So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (Microsoft, PDF) — To make this concrete, consider an exploit that affects 1% of users annually, and they waste 10 hours clearing up when they become victims. Any security advice should place a daily burden of no more than 10/(365 * 100) hours or 0.98 seconds per user in order to reduce rather than increase the amount of user time consumed. This generated the profound irony that much security advice … does more harm than good. (via Greg Linden)