You, too, can protect your computers and online accounts like an expert! But you probably don’t, according to a study from researchers at Google presented at the Symposium on Usable Privacy and Security last week. The researchers conducted online surveys of 231 security “experts” (defined as people with at least five years of experience working in the field) and 294 non-experts, recruited through Amazon Mechanical Turk, to find out how the two groups’ security practices differed. The results showed several discrepancies in how the expert and non-expert groups protected themselves online. More strikingly, the study also suggested that protecting yourself like an expert actually requires very little expertise at all.
In an attempt to winnow down the massive amount of computer security advice out there, the survey asked respondents the open-ended question “What are the 3 most important things you do to protect your security online?” The top five responses in the expert group were: installing software updates (35 percent), using unique passwords (25 percent), using two-factor authentication (20 percent), using strong passwords (19 percent), and using a password manager (12 percent). For non-experts, the top five responses were: using anti-virus software (42 percent), using strong passwords (31 percent), changing passwords frequently (21 percent), visiting only known websites (21 percent), and not sharing personal information (17 percent). (Strong passwords are those that are difficult to guess because of their length or complexity; unique passwords are those that are used for only one account and not repeated across multiple sites.)
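The parenthetical above draws a distinction that the survey groups blur: a password can be strong without being unique (a long, complex password pasted into every site) or unique without being strong. The script below, added here as an illustration and not part of the original article or the Google study, audits a small constructed vault of (account, password) pairs for both properties separately. The strength heuristic (length, or a shorter password drawing on several character classes) is an assumed rule of thumb, not the study's definition.

```python
"""Audit credentials for the two properties the study separates:
strength (hard to guess) and uniqueness (not reused across accounts)."""
from collections import defaultdict
import string

# Constructed sample vault for demonstration; not real credentials.
SAMPLE_VAULT = [
    ("email", "Tr0ub4dor&3xample!!"),
    ("bank", "Tr0ub4dor&3xample!!"),          # strong but reused
    ("forum", "kitten7"),                      # weak but unique
    ("shop", "correct horse battery staple"),  # strong and unique
]

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def is_strong(password, min_length=12):
    """Assumed heuristic: long passwords count as strong, and shorter ones
    count only if they draw on at least three character classes."""
    classes_used = sum(
        any(ch in cls for ch in password) for cls in CHARACTER_CLASSES
    )
    if len(password) >= min_length:
        return True
    return len(password) >= 8 and classes_used >= 3


def find_reused(vault):
    """Return {password: [accounts]} for every password shared by more
    than one account, which is the 'not unique' case in the article."""
    by_password = defaultdict(list)
    for account, password in vault:
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def audit(vault):
    """Score each account on both axes independently, so a strong-but-reused
    password and a unique-but-weak one are both flagged for different reasons."""
    reused = find_reused(vault)
    return {
        account: {"strong": is_strong(password), "unique": password not in reused}
        for account, password in vault
    }


if __name__ == "__main__":
    for account, verdict in audit(SAMPLE_VAULT).items():
        flags = [k for k, ok in verdict.items() if not ok]
        print(f"{account:6s} {'ok' if not flags else 'fix: ' + ', '.join(flags)}")
```

Running it on the sample vault flags "email" and "bank" for reuse even though their shared password is strong, and flags "forum" for weakness even though its password appears nowhere else; only "shop" passes on both counts.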
Let’s set aside the question of how it’s possible that one-fifth of the non-expert computer-using population is visiting only known websites. One of the most interesting things about these findings is the implication that expert-level protection requires very little technical know-how. The practices that experts are most likely to endorse—and implement themselves—do not require an intimate knowledge of computer networking, or traffic monitoring, or malicious code. You don’t need any training in computer science or security to figure out how to install software updates or choose unique passwords. Even the slightly more sophisticated practices—two-factor authentication (i.e., using a one-time code texted to your cellphone or another credential in addition to a password to log in to an account) and password managers—are fairly straightforward and easily available even to users with relatively little tech savvy.
To protect yourself online like an expert, in other words, you don’t need to understand the Internet’s architecture or inner workings—you just need to branch out from anti-virus software. The survey suggests non-expert users are wary about programs like password managers or new software updates. But they lean heavily on anti-virus software, which 85 percent of non-experts said they used on their personal computers, compared with only 63 percent of expert respondents. Only 7 percent of experts said they considered anti-virus to be one of the top three things they do to stay safe online, compared with 42 percent of non-experts.
But when it came to installing software updates and using password managers, non-experts were much more hesitant than experts. For instance, 73 percent of experts said they used a password manager program to store their credentials for at least some of their accounts, compared with 24 percent of non-experts. And some of the non-experts said in the survey that they did not think password managers were safe and might result in their passwords being leaked. “I wouldn’t use a password manager even if it helps because I don’t trust it,” one wrote. Those fears aren’t entirely unfounded—password manager LastPass announced it had been hacked earlier this summer—but dedicated password managers are still probably more trustworthy and reliable than the alternatives (or so many of the surveyed experts seemed to feel).
Other non-experts expressed concern about downloading software updates, with one writing, “I don’t know if updating software is always safe. What if you download malicious software?” Another noted that “there are often bugs in these updates initially, that must be worked out by the software vendor.” This suspicion of new updates may be part of the reason that 25 percent of experts said they installed updates “immediately,” compared with 9 percent of non-expert respondents.
People who work in computer security (and security more generally) tend to have a reputation for being paranoid about every possible risk, so it’s striking that the non-expert population actually seems to exhibit greater paranoia around some issues—being more suspicious about the trustworthiness of a password manager, or the reliability of a new update, or the threats presented by an unknown website.
It’s possible, of course, that the expert population is less fearful of new programs and updates and websites because they have greater faith in their own ability to identify threats. Though the researchers found that the advice experts offered to less tech-savvy users mostly mirrored their own practices, there were some exceptions. For instance, many experts considered it to be good security advice not to click on links or open emails from unknown people. Yet 38 percent of expert respondents said they often clicked on links from unknown senders, compared with only 12 percent of non-experts. (One expert admitted: “I do all the time … but I tell my mother not to.”)
Paranoid or not, the computer security experts seem, in some ways, to live in less fear of the dangers of the Internet than the non-expert population. In some cases this may just be an indication of how experts and non-experts fear different threats—perhaps non-experts are more concerned about their old passwords being guessed or stolen and therefore change their passwords regularly, while the experts worry about having their passwords phished and are therefore more likely to activate two-factor authentication.
Of course, non-expert opinions about security are probably shaped to a large extent by expert ones—someone probably told them that anti-virus software and regularly changing passwords and staying away from unknown websites are important safety measures. If anything, the most popular non-expert safety measures seem to reflect the messages that the security community has most effectively communicated (whether intentionally or otherwise) to the rest of the world. That may be partly a function of how long those messages have been around—after all, we’ve been hearing about anti-virus for much longer than we have two-factor authentication—as well as the inundation of security advice in recent years, as a growing number of breaches have made headlines, which has made it harder to know which measures to adopt.
Actually, it’s still hard to know which measures to adopt. The Google study largely sidesteps the question of which of these myriad suggestions actually lead to the best outcomes, or correlate with fewer malware infections or account compromises.
That doesn’t mean the expert suggestions from the survey aren’t good advice. Indeed, non-experts might do well to shift some of their practices to emulate those recommendations (especially if you’re one of the users out there studiously avoiding all unknown websites—as my favorite survey respondent said of this recommendation, “Why not hide under the bed too?”). It does mean, though, that protecting yourself online like an expert is, at least for now, more about doing things that the experts do—and less about doing things that are proven to work.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.