End User Security: Why Bother?

According to some new research, that's precisely the reason end users don't trouble themselves with strong passwords and safe surfing practices. The risks they believe they're exposed to just don't outweigh the annoyances security imposes.

The sure-to-be-controversial research, charging that users don't feel any safer when being secure than when not, comes from Cormac Herley, whose day job is as a Microsoft researcher, but who stresses that these findings are his own, and not the company's.

The insights Herley offers certainly seem to ring true -- for all of the buzz and media excitement/hype over security risks, most users simply haven't experienced the kinds of breaches or exploits that reinforce the value of the practices IT security (and security bloggers and consultants!) argue for.

Herley's point -- not that there's no good reason for strong passwords, say, but that the user doesn't perceive the good reason -- is compelling and a reminder, once more, of what a poor job has been done when it comes to explaining not only security practices but also the reason for them.

Herley's excellent paper, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users," can be found here, and is well worth reading.
