Is it a waste of time to change your password?

By: Anthony Gabryluk

A study by Cormac Herley, a principal researcher at Microsoft Research, has found that popular advice on how to spare users from computer attacks often costs more than it saves once the user effort and time expended are taken into account.

“Most security advice simply offers a poor cost-benefit trade-off to users,” said Herley.

Particularly dubious are the standard rules for creating and protecting website passwords. Changing them periodically is not an effective preventive step against online break-ins, for the simple reason that no criminal waits around: once a password is obtained, the breach follows in short order.

Herley also examined the validity of other advice for blocking security threats and found that, as with passwords, the benefits of these procedures are usually outweighed by what users must do to carry them out.

The real problem, Herley argues, is that users’ time is not being valued properly. He calls for advice that carries more information and less hyperbole, based on an estimate of the victimization rate for a particular security issue rather than on a worst-case risk analysis.
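The cost-benefit argument above can be made concrete with a small model. The following is an added example written for this page; it is not code from the article or from Herley's paper. Every number in it (user population, hourly value of user time, loss per victim, minutes of effort, risk reduction, and the victimization rates) is a constructed assumption chosen to illustrate the reasoning, and the two pieces of advice are stand-ins for the password-rotation and one-time-hardening advice the article discusses. The interesting output is the break-even victimization rate: the rate at which an advice's averted losses just cover the time it demands from users.

```python
"""Cost-benefit model for a piece of security advice (added example).

All figures are constructed assumptions for illustration, not measurements.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Advice:
    name: str
    minutes_per_user_per_year: float  # user effort the advice demands each year
    risk_reduction: float             # fraction of incidents the advice prevents (0..1)


# Constructed stand-ins for the two kinds of advice in the article.
# Password rotation: four changes a year at ~5 minutes each; it blocks almost
# nothing, because a stolen password is used long before the next rotation.
ROTATE_PASSWORDS = Advice("rotate passwords quarterly", 20.0, 0.02)
# One-time hardening (auto-update + firewall): 30 minutes once, amortized here
# over an assumed 5-year horizon (6 min/year); assumed to stop half of incidents.
HARDEN_ONCE = Advice("auto-update + firewall (one-time)", 6.0, 0.50)


def user_time_cost(advice: Advice, users: int, hourly_value: float) -> float:
    """Aggregate cost of the effort the advice imposes on the whole user population."""
    return users * (advice.minutes_per_user_per_year / 60.0) * hourly_value


def losses_averted(advice: Advice, users: int, victimization_rate: float,
                   loss_per_victim: float) -> float:
    """Expected losses avoided: expected victims per year, times loss, scaled by
    the share of incidents the advice actually prevents."""
    return users * victimization_rate * loss_per_victim * advice.risk_reduction


def net_benefit(advice: Advice, users: int, hourly_value: float,
                victimization_rate: float, loss_per_victim: float) -> float:
    """Positive when following the advice saves more than it costs in user time."""
    return (losses_averted(advice, users, victimization_rate, loss_per_victim)
            - user_time_cost(advice, users, hourly_value))


def break_even_rate(advice: Advice, hourly_value: float, loss_per_victim: float) -> float:
    """Victimization rate at which the advice stops costing more than it saves.
    Independent of population size: both sides scale linearly with users."""
    per_user_cost = (advice.minutes_per_user_per_year / 60.0) * hourly_value
    return per_user_cost / (loss_per_victim * advice.risk_reduction)


def compare(advice: Advice, users: int, hourly_value: float,
            estimated_rate: float, loss_per_victim: float) -> dict:
    """Evaluate one piece of advice under an estimated rate and under the
    worst-case assumption that every user is victimized (rate = 1.0)."""
    return {
        "advice": advice.name,
        "break_even_rate": break_even_rate(advice, hourly_value, loss_per_victim),
        "net_at_estimated_rate": net_benefit(advice, users, hourly_value,
                                             estimated_rate, loss_per_victim),
        "net_at_worst_case": net_benefit(advice, users, hourly_value, 1.0, loss_per_victim),
    }


if __name__ == "__main__":
    # Constructed assumptions: 1M users, $20/hour of user time, $1000 loss per
    # victim, and an estimated 1% of users victimized per year.
    for advice in (ROTATE_PASSWORDS, HARDEN_ONCE):
        result = compare(advice, 1_000_000, 20.0, 0.01, 1000.0)
        print(f"{result['advice']}: break-even rate {result['break_even_rate']:.3f}, "
              f"net at 1%/yr ${result['net_at_estimated_rate']:,.0f}, "
              f"net under worst case ${result['net_at_worst_case']:,.0f}")
```

Under these assumptions password rotation only pays off if roughly a third of all users are compromised every year, and a worst-case analysis (rate 1.0) flips its sign from a large loss to a gain, which is exactly the distortion the article warns about. The one-time hardening advice breaks even at a far lower rate because its cost is paid once and its risk reduction is large.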

What to do? Herley’s advice is to start with bullet-proof passwords, then go with other one-time measures that offer ongoing benefits, like installing the latest software to shield against viruses and spyware (set it to automatically update), as well as activating a firewall, which “functions like a moat around a castle.” Combined, such measures shouldn’t take more than 30 minutes, he said, and offer insulation from what is perhaps the biggest security menace of all: users.