Security Experts and Average Users Think Differently

Google interviewed and/or surveyed hundreds of users and experts to see how they think about security issues.  Not entirely surprisingly, there were many differences.  Here are a few:

The #1 difference between experts and non-experts is in INSTALLING UPDATES.  Experts rated that as the most important thing to do to improve security: 35% of the experts, but only 2% of the average users, ranked it as a top security priority.  For example, Adobe released two patches for Flash this week, and one of the bugs they fix is already being exploited in the wild.  Users who don't install such patches quickly are more likely to be attacked.

Users often don't install patches.  Often the process is complex and confusing – sometimes even to me.  In addition, software vendors sometimes bundle in unrelated changes (for example, Microsoft recently shipped Windows 10 upgrade nag screens as a critical update), which discourages users from installing updates at all.

Number 2 is using a PASSWORD MANAGER.  73% of the experts but only 24% of the non-experts use a password manager.  Password managers let users have a complex and different password on each web site, so that one breached site does not expose the accounts on all the others, thereby reducing the risk of account compromise.  Of course, even this does not fix the problem that I described yesterday of socially engineering AOL and Verizon – unfortunately.

Another difference is using TWO FACTOR AUTHENTICATION, or 2FA.  2FA makes it more difficult for a hacker to compromise your account, even if they already know your password, because the login also requires something only you have.
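To make that point concrete, here is an added example (not code from the original post): a minimal login check that requires both a password and a time-based one-time code of the kind generated by authenticator apps (TOTP, RFC 6238). The account record, the password and the TOTP secret are constructed for the demonstration; the secret is the RFC 6238 Appendix B test key so that the codes can be checked against the published vectors.

```python
# Added example, not from the original post: a two-factor login check.
# The password alone is never enough; a valid TOTP code is required as well.
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # TOTP time step used by most authenticator apps


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code (HMAC-SHA1) for a given Unix time."""
    counter = struct.pack(">Q", for_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed demo account. The TOTP secret is the RFC 6238 test key, NOT a
# value to use anywhere real; the salt is fixed only so the example is stable.
DEMO_PASSWORD = "correct horse battery staple"
ACCOUNT = {
    "salt": b"demo-salt-0123456789ab",
    "totp_secret": b"12345678901234567890",
}
ACCOUNT["pw_hash"] = hash_password(DEMO_PASSWORD, ACCOUNT["salt"])


def login(password: str, code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Accept only if BOTH the password matches AND the code is valid for the
    current time step or one of the `window` adjacent steps (clock drift)."""
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, ACCOUNT["salt"]), ACCOUNT["pw_hash"])
    candidates = [totp(ACCOUNT["totp_secret"], now + d * STEP_SECONDS)
                  for d in range(-window, window + 1)]
    code_ok = any(hmac.compare_digest(c, code) for c in candidates)
    # Evaluate both factors before combining so a wrong password alone does
    # not change the timing; then require both.
    return pw_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code here is 287082
    print("password only        :", login(DEMO_PASSWORD, "000000", t, window=0))
    print("password + valid code:", login(DEMO_PASSWORD, totp(ACCOUNT["totp_secret"], t), t))
    print("stolen code, wrong pw:", login("guess", totp(ACCOUNT["totp_secret"], t), t))
```

With a known password but no current code the check fails, which is exactly the extra hurdle the paragraph describes. The one-step tolerance window is a deliberate trade-off: it tolerates a phone clock that is slightly off, at the cost of accepting a code for roughly 90 seconds instead of 30.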

On the other side, non-experts think that ANTI-VIRUS software will protect them.  42% of the non-experts but only 7% of the experts rank A-V software in the top tier of security protections.  While A-V software will protect you from some malware, these days it really is a secondary protection, given the types of attacks now in use.

For software updates, more software (browsers and Windows 10, for example) is now installing updates automatically.  Assuming this is done securely, users win with this strategy.

Ultimately, we have to get non-expert users to make changes to their daily practices in order to improve security.  Part of that is education; part of that is for the software vendors to make the process easier (like automatic updates).

For additional differences between the experts and non-experts, read the linked article below.

Information from this post came from Security Intelligence.
