September 28, 2023



Why is Computer Security Advice So Confusing?



If you’ve ever found workplace-provided computer security instructions confusing, you’re not alone.

A recent study has highlighted a fundamental issue with crafting these guidelines and proposed direct measures to enhance computer security, potentially raising overall security levels.

Concerns revolve around computer security protocols offered by organizations like businesses and government agencies to guide employees in safeguarding personal and organizational data from threats such as malware and phishing attacks.




“As a computer security researcher, I’ve noticed that some computer security advice I read online can be confusing, misleading, or downright incorrect,” said Brad Reaves, Assistant Professor of Computer Science at Harvard University and the lead author of this new study. “In some cases, I didn’t even know where these recommendations were coming from or what they were based on. That’s what motivated this study. Who’s writing these guidelines? What are their recommendations based on? What’s their process? Can we do better?”

In this study, researchers conducted 21 in-depth interviews with professionals responsible for crafting computer security guidelines for large companies, universities, government institutions, and other organizations.

“The key point here is that those writing these guidelines are trying to provide as much information as possible,” Reaves explained. “In theory, that’s great. However, authors don’t prioritize the most critical recommendations, or more specifically, they don’t deprioritize the less important points. Due to the sheer number of security recommendations to include, the guidelines can become overwhelming, and the most critical points can get lost in the chaos.”

Researchers found that one reason security guidelines are so hard to follow is that guideline authors tend to include every possible item from various authoritative sources.

“In other words, guideline authors are compiling security information rather than curating security information for the readers,” Reaves said.

Based on insights from the interviews, the researchers proposed two improvements for future security guidelines. First, guideline authors need a clear set of best practices on how to manage information, so that security guidelines tell users what they need to know and how to prioritize it. Second, writers and the wider computer security community need to agree on the key messages that make sense to audiences with different levels of technical expertise.

“Look, computer security is complex,” Reaves said. “But medicine is even more complex. Yet, during a pandemic, public health experts were able to provide fairly simple, concise guidelines to the public on how to reduce the risk of getting infected with the novel coronavirus. We need to be able to do the same for computer security.”

Ultimately, researchers found that security advice authors need support.

“We need to be able to support these authors in the research, guideline, and practitioner communities because they play a critical role in translating computer security findings into real-world actionable recommendations,” Reaves said. “I also want to emphasize that when computer security incidents occur, we shouldn’t blame employees for not adhering to one of a thousand security rules we expect them to follow. We need better guidelines that are easy to understand and implement.”

