By Michael Martinez and Lori Cameron
Worried about your online security? A Google team asked experts on its Google Online Security Blog for their top three pieces of advice for non-tech-savvy users.
After 231 security experts responded, the Google team concluded what many average users have long known: Our digital world is downright confusing at times.
To come up with a fast checklist for online safety is “no small task,” the Google researchers concluded.
So, in an effort to make the world a digitally safer place, the Google authors developed a list of “152 Simple Steps to Stay Safe Online” for the IEEE Computer Society, the world’s premier association of computing professionals.
If a Top-152 list sounds like a bit much, the Google analysts agree. They hope their fellow experts will pare down the list to something concise over time.
“It’s understandable if users are confused about what to do; even experts, as a field, don’t seem to agree,” wrote senior user experience researcher Robert W. Reeder, software engineer Iulia Ion, and security and privacy user-experience team leader Sunny Consolvo, all of Google.
“Given our finding of a diverse range of advice, all of which is considered important by at least some experts, it might be the case that the security space is simply too complex for a small set of consistent advice to adequately protect the general user population. Perhaps advice communication efforts should focus not on communicating the same advice consistently to everyone, but on identifying particular audiences and customizing advice for each audience,” they wrote in a new study in the September/October 2017 issue of IEEE Security & Privacy.
The list is so long because experts couldn’t agree on exactly how a security measure should be carried out: writing down passwords versus not writing them down, for example, or not clicking on certain email links versus not clicking any at all.
“Although almost all of the thoughtful advice we received makes sense in isolation, the security expert community isn’t in agreement on how to prioritize the set of advice as a whole or on how to resolve confusing variants in the set,” say the authors.
In the end, the researchers found two things the general public needs: they need to know what to do, and they need to know how—in simple terms.
Out of 837 pieces of advice, they found 152 to be unique. Each unique piece of advice was assigned a number based on how many experts mentioned it. This produced a list of 45 tips that at least four experts mentioned. From this list, the researchers culled a list of top 10 tips for general users.
The researchers then established four criteria for communicating these tips in a way non-experts can use:
It should be effective. Good advice, if followed by a user, should actually improve the user’s security situation and lead to better security outcomes.
It should be actionable. Good advice should be easy for a user to remember and apply when needed, and it shouldn’t overly interfere with a user’s primary goals.
It should be consistent. Good advice should be both internally consistent—in that it shouldn’t cause confusion with or subsume other advice in the whole set of advice—and presented consistently—in that it should be phrased similarly each time a user hears it and should change as little as possible over time (as long as it remains effective).
It should be concise. The set of advice as a whole should be as small as possible. Less advice is easier for users to remember than more advice, and less advice to follow means it’s easier to follow all of it.
The goal is simple: Make online security simple.
“We seek to alert the usability and security communities to some of the difficulties users might have following the advice on offer today. Through data-informed debate, the communities can pare the set down, prioritize it, standardize the way it is phrased, and package it for more effective dissemination to non-tech-savvy users,” the authors say.
Here are the Google team’s 10 most-mentioned pieces of expert advice:
Here is the Google team’s next set of advice: the 45 pieces of advice that at least four experts mentioned
Here are the Google team’s examples of less common advice provided by experts: