A recent study examines how computer security guidelines are written, why they so often fall short, and what could improve them. These guidelines, issued by businesses, government agencies and other organizations, are meant to help employees protect personal and employer data and reduce exposure to threats such as malware and phishing.
The study, conducted by researchers from North Carolina State University, involved in-depth interviews with professionals responsible for creating computer security guidelines for various organizations. Brad Reaves, the corresponding author of the study and an assistant professor of computer science, expressed concern over the confusing and misleading nature of many online security advice articles. This prompted the research team to question the basis and process behind these guidelines and explore avenues for improvement.
One of the key findings of the study is that guideline writers often fail to prioritize. In trying to include as much information as possible, they let the most important advice be diluted and overshadowed by less significant points, and the sheer volume of recommendations overwhelms readers, so even the critical guidance loses its effect.
The researchers identified the practice of compiling information rather than curating it as a major cause of these overwhelming guidelines. Writers tend to merge security advice from various authoritative sources without weighing the relevance or importance of each point. As a result, users receive a long list of suggestions with no guidance on which ones matter most.
Based on their interviews, the researchers propose two recommendations for future security guidelines. First, guideline writers need a clear set of best practices for curating information so that users receive both the essential knowledge and guidance on prioritization; this means cutting the information overload and making the most crucial points stand out. Second, writers and the wider computer security community should develop key messages tailored to audiences with varying levels of technical competence. The aim is to distill complex concepts into simple guidance, much as public health experts issued concise recommendations during the pandemic to reduce the risk of contracting COVID.
Reaves emphasizes the need for support and resources to assist security advice writers, as they play a pivotal role in translating computer security discoveries into practical implementation. He also emphasizes the need to avoid blaming employees in the event of a security incident, noting that complex guidelines with numerous rules can make compliance challenging. Instead, the focus should be on creating guidelines that are easy to understand and implement.
The findings will be presented at the USENIX Symposium on Usable Privacy and Security, a leading conference in the field, where experts will have the opportunity to discuss ways to make computer security guidelines more effective and usable. The study's first author is Lorenzo Neil, a Ph.D. student at North Carolina State University; it was co-authored by Harshini Sri Ramulu of George Washington University and Yasemin Acar of Paderborn University and George Washington University.
In conclusion, the study identifies concrete shortcomings in current computer security guidelines and proposes steps to address them. By curating rather than compiling information, prioritizing the essential points, and writing clearly for readers of varying technical competence, organizations can produce guidelines that employees can actually understand and follow. Supporting the writers of security advice is equally important, since they are the ones translating research into practical guidance that reduces the risk of security breaches.
