Why Computer Security Advice Is More Confusing Than It Should Be
For Immediate Release
If you find the computer security guidelines you get at work confusing and not very useful, you’re not alone. A new study highlights a key problem with how these guidelines are created, and outlines simple steps that would improve them – and probably make your computer safer.
At issue are the computer security guidelines that organizations like businesses and government agencies provide their employees. These guidelines are generally designed to help employees protect personal and employer data and minimize risks associated with threats such as malware and phishing scams.
“As a computer security researcher, I’ve noticed that some of the computer security advice I read online is confusing, misleading or just plain wrong,” says Brad Reaves, corresponding author of the new study and an assistant professor of computer science at North Carolina State University. “In some cases, I don’t know where the advice is coming from or what it’s based on. That was the impetus for this research. Who’s writing these guidelines? What are they basing their advice on? What’s their process? Is there any way we could do better?”
For the study, researchers conducted 21 in-depth interviews with professionals who are responsible for writing computer security guidelines for organizations including large corporations, universities and government agencies.
“The key takeaway here is that the people writing these guidelines try to give as much information as possible,” Reaves says. “That’s great, in theory. But the writers don’t prioritize the advice that’s most important. Or, more specifically, they don’t deprioritize the points that are significantly less important. And because there is so much security advice to include, the guidelines can be overwhelming – and the most important points get lost in the shuffle.”
The researchers found that one reason security guidelines can be so overwhelming is that guideline writers tend to incorporate every possible item from a wide variety of authoritative sources.
“In other words, the guideline writers are compiling security information, rather than curating security information for their readers,” Reaves says.
Drawing on what they learned from the interviews, the researchers developed two recommendations for improving future security guidelines.
First, guideline writers need a clear set of best practices on how to curate information so that security guidelines tell users both what they need to know and how to prioritize that information.
Second, writers – and the computer security community as a whole – need key messages that will make sense to audiences with varying levels of technical competence.
“Look, computer security is complicated,” Reaves says. “But medicine is even more complicated. Yet during the pandemic, public health experts were able to give the public fairly simple, concise guidelines on how to reduce our risk of contracting COVID. We need to be able to do the same thing for computer security.”
Ultimately, the researchers find that security advice writers need help.
“We need research, guidelines and communities of practice that can support these writers, because they play a key role in turning computer security discoveries into practical advice for real-world application,” Reaves says.
“I also want to stress that when there’s a computer security incident, we shouldn’t blame an employee because they didn’t comply with one of a thousand security rules we expected them to follow. We need to do a better job of creating guidelines that are easy to understand and implement.”
The study, “Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice,” will be presented at the USENIX Symposium on Usable Privacy and Security, being held Aug. 6-8 in Anaheim, Calif. First author of the study is Lorenzo Neil, a Ph.D. student at NC State. The paper was co-authored by Harshini Sri Ramulu of George Washington University and by Yasemin Acar of Paderborn University and George Washington University.
Note to Editors: The study abstract follows.
“Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice”
Authors: Lorenzo Neil and Bradley Reaves, North Carolina State University; Harshini Sri Ramulu, George Washington University; and Yasemin Acar, Paderborn University and George Washington University
Presented: Aug. 8, USENIX Symposium on Usable Privacy and Security, Anaheim, Calif.
Abstract: Users have a wealth of available security advice – far too much, according to prior work. Experts and users alike struggle to prioritize and practice advised behaviours, negating both the advice’s purpose and potentially their security. While the problem is clear, no rigorous studies have established the root causes of overproduction, lack of prioritization, or other problems with security advice. Without understanding the causes, we cannot hope to remedy their effects. In this paper, we investigate the processes that authors follow to develop published security advice. In a semi-structured interview study with 21 advice writers, we asked about the authors’ backgrounds, advice creation processes in their organizations, the parties involved, and how they decide to review, update, or publish new content. Among the 17 themes we identified from our interviews, we learned that authors seek to cover as much content as possible, leverage multiple diverse external sources for content, typically only review or update content after major security events, and make few if any conscious attempts to deprioritize or curate less essential content. We recommend that researchers develop methods for curating security advice and guidance on messaging for technically diverse user bases and that authors then judiciously identify key messaging ideas and schedule periodic proactive content reviews. If implemented, these actionable recommendations would help authors and users both reduce the burden of advice overproduction while improving compliance with secure computing practices.