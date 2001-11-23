Why Computer Security Advice Is More Confusing Than It Should Be:
If you find the computer security guidelines you get at work confusing and not very useful, you're not alone. A new study highlights a key problem with how these guidelines are created, and outlines simple steps that would improve them – and probably make your computer safer.
At issue are the computer security guidelines that organizations like businesses and government agencies provide their employees. These guidelines are generally designed to help employees protect personal and employer data and minimize risks associated with threats such as malware and phishing scams.
[...] "The key takeaway here is that the people writing these guidelines try to give as much information as possible," Reaves says. "That's great, in theory. But the writers don't prioritize the advice that's most important. Or, more specifically, they don't deprioritize the points that are significantly less important. And because there is so much security advice to include, the guidelines can be overwhelming – and the most important points get lost in the shuffle."
The researchers found that one reason security guidelines can be so overwhelming is that guideline writers tend to incorporate every possible item from a wide variety of authoritative sources.
"In other words, the guideline writers are compiling security information, rather than curating security information for their readers," Reaves says.
Drawing on what they learned from interviews with guideline authors, the researchers developed two recommendations for improving future security guidelines.
First, guideline writers need a clear set of best practices on how to curate information so that security guidelines tell users both what they need to know and how to prioritize that information.
Second, writers – and the computer security community as a whole – need key messages that will make sense to audiences with varying levels of technical competence.
[...] "I also want to stress that when there's a computer security incident, we shouldn't blame an employee because they didn't comply with one of a thousand security rules we expected them to follow. We need to do a better job of creating guidelines that are easy to understand and implement."
The study, "Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice," was presented at the USENIX Symposium on Usable Privacy and Security [video].
(Score: 3, Interesting) by Thexalon on Wednesday November 01, @08:07PM
It's not complicated:
1. If whoever writes the security guidelines includes something that's relatively minor and obscure in their security guidelines, and the user is confused and doesn't follow them, then the user is to blame and might get fired over the breach.
2. If whoever writes the security guidelines leaves out something that's relatively minor and obscure in their security guidelines, and the user doesn't follow them because they didn't know about them, then the security guideline writer is to blame and might get fired over the breach.
What's good for an organization may or may not be good for individuals within an organization. Never, ever, forget that.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by SomeRandomGeek on Wednesday November 01, @08:36PM
The problem is that security architectures expect too much from users. Trying to document these unreasonable expectations is like closing the barn door after the horse has already gotten out.
For example, password guidelines:
1. Use only "strong" passwords, which is a euphemism for impossible to remember.
2. Use a different password for each domain, and never re-use the same password.
3. Change your passwords frequently.
4. Never write your passwords down.
Well, that's just stupid. There is a hundred percent chance that some of the users will screw it up. Consequently, it is not the users' fault for screwing it up, it is the security architects' fault.
A more reasonable system would issue each user a dongle, which would be a dedicated security device (no user managed apps, no superuser access for the end user), which required a fingerprint and a password to activate, and which managed separate access tokens for each app.
So, you have super strong three factor authentication (something you have, something you are, and something you know) which is easy and convenient for the users.
But are the security guys setting up such a system? No, they're too busy adding "Don't use a password manager" to their list of security guidelines.
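The dongle design sketched in the comment above, simulated as an added example (this is not the commenter's code and not any real product): a dedicated device holding one master secret that unlocks only when both a PIN and a fingerprint check pass, derives a separate credential for each app from that secret, and answers each app's fresh challenge so nothing password-like is ever typed, reused or written down. All names (AuthDevice, AppServer, the app IDs and the user) are this example's own, the fingerprint matcher is stubbed as byte equality, and the per-app credentials are symmetric HMAC keys for brevity where a real device would export only a per-app public key.

```python
"""Added example, not the commenter's code: a dedicated authentication
device with per-app credentials derived on the device. Names are hypothetical."""
import hashlib
import hmac
import os
import secrets


class AuthDevice:
    """Dedicated device: no user apps, no superuser, one master secret inside."""

    MAX_FAILURES = 5  # lockout so a stolen dongle's PIN cannot be brute-forced

    def __init__(self, pin: str, fingerprint_template: bytes):
        self._master = secrets.token_bytes(32)    # something you have; never exported
        self._pin_salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin)       # something you know
        self._fp_template = fingerprint_template   # something you are (stand-in)
        self._unlocked = False
        self._failures = 0

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, 100_000)

    def unlock(self, pin: str, fingerprint: bytes) -> bool:
        """Both factors must match; any failure counts toward lockout."""
        if self._failures >= self.MAX_FAILURES:
            return False
        pin_ok = hmac.compare_digest(self._pin_hash, self._hash_pin(pin))
        # Constructed stand-in for a biometric matcher: exact template equality.
        fp_ok = hmac.compare_digest(self._fp_template, fingerprint)
        if pin_ok and fp_ok:
            self._unlocked, self._failures = True, 0
            return True
        self._failures += 1
        return False

    def lock(self) -> None:
        self._unlocked = False

    def _app_key(self, app_id: str) -> bytes:
        # One credential per app, derived from the master secret. Learning one
        # app's key reveals nothing about the master or any other app's key.
        return hmac.new(self._master, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        """Hand the app its verification key (symmetric here for brevity)."""
        if not self._unlocked:
            raise PermissionError("device is locked")
        return self._app_key(app_id)

    def respond(self, app_id: str, challenge: bytes) -> bytes:
        """Answer the app's fresh challenge; no static secret leaves the device."""
        if not self._unlocked:
            raise PermissionError("device is locked")
        return hmac.new(self._app_key(app_id), challenge, hashlib.sha256).digest()


class AppServer:
    """One relying party (mail, VPN, ...) holding only per-user verification keys."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self._keys = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self) -> bytes:
        return os.urandom(32)  # fresh nonce per login attempt

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenario() -> dict:
    """Enroll one user with two apps and exercise the failure modes."""
    fp = b"constructed-fingerprint-template-alice"   # constructed sample data
    dev = AuthDevice(pin="4931", fingerprint_template=fp)
    mail, vpn = AppServer("mail.example"), AppServer("vpn.example")
    r = {}
    try:
        dev.register(mail.app_id)
        r["locked_refuses"] = False
    except PermissionError:
        r["locked_refuses"] = True
    r["wrong_pin"] = dev.unlock("0000", fp)
    r["wrong_fingerprint"] = dev.unlock("4931", b"someone-else")
    r["unlock"] = dev.unlock("4931", fp)
    mail.enroll("alice", dev.register(mail.app_id))
    vpn.enroll("alice", dev.register(vpn.app_id))
    r["keys_differ"] = mail._keys["alice"] != vpn._keys["alice"]
    c = mail.challenge()
    resp = dev.respond(mail.app_id, c)
    r["mail_login"] = mail.verify("alice", c, resp)
    r["cross_app_replay"] = vpn.verify("alice", c, resp)              # mail response at VPN
    r["stale_replay"] = mail.verify("alice", mail.challenge(), resp)  # old response, new nonce
    dev.lock()
    for _ in range(AuthDevice.MAX_FAILURES):
        dev.unlock("1234", fp)
    r["locked_out"] = not dev.unlock("4931", fp)   # correct factors, but lockout already hit
    return r
```

Run `run_scenario()` to see each property as a True/False entry: a locked device refuses to enroll or respond, a wrong PIN or wrong fingerprint fails on its own, the mail and VPN credentials differ, a response captured from the mail login is useless at the VPN and useless against the next mail challenge, and five bad PINs lock the dongle even when the right factors follow. None of the four password rules the comment lists applies to the user here, which is the point the comment makes.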