Great post from rsnake, pointing out a Microsoft Research paper (So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users) on how security advice often does more harm than good. http://ha.ckers.org/blog/20100317/effectiveness-of-user-training-and-security-products-in-general/
I have always disagreed with password policies. There is no gain to most strict password policies over a passphrase, and they have lots of negative effects (usually because the user can’t remember the password). Requiring a password on a home computer that doesn’t need to be protected from physical access is a total waste.
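To put a number on that comparison, here is an added example (not from the post or the paper): it counts, by inclusion-exclusion, the space of 8-character passwords that satisfy a policy requiring a lower-case, an upper-case, a digit and a symbol character, and compares it in bits with a Diceware-style passphrase. The character-class sizes, the 7776-word list and the assumption that users choose uniformly at random are assumptions of the example.

```python
import math
from itertools import combinations

# Character-class sizes for a typical "complex password" policy; these
# counts are an assumption of this example, not figures from the post.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def strict_policy_space(length, required=tuple(CLASS_SIZES)):
    """Number of strings of `length` characters over the union of all
    classes that contain at least one character from EVERY required
    class, computed by inclusion-exclusion over the classes left out."""
    total = sum(CLASS_SIZES.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = total - sum(CLASS_SIZES[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def bits(space):
    """Entropy in bits of a uniformly random pick from `space` choices."""
    return math.log2(space)


def passphrase_space(words, wordlist_size=7776):
    """Passphrase of `words` words drawn uniformly from a wordlist;
    7776 is the size of the standard Diceware list (assumed here)."""
    return wordlist_size ** words


def compare(policy_length=8, words=5):
    """Compare a class-rule policy, the same length with no class rule,
    and a passphrase, all in bits of entropy under uniform choice."""
    strict = bits(strict_policy_space(policy_length))
    loose = bits(sum(CLASS_SIZES.values()) ** policy_length)
    phrase = bits(passphrase_space(words))
    return {"strict_policy_bits": round(strict, 1),
            "no_policy_bits": round(loose, 1),
            "passphrase_bits": round(phrase, 1)}


if __name__ == "__main__":
    print(compare())
```

The class rule slightly shrinks the space for a given length (about 51.3 bits against 52.4 bits for 8 characters), while five Diceware words give about 64.6 bits even before accounting for how predictably people satisfy complexity rules.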
But I didn’t hear anything about deterrence. Following security advice, or even the fact that some of us do, prevents many attacks from happening because they wouldn’t work, might not work, or the attacker isn’t willing to risk even a small chance that they won’t work. If we dropped our guard (browsers stopped warning about invalid certificates, people stopped looking out for phishing emails…), it would be idiotic to assume that attacks would not increase. How much would they increase? That’s the real question to be answered.