Most computer users are aware of online security threats, but their lack of expertise in computer security leads them to rely on advice. This advice can vary greatly, causing confusion among the general public regarding how they should best protect themselves online. Additionally, users often ignore or circumvent these safeguards if they are time-consuming or require a great deal of effort, which leaves them vulnerable to attack.
Ion et al. studied this issue by conducting a survey of security experts and non-experts to determine the security practices that they follow and deem effective. While most users take precautions to protect themselves from attackers, the practices they employ might not be effective and don’t match the practices used by experts who understand computer security in greater detail. Furthermore, while experts may consider some practices more effective than others, there is still a question of whether users will actually comply with them.
A two-stage survey was conducted to determine the security practices that are deemed most effective and to investigate whether these practices are actually followed. In the first stage, researchers interviewed security experts who each have at least 5 years of experience working in computer security. These interviews determined the top 3 pieces of security advice they would give to a non-tech-savvy user and the responses were used to generate questions for the second stage. An online survey was then conducted of 231 security experts and 294 non-experts, posing the question: “What are the 3 most important things you do to protect your security online?“ A variety of additional questions were also asked to determine their views on common security practices and whether they employ these practices in their everyday computer usage.
While both groups agree that using strong passwords is an effective security practice, results show that there is a significant difference between their views on other practices. The most commonly mentioned practices by experts were the least common among non-experts and vice versa. The discord between the security practices of experts and non-experts suggests that there is significant room for improvement when providing security advice and that most users are not as safe against online attacks as they may think, despite their precautions.
Top Security Practices from Experts | Top Security Practices from Non-Experts | ||
Practice |
Non-Expert View of Practice |
Practice |
Expert View of Practice |
Install updates |
Distrust in update mechanism; Reluctance to introduce changes |
Use antivirus |
Simple to use; |
Use password manager |
Distrust in password software |
Visit only known websites |
Not realistic |
Organizations and experts who are trusted to provide sound security advice need to ensure that their advice is up-to-date and effective against current malware. It is important to consider the benefit vs. effort ratio to ensure that their recommendations provide the most security benefits without requiring great effort on the part of the user. Security practices are not practical if users do not trust them or do not find them usable. In addition, those creating security tools need to account for usability and user trust when designing their software to increase adoption by the general public.
Security experts need to better identify practical best practices for their users and the general public.