The continual news of security hacks over the past couple years has made information security a hot topic even outside of the infosec industry. Internet users who may have previously had weak or obvious passwords have now become conscious of their responsibility to use strong passwords—whether or not they are prompted by a website to do so. This newfound consciousness of security has undoubtedly made many people more cautious of their security practices, but that doesn’t mean that these people are implementing the right security practices.
Experts vs. Non-experts
A recent Google study titled “…no one can hack my mind”: Comparing Expert and Non-Expert Security Practices indicates just how big the gap is between the practices of security experts and non-expert Internet users. The results of the study prove that while average Internet users are more cautious, they are still not doing the right things to protect their information.
This knowledge gap between experts and non-experts does not suggest carelessness on the part of the non-expert. However, it does suggest that the ever-evolving security practices that experts develop and implement are not sufficiently trickled down to average Internet users. In a blog following the study, Google writes, “There is clearly room to improve how security best practices are prioritized and communicated to the vast majority of (non expert) users. We’re looking forward to tackling that challenge.”
Although experts and non-experts differed greatly on many security practices, it should first be noted that both parties prioritized strong passwords. But even with this common priority, the approach that experts and non-experts used to create strong passwords differed greatly.
When it comes to setting and keeping passwords, experts use password managers. Password managers allow users to set randomly generated passwords for each website. In a cloud-based application the password manager remembers the randomly generated password, eliminating the human error of setting weak passwords or forgetting the password altogether.
According to the Google blog post, only 24% of non-experts use password managers, whereas 73% of experts use them. The research suggests that the reason for this large gap in use of password managers is because non-experts are either unaware of them or are afraid of the supposed risk in using them.
Software Updates vs. Antivirus Software
Another part of the research illuminates a large gap in the way that security experts and non-experts view software updates and antivirus software.
The study reveals that 42% of non-experts prioritize antivirus software as a part of their security strategy, compared to only 7% of experts. While trusted antivirus software will not necessarily create risk for users, the illusion of infallible security that users may have because of the software could have some impact on security risk.
Experts, on the other hand, rely heavily on software updates for optimal security. A reported 35% of experts put software updates in their top three priorities for good security, while only 2% of non-experts prioritize these updates. Surprisingly, the research revealed that on top of not prioritizing updates, non-experts are actually afraid that updates create additional risk.
This misunderstanding of the security advantage behind software updates deserves attention and remediation.
Closing the Gap
While this research does not illustrate that the practices of non-experts are malpractices leading to immediate exploitation, it does reveal a significant gap that warrants our consideration.
One take-away from this research could be: all Internet users should download password managers today and immediately update all their software (and yes, we think that’s a good idea). But perhaps a more important take-away should be: how can we ensure that the knowledge and expertise in the infosec industry is properly delivered to average Internet users?
Improving this communication between experts and non-experts is not a process that will not change overnight, but it is a process that DigiCert is committed to participating in.
If you have an idea of how we could better convey best security practices to you, send us a tweet.