That, West wrote, is because the rewards of convenience are immediate and tangible, while those for security are abstract and intangible, even though the potential inconvenience and cost if a user is hacked is vastly greater.
Hall’s colleague at the CDT, Katharina Kopp, director of privacy and data, believes it is not simply a matter of delayed or abstract gratification. She believes it is because security is time consuming and complicated.
“I cannot think of many areas in our modern times where we ask so much of consumers,” she said. “In the automobile or pharmaceutical markets, for example, it is perfectly understood that we don't expect individual consumers to be experts and build in all the safeguards.”
Katharina Kopp, director, privacy and data, Center for Democracy & Technology
Hall agreed in part. While consumers don’t need to build their own security tools, he said those tools can be tough for the average consumer to use.
“I have decent control over my desktop browsing experience but it takes a lot of grooming, a lot of technical understanding, and it looks like I'm surfing in 1996, with black text on white background and few images.”
McDowell offered another example: “Many sites offer two-factor authentication as an option, but these options, such as one-time passwords from a physical security token or SMS sent to a specific mobile device in the user’s possession, are a hassle for users,” he said.
“Consumers don’t want to type in multiple passcodes to get into one account, so many either never opt-in or quickly opt-out.”
And Markus Jakobsson, security researcher, CTO and founder of ZapFraud, said another problem is that, “the connection between cause and effect is very vague to most people. What is safe to do? What is unsafe?”
He said users also tend to become fatalistic when they keep hearing of major breaches that had nothing to do with them. “When issues are outside of their control, people tend to throw up their hands, and say, ‘Why bother?’” he said.
Markus Jakobsson, security researcher, CTO and founder, ZapFraud
Kopp said online security is difficult enough that government should, as it does with many consumer products, set some “baseline requirements” for product vendors, “not just to protect individual well-being, but society as a whole.”
While not everybody agrees that government is the best entity to set standards, the somewhat good news is that there are moves in the industry toward making consumer security simpler – although it has a ways to go to reach critical mass.
Sign up for CIO Asia eNewsletters.