So long, and no thanks for the externalities: The rational rejection of security advice by users

Principal Microsoft Researcher Cormac Herley argues users’ rejection of security procedures is often entirely rational as the expected benefits of following security advice are often outweighed by the expected costs.