Even if users do not read security directives, their behavior is not so catastrophic.