Users Rejecting Security Advice, Rational?

As seen on Slashdot, researchers have different ideas as to why people fail to use security measures.  Some believe that regardless of what happens, users will only do the minimum required.  Others believe security tasks are rejected because users consider them to be a pain.  A third group maintains user education is just not working.

Microsoft Research’s Cormac Herley offers a different viewpoint.  He contends that user rejection of security advice is based entirely on the economics of the process.  Here is Dr. Herley’s paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).

My personal theory?  -=[Caution – Unbiased Opinion may not be suitable for all audiences]=-   Users reject security advice because accepting it would also involve accepting responsibility and accountability for errors, omissions, mistakes and breaches.  Smells like liability.  The populace is like water, happily taking the path of least resistance and the most shortcuts possible to get to where they would like to go.  Fences, like rules and standards, are just obstacles to be overcome, especially if they keep the dedicated lemmings from quickly discovering the edge of the cliff and the bottom of the canyon.  Now there’s a white paper.  :)