Cormac Herley on the Cost of User Effort in Applying Security Policies

Excellent insight from Microsoft researcher Cormac Herley, in his analysis of security advice "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (PDF):

7.3 User Effort is not Free

In addition to overestimating benefits, advice almost always ignores the cost of user effort. The incremental cost of forcing users to choose an 8-character strong password, as opposed to allowing a 6-digit PIN, is hard to measure, but is certainly not zero. And ignoring it leads to a failure to understand the rational and predictable nature of user response.

There are about 180 million online adults in the US. At twice the US minimum wage one hour of user time is then worth $7.25×2×180e6 = $2.6 billion. A minute of user time per day is a $7.25 × 2 × 180e6 × 365/60 = $15.9 billion per year proposition. This places things in an entirely new light. We suggest that the main reason security advice is ignored is that it makes an enormous miscalculation: it treats as free a resource that is actually worth $2.6 billion an hour. It’s not uncommon to regard users as lazy or reluctant. A better understanding of the situation might ensue if we viewed the user as a professional who bills at $2.6 billion per hour, and whose time is far too valuable to be wasted on unnecessary detail. Echoing Adams and Sasse [21] we might say: the user is your boss’s boss’s boss. This would help ensure that we ask for a minute of user time (the boss’s) only when absolutely necessary.