The Rational Rejection of Security Advice by Users - mrduncan
http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

======
epochwolf
tl;dr ->

 _...The cost-benefit tradeoff for most security advice is simply unfavorable:
users are offered too little benefit for too much cost. Better advice might
produce a different outcome. This is better than the alternative hypothesis
that users are irrational._

------
fnid2
Every email I get with a url in it gets hovered over to examine the target of
the link in the status bar. I'll never click a link without examining where it
goes. This is why I very rarely click shortened urls, because I don't know
where they go. It is also one of my pet peeves with flash plugins, because I
can't right-click on them and see where the content is coming from; of course,
if it is in my browser, it's already too late.

It may not be in the best interest of my time, mathematically, but I won't
stop examining urls. For my internet databases behind websites, I always use
random strings for the name of the db, the usernames, and the passwords. I
never need to type them directly, so they can be extremely complicated, long,
and _nearly_ impossible to remember.

I want to reduce the risk that someone can associate www.somesite.com with the
database behind it. If they do that, then they also have to figure out the
weird username and pass. But if the database behind somesite.com is
somesite_db and the user is somesite_user, then I'm already in trouble.
Instead, somesite.com is backed by a database called 3ksxi32kkk329 with a
username of 2391kkxkw329049 and a password of
asdlkfjl2k3j2ol3iosioci923002309899
__*7232$!939120012klk3129x9d923lsd923lse923lll212--0342lsiii

~~~
epochwolf
I think you missed the point. I would assume most people on hacker news know
how to read urls and do it on a daily basis. For you the cost of finding where
a link goes is minimal.

Most people elsewhere do not know how to read urls. Their cost for learning to
read urls and remember how to find out where a link goes is higher than they
are willing to pay and statistically more expensive than not doing so, despite
the risks!

~~~
mechanical_fish
_Most people elsewhere do not know how to read urls_

True, and probably an understatement. Many people, perhaps even most of them,
don't know what a URL is, let alone how to interpret its components.

These are the people whose ultimate means of navigating to something is to
type its name, or something like its name, into the browser search box.
Assuming they pay any attention to URLs at all, they presumably treat (e.g.)
the "www.mcdonalds.com" that they see on a print ad as a special magic keyword
that can be typed into Google. And so it is.

------
mrcharles
This is a very interesting whitepaper and makes a lot of sense. Worth reading,
especially around here.

The person to innovate in a way that capitalizes on this research is going to
make a lot of money.

~~~
eru
> The person to innovate in a way that capitalizes on this research is going
> to make a lot of money.

Isn't this the very definition of `capitalize'?

------
bediger
Does this paper represent one of those "Only Nixon could go to China" moments?