Normal users are usually not good at making decisions about cybersecurity, being easily attacked by hackers. Quite a few tools have been devised and implemented to help, but they can not balance security and usability well. To solve the problem, this paper explores the application of prospect theory to security recommendations. We conducted online surveys (n=61) and a between-subjects experiment (n=106) in six conditions to investigate the issues. In the experiment, we provided different security recommendations about two-factor-authentication (2FA) to participants in different conditions and recorded their decisions about enabling it. Results show that participants in the condition "Disadvantage" were willing to adopt 2FA the most. The findings indicate that showing disadvantages can be useful to persuade users into better security decisions.