
Dancing Pigs or Externalities? Measuring Rationality of Security Decisions [pdf] - jaffee
https://arxiv.org/abs/1805.06542
======
JadeNB
From the introduction, explaining the colourful title:

> Prior work has proposed two simplified theories of the human in the loop: a
> rational actor who chooses to ignore security behaviors because the costs
> always outweigh the potential losses, and an irrational actor who chooses
> “dancing pigs over security every time” because they neither understand nor
> care about security risks [Herley, 2009]. While these simplified models of
> user behavior can help to provide high-level insights, our aim is to define
> a more realistic medium between these two extremes: _a semi (or boundedly)
> rational security actor with predictable, but not always utility-optimal,
> behavior based on risks and costs._

