CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
NSPW '96 Proceedings of the 1996 workshop on New security paradigms
Communications of the ACM
Password security: a case history
Communications of the ACM
Why Information Security is Hard - An Economic Perspective
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
The user non-acceptance paradigm: INFOSEC's dirty little secret
NSPW '04 Proceedings of the 2004 workshop on New security paradigms
The battle against phishing: Dynamic Security Skins
SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
User-Centered Security: Stepping Up to the Grand Challenge
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Do security toolbars actually prevent phishing attacks?
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
A large-scale study of web password habits
Proceedings of the 16th international conference on World Wide Web
Democratizing content publication with Coral
NSDI'04 Proceedings of the 1st conference on Symposium on Networked Systems Design and Implementation - Volume 1
The Emperor's New Security Indicators
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Milk or wine: does software security improve with age?
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Examining the impact of website take-down on phishing
Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
You've been warned: an empirical study of the effectiveness of web browser phishing warnings
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Do strong web passwords accomplish anything?
HOTSEC'07 Proceedings of the 2nd USENIX workshop on Hot topics in security
IEEE Security and Privacy
Spamalytics: an empirical analysis of spam marketing conversion
Proceedings of the 15th ACM conference on Computer and communications security
The compliance budget: managing security behaviour in organisations
Proceedings of the 2008 workshop on New security paradigms
A profitless endeavor: phishing as tragedy of the commons
Proceedings of the 2008 workshop on New security paradigms
Security and usability: the gap in real-world online banking
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
A robust link-translating proxy server mirroring the whole web
Proceedings of the 2010 ACM Symposium on Applied Computing
An evaluation of extended validation and picture-in-picture phishing attacks
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
What instills trust? a qualitative study of phishing
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Crying wolf: an empirical study of SSL warning effectiveness
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
The true cost of unusable password policies: password use in the wild
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Encountering stronger password requirements: user attitudes and behaviors
Proceedings of the Sixth Symposium on Usable Privacy and Security
Where do security policies come from?
Proceedings of the Sixth Symposium on Usable Privacy and Security
Folk models of home computer security
Proceedings of the Sixth Symposium on Usable Privacy and Security
Testing metrics for password creation policies by attacking large sets of revealed passwords
Proceedings of the 17th ACM conference on Computer and communications security
System security, platform security and usability
Proceedings of the fifth ACM workshop on Scalable trusted computing
Infringo ergo sum: when will software engineering support infringements?
Proceedings of the FSE/SDP workshop on Future of software engineering research
An analysis of rogue AV campaigns
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Proceedings of the 2010 workshop on New security paradigms
A billion keys, but few locks: the crisis of web single sign-on
Proceedings of the 2010 workshop on New security paradigms
Proceedings of the 2010 workshop on New security paradigms
A risk management process for consumers: the next step in information security
Proceedings of the 2010 workshop on New security paradigms
This is your data on drugs: lessons computer security can learn from the drug war
Proceedings of the 2010 workshop on New security paradigms
Information security governance: integrating security into the organizational culture
Proceedings of the 2010 Workshop on Governance of Technology, Information and Policies
A field study of user behavior and perceptions in smartcard authentication
INTERACT'11 Proceedings of the 13th IFIP TC 13 international conference on Human-computer interaction - Volume Part IV
Improving computer security dialogs
INTERACT'11 Proceedings of the 13th IFIP TC 13 international conference on Human-computer interaction - Volume Part IV
Digital identity security architecture in Ethos
Proceedings of the 7th ACM workshop on Digital identity management
The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Applying problem-structuring methods to problems in computer security
Proceedings of the 2011 workshop on New security paradigms workshop
Influencing mental models of security: a research agenda
Proceedings of the 2011 workshop on New security paradigms workshop
The security cost of cheap user interaction
Proceedings of the 2011 workshop on New security paradigms workshop
What makes users refuse web single sign-on?: an empirical investigation of OpenID
Proceedings of the Seventh Symposium on Usable Privacy and Security
When information improves information security
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
SignatureCheck: a protocol to detect man-in-the-middle attack in SSL
Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research
SP'11 Proceedings of the 19th international conference on Security Protocols
It's all about the benjamins: an empirical study on incentivizing users to ignore security advice
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Certified lies: detecting and defeating government interception attacks against SSL (short paper)
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Practical realisation and elimination of an ECC-Related software bug attack
CT-RSA'12 Proceedings of the 12th conference on Topics in Cryptology
Investigating the distribution of password choices
Proceedings of the 21st international conference on World Wide Web
Rational security: Modelling everyday password use
International Journal of Human-Computer Studies
Stories as informal lessons about security
Proceedings of the Eighth Symposium on Usable Privacy and Security
Exploration and field study of a password manager using icon-based passwords
FC'11 Proceedings of the 2011 international conference on Financial Cryptography and Data Security
How does your password measure up? the effect of strength meters on password creation
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Why trust seals don't work: a study of user perceptions and behavior
TRUST'12 Proceedings of the 5th international conference on Trust and Trustworthy Computing
You only live twice or "the years we wasted caring about shoulder-surfing"
BCS-HCI '12 Proceedings of the 26th Annual BCS Interaction Specialist Group Conference on People and Computers
Short paper: smartphones: not smart enough?
Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Turtles all the way down: a clean-slate, ground-up, first-principles approach to secure systems
Proceedings of the 2012 workshop on New security paradigms
Tapas: design, implementation, and usability evaluation of a password manager
Proceedings of the 28th Annual Computer Security Applications Conference
Preventing the revealing of online passwords to inappropriate websites with LoginInspector
LISA'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques
Attribute Decoration of Attack-Defense Trees
International Journal of Secure Software Engineering
Interleaving tasks to improve performance: Users maximise the marginal rate of return
International Journal of Human-Computer Studies
Exploring capturable everyday memory for autobiographical authentication
Proceedings of the 2013 ACM international joint conference on Pervasive and ubiquitous computing
CASA: context-aware scalable authentication
Proceedings of the Ninth Symposium on Usable Privacy and Security
Confused Johnny: when automatic encryption leads to confusion and mistakes
Proceedings of the Ninth Symposium on Usable Privacy and Security
Modifying smartphone user locking behavior
Proceedings of the Ninth Symposium on Usable Privacy and Security
Measuring password guessability for an entire university
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Proceedings of the 2013 workshop on New security paradigms workshop
Can we sell security like soap?: a new approach to behaviour change
Proceedings of the 2013 workshop on New security paradigms workshop
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice, we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.