If you find the computer security guidelines you get at work confusing and not very useful, you are not alone. A new study sheds light on a major problem with how these guidelines are created, and outlines simple steps that would improve them, and possibly make your computer safer.
At issue are the computer security guidelines that organizations such as businesses and government agencies provide to their employees. These guidelines are generally designed to help protect employees’ personal and employer data and mitigate risks associated with threats such as malware and phishing scams.
“As a computer security researcher, I’ve noticed that some of the computer security advice I read online is confusing, misleading, or just downright wrong,” says Brad Reeves, corresponding author of the new study and assistant professor of computer science at North Carolina State University. “In some cases, I don’t know where the advice is coming from or what it is based on. That was the inspiration for this research. Who is writing these guidelines? What are they basing their advice on? What is their process? Is there any way we can do better?”
For the study, the researchers conducted 21 in-depth interviews with professionals who are responsible for writing computer security guidelines for organizations including large corporations, universities and government agencies.
“The key thing here is that the people who write these guidelines try to provide as much information as possible,” says Reeves. “This is great in theory. But the authors don’t prioritize the advice that’s most important. Or, more specifically, they don’t prioritize the points that are significantly less important. And because there’s so much safety advice to include, the guidelines can become overwhelming — and the most important points get lost in the shuffle.”
The researchers found that one reason why security guidelines are so overwhelming is that guideline authors tend to include everything possible from a variety of authoritative sources.
“In other words, the guideline authors are compiling safety information for their readers, rather than prescribing it,” Reeves says.
Based on what they learned from the interviews, the researchers developed two recommendations for improving future security guidelines.

First, guideline authors need a clear set of best practices for organizing information, so that security guidelines tell users what they need to know and how to prioritize it.

Second, writers and the computer security community as a whole need a set of key messages that are meaningful to audiences of varying levels of technical ability.
“Look, computer security is complicated,” says Reeves. “But medicine is even more complex. Yet during the pandemic, public health experts were able to give the public fairly simple, concise guidelines on how to reduce our risk of COVID infection. We need to be able to do the same for computer security.”
Ultimately, the researchers found that security advice writers needed help.
“We need research, guidelines, and communities of practice that can support these authors, because they play a vital role in turning computer security discoveries into practical advice for real-world application,” says Reeves.
“I also want to emphasize that when a computer security incident occurs, we shouldn’t blame an employee because they didn’t follow one of the thousands of security rules we expected them to follow. We need to do a better job of creating guidelines that are easy to understand and apply.”
The study, "Who comes up with this stuff? Interviewing authors to understand how they prepare security advice," will be presented at the USENIX Symposium on Usable Privacy and Security (SOUPS), which is being held August 6-8 in Anaheim, California.

More information:

Study brief: www.usenix.org/conference/soup…23/presentation/nil

Citation: Why computer security advice is more confusing than expected (2023, 25 July). Retrieved 25 July 2023.