From the introduction, explaining the colourful title:

> Prior work has proposed two simplified theories of the human in the loop: a rational actor who chooses to ignore security behaviors because the costs always outweigh the potential losses, and an irrational actor who chooses “dancing pigs over security every time” because they neither understand nor care about security risks [Herley, 2009]. While these simplified models of user behavior can help to provide high-level insights, our aim is to define a more realistic medium between these two extremes: <i>a semi (or boundedly) rational security actor with predictable, but not always utility-optimal, behavior based on risks and costs.</i>