I must say that I completely agree with you on this one. I think that the rationality assumption is core to economics the same way as, for instance, conservation laws are core to physics. If there is some matter or energy missing from the balance, it doesn't challenge the conservation law but our model. Similarly, if people's behavior (on a large scale) seems to defy rationality, it does not challenge the rationality assumption but rather the model that has been applied.
I would argue with Schneier's repeated assertion that our cave-man psychology is not rational in today's world: People regularly make very rational decisions based on gut feeling, which seems irrational at first glance, but is actually not. The fact that humans do not understand what and why they are doing does not mean that it is irrational. If we were regularly and predictably irrational, we wouldn't be the most populous mammal on the planet (with rats being a distant second: there are about 2 billion of them, despite their fertility rates).
It's a tough one, isn't it!?!
On the one hand, the Internet as a body rejected most of the major security models for one reason or another, and about the only one that survived in mass usage was the application-controlled username + password. Opportunistic methods (SSH, Skype) came a very distant second.
On the other hand there is this huge list of excuses to get through: the users are irrational, they aren't trained, they don't take security seriously, the GUI people aren't cooperating, the CAs aren't doing checks properly, we should make the vendors liable, the developers don't understand... all of which turn out to be bogus when examined closely.
The users were right, and (Ir)rationality is just the latest excuse in a long line of them. Studying history would show that. Psychology may help us to understand why the users got it right and the security world got it wrong, but I doubt that such can be learnt without addressing the basic flaw: "we woz wrong!"
Posted by Iang at March 9, 2007 06:16 AM

It's "Akerlof", not "Akerlov".

Posted by Daniel A. Nagy at March 9, 2007 07:02 AM

thanks, fixed.

Posted by Iang at March 9, 2007 08:36 AM

@Daniel:
Ah yes. Homo Economicus.
With advances in brain imaging and our understanding of the neurophysiology behind perceptions of risk, etc, we may be seeing the leading edge of an effective theoretical attack on some classical assumptions.
I suspect that so-called "neural economics" may induce involuntary muscular twitching among many economists (much as the research of, say, Thaler, Kahneman, or Tversky did back in the day), but the fact that this stuff is being picked up by Bruce is telling, I think.
Posted by Chris at March 9, 2007 02:11 PM

The lack of insurance jobs relates to an overlay of regulatory efforts to limit competition and I suggest the same applies to security over all. The standards are created to limit competition and protect vested interest of those in the security industry, just like they protect those in the insurance industry. Security is a feeling and not a fact because the user, as is the case in insurance, has no venue to contest the claims and premiums other than a contrived, manipulated regulatory overlay called the government at large. The issue is the inability of governmental entities to understand the complex nature of placing their foot in the pool of commerce. This total ignorance does not prevent their interest and efforts to do so. The NSA prohibition on the exportation of crypto did nothing to actually stop it. The oversight by interested governmental entities is a blind effort to placate the security industry's influence over them. This myopic relationship has real consequences that will result in the demise of private efforts at first and the general public's ability to have confidence in uses that would advance their services and desires. So who gets served by governmental entities? The constituents of the Government are highly specific and serve no purpose to governance. The simple fact is no objective review of products released for effectiveness has ever been successful. The governmental efforts in other areas fall far short; just look at the ability of the FDA to protect the public from poorly formulated uses of medicine. So we are faced with academic, governmental, and industry abuse of privilege that has been usurped using corrupt methods. How can it be secure when the purpose is designed to protect the industry rather than the public or user? The total corruption of the intent has brought us to a point where private efforts without governmental support are required and can only be vetted by private users.
We are required to disintegrate from the institutions that were previously relied upon; this includes the corrupted academic efforts that are funded by governmental entities or corporate interest in whole or part.
Posted by Jim N. at March 11, 2007 10:26 AM

This episode of Financial Cryptography has been truly entertaining. Men talking about feelings is somewhat rare. Men correlating those feelings to mathematical formulae is priceless. As a woman I feel obligated to clear this up. Feeling secure is like being in love, you are until you're not.
Posted by Anon at March 12, 2007 02:03 PM