolen numbers.
This falls under the advice of TFA; you need to back up your claims with real data.
Security people are a bit like doctors. It's not really up to the patient to tell the doctor how to do their job, in most cases.
Amen. Security people are like doctors - charging way too much for things people can mostly do for themselves. "That's a virus, go home and wait it out: $125, please." And it is absolutely the patient's job to manage their own care and control their own costs.
Your opinion is EXACTLY what's wrong with healthcare today.
Witness the whole autism-vaccine BS.
My six year old son is autistic. You have no idea what you're saying. You have no idea what causes autism and have no idea how desperate a parent is for answers, solutions, or even a little respite care. I'd rather my son get measles than continue to have autism, and you are absolutely not qualified to opine on his quality of life with zero education or information on this matter. If you want to know more, you can ask for it, but the level of ignorance you're displaying is repugnant, you insensitive clod.
In both professions, the customer can override the professional advice, but it's not a good idea.
Carrying the analogy a bit further: Reasonable security is a bit like a prostate exam. It's easy and straightforward, a little unpleasant, and entirely unnecessary until it saves your life. Is it rational to forgo a prostate exam because "why would I need a prostate exam? I don't have cancer"?
That's a good example. Please look up the recent study as to how breast cancer exams are costing billions of unnecessary dollars annually. It was determined that the costs for all the exams outweigh the costs of treating the disease in nearly all cases. Look it up.
You're only "Insightful" 'cause you're on Slashdot. In the real world, they'd point out all the stuff you can't do on Linux, like print a photo. And somebody like me would point out that I've never had to reinstall Windows on this computer and the only security measure I took was getting rid of Norton and installing a real antivirus. And that alone is going to get me modded away again. But you know I'm right.
We've done the experiment on a massive scale and the results continually come back (and are even repeated here on Slashdot with depressing frequency, as it really shouldn't be news any more) with high confidence:
Bullshit! There's no way you gave one group a placebo, another the vaccine, and induced autism in a third group. There's no way, NO WAY, you have reached any kind of repeatable experimental certainty in human beings.
You're lying already, either to prop yourself up or shore up a weak argument, but either way I'm done reading what you have to say.