What Causes the Confusion in Computer Security Guidance?

If you’ve ever found yourself puzzled by the computer security guidelines provided in your workplace, know that you’re not the only one. A recent study highlights a fundamental issue in how these guidelines are formulated and offers straightforward ways to improve them, ultimately leading to enhanced computer safety. The concern centers around the computer security protocols disseminated by institutions, including businesses and government entities, to their staff. These protocols are meant to guide employees in protecting both personal and organizational data from threats like malware and phishing attacks.

Brad Reaves, the corresponding author of the study and an assistant professor of computer science at North Carolina State University, shares, “As a computer security researcher, I’ve noticed that some of the computer security advice I read online is confusing, misleading, or just plain wrong. In some cases, I don’t know where the advice is coming from or what it’s based on. That was the motivation for this research. Who’s writing these guidelines? What is their basis for advice? What’s their process? Can we improve in any way?”

In the research, 21 in-depth interviews were conducted with professionals responsible for crafting computer security guidelines for various organizations, including large corporations, universities, and government agencies.

Reaves emphasizes, “The key insight here is that those drafting these guidelines attempt to provide a wealth of information, which is admirable in theory. However, they fail to prioritize the most crucial advice. Specifically, they don’t de-emphasize the significantly less important points. Due to the extensive security advice to be included, the guidelines become overwhelming, and the critical points are lost in the deluge.”

The researchers discovered that one contributing factor to the overwhelming nature of security guidelines is that guideline writers tend to incorporate every conceivable item from a wide range of authoritative sources. Reaves states, “In essence, the guideline writers are amassing security information rather than carefully selecting and presenting it for their readers.”

Drawing from insights gained through the interviews, the researchers propose two recommendations to enhance future security guidelines. Firstly, guideline writers need clear best practices on how to curate information, ensuring that security guidelines convey both essential knowledge and how to prioritize it. Secondly, writers, along with the broader computer security community, require key messages that resonate with audiences possessing varying levels of technical expertise.

Reaves notes, “Computer security is undeniably complex. However, medicine is even more intricate. Yet, during the pandemic, public health experts managed to provide the public with fairly simple, concise guidelines on how to reduce the risk of contracting COVID. We need to achieve the same simplicity in computer security.”

Ultimately, the researchers stress that security advice writers need support. Reaves emphasizes, “We require research, guidelines, and communities of practice that can assist these writers, as they play a pivotal role in translating computer security discoveries into actionable advice for real-world application. Additionally, when a computer security incident occurs, we should refrain from blaming an employee for not adhering to one of a thousand security rules we expected them to follow. Instead, we must improve in creating guidelines that are easily understandable and implementable.”

Reference: “Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice” by Lorenzo Neil, Harshini Sri Ramulu, Yasemin Acar, and Bradley Reaves, 6 August 2023, USENIX Symposium on Usable Privacy and Security.
