

The Rational Rejection of Security Advice by Users [pdf] - blasdel
http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf#

======
blasdel
_Looking at various examples of security advice we find that the advice is
complex and growing, but the benefit is largely speculative or moot. For
example, much of the advice concerning passwords is outdated and does little
to address actual threats, and fully 100% of certificate error warnings appear
to be false positives. Further, if users spent even a minute a day reading
URLs to avoid phishing, the cost (in terms of user time) would be two orders
of magnitude greater than all phishing losses._

~~~
jrp
1) I do remember a post a while back where a Firefox user submitted a bug
report due to actually encountering a MITM attack, so not 100% are false
positives. (the post: <http://news.ycombinator.com/item?id=353376> )

2) A minute a day may outweigh the phishing losses, but who says you need to
spend a minute? My browser has warned me once in the past 4 months about a
possible phishing site, so I spent something like 1 minute in 120 days to
check it out.

