3 If Only Users Would “Get It”

DOI: 10.1201/9781003380962-3

Why Won’t They Listen?

Users…

Practitioners tend to be puzzled when users don’t behave in line with expectations. Surely if people are given a logical argument and shown the importance of security, then that will shape their behaviour? The counter-argument from Herley [1] is that the behaviour of users is perfectly rational; they reject security advice because it burdens them with additional effort for no apparent benefit.

The usual reaction from the security community is to add in more restrictive technology (thereby increasing the burden on the user) and in parallel, to “educate” the user through mandatory training. Typically, the approach is based on a model of knowledge, attitudes ...
