Sally Smoczynski, a contributing writer for this website, recently read a story about a Google-sponsored survey report that attempted to compare and contrast responses from security experts and non-expert Internet users regarding what they do to stay safe online.
Given that you can find more online security tips in a few seconds than you could use in a lifetime, and given that hacks and breaches continue to be a security threat for everyone using the Internet, Smoczynski was convinced that the results of this survey would be helpful to both her clients and the readers of this website.
At the heart of a new paper called “‘…no one can hack my mind’: Comparing Expert and Non-Expert Security Practices”, Smoczynski states, you will find the results of two Google-sponsored surveys, covering 231 security experts and 294 web users who aren’t security experts, which sought to compare and contrast responses from the two groups and better understand the differences and why they may exist.
This information was posted recently on the Google Online Security Blog by the authors of that new paper: Iulia Ion, Software Engineer; Rob Reeder, Research Scientist; and Sunny Consolvo, User Experience Researcher at Google.
Experts’ and non-experts’ top 5 security practices
As a partial summary, here are experts’ and non-experts’ top security practices, according to that study.
Common ground: careful password management
Clearly, careful password management is a priority for both groups. But they differ in their approaches.
Security experts rely heavily on password managers, services that store and protect all of a user’s passwords in one place. Experts reported using password managers, for at least some of their accounts, three times more frequently than non-experts. As one expert said, “Password managers change the whole calculus because they make it possible to have both strong and unique passwords.”
On the other hand, only 24% of non-experts reported using password managers for at least some of their accounts, compared to 73% of experts. Our findings suggested this was due to lack of education about the benefits of password managers and/or a perceived lack of trust in these programs. “I try to remember my passwords because no one can hack my mind,” one non-expert told us.
Key differences: software updates and antivirus software
Despite some overlap, experts’ and non-experts’ top answers were remarkably different.
35% of experts and only 2% of non-experts said that installing software updates was one of their top security practices.
Experts recognize the benefits of updates—“Patch, patch, patch,” said one expert—while non-experts not only aren’t clear on them, but are concerned about the potential risks of software updates.
A non-expert told us: “I don’t know if updating software is always safe. What [if] you download malicious software?” and “Automatic software updates are not safe in my opinion, since it can be abused to update malicious content.”
Meanwhile, 42% of non-experts vs. only 7% of experts said that running antivirus software was one of the top three things they do to stay safe online.
Experts acknowledged the benefits of antivirus software, but expressed concern that it might give users a false sense of security since it’s not a bulletproof solution.
In the immediate term, the authors (listed above) “… encourage everyone to read the full research paper, borrow experts’ top practices, and also check out our tips for keeping your information safe on Google.”
More broadly, they also go on to state, “… our findings highlight fundamental misunderstandings about basic online security practices. Software updates, for example, are the seatbelts of online security; they make you safer, period. And yet, many non-experts not only overlook these as a best practice, but also mistakenly worry that software updates are a security risk.
No practice on either list—expert or non-expert—makes users less secure. But, there is clearly room to improve how security best practices are prioritized and communicated to the vast majority of (non-expert) users. We’re looking forward to tackling that challenge.”
Our staff agrees with the authors of this paper and thanks Sally Smoczynski for bringing this information, and this risk-management-sensitive topic, to the attention of our readers.