Why the Overwhelming Complexity of Computer Security Advice is Undermining User Protection

The Problem with Computer Security Guidelines

A recent study conducted by researchers at North Carolina State University highlights a key problem with computer security guidelines provided by organizations: they are often confusing, overwhelming, and not very useful for employees. These guidelines are designed to help individuals protect personal and employer data and minimize risks associated with threats such as malware and phishing scams. However, the study reveals that the guidelines fail to prioritize the most important advice, leading to crucial information being lost in the shuffle.

In conducting the study, the researchers interviewed professionals responsible for writing computer security guidelines for various organizations. They discovered that guideline writers often compile security information from a wide range of sources without curating it for their readers. As a result, the guidelines become overwhelming, incorporating every possible item and making it difficult for users to identify the most critical points.

Improving Computer Security Guidelines

Based on their findings, the researchers propose two recommendations for improving future security guidelines:

1. Set clear best practices for curating information

Guideline writers need a clear set of best practices on how to curate information effectively. This involves selecting and presenting the most important advice in a way that helps users understand its significance and prioritize their actions accordingly. By focusing on the essential information, the guidelines can become more concise and user-friendly.

2. Create key messages for different audience levels

The computer security community, including guideline writers, should develop key messages that make sense to audiences with varying levels of technical competence. This ensures that the guidelines are accessible and understandable to all employees, irrespective of their computer literacy. By simplifying complex concepts, the guidelines can become more actionable and impactful.

Comparing Computer Security to Public Health Guidelines

Brad Reaves, the corresponding author of the study and an assistant professor of computer science at North Carolina State University, draws a comparison between computer security guidelines and public health guidelines during the pandemic. He argues that despite the complexity of medicine, public health experts managed to provide concise and straightforward guidelines to reduce the risk of contracting COVID-19. Reaves emphasizes the need for the computer security field to follow a similar approach, ensuring that guidelines are easy to understand and implement.

The Need for Support and Understanding

The study concludes by highlighting the critical role of guideline writers in translating computer security research into practical advice for real-world application. It emphasizes the importance of research, guidelines, and communities of practice that can support these writers in their efforts. The researchers also stress the need to avoid blaming employees in the event of a computer security incident, recognizing that complex and overwhelming guidelines can undermine compliance. Instead, efforts should be focused on creating guidelines that are clear, concise, and user-friendly.

The study, titled “Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice,” will be presented at the USENIX Symposium on Usable Privacy and Security. The research was conducted by Lorenzo Neil, a Ph.D. student at NC State, along with co-authors Harshini Sri Ramulu of George Washington University and Yasemin Acar of Paderborn University and George Washington University.
