Why Is Computer Security Advice So Confusing?

If you’ve ever felt baffled by the computer security instructions provided at your workplace, you’re not alone. A recent study underscores a fundamental issue in the crafting of these guidelines and suggests straightforward measures to enhance them – likely leading to better computer safety.

The concern revolves around the computer security protocols given by institutions, including businesses and government bodies, to their staff. These protocols aim to guide employees in safeguarding both personal and organizational data against dangers like malware and phishing attacks.

“As a computer security researcher, I’ve noticed that some of the computer security advice I read online is confusing, misleading, or just plain wrong,” says Brad Reaves, corresponding author of the new study and an assistant professor of computer science at North Carolina State University. “In some cases, I don’t know where the advice is coming from or what it’s based on. That was the impetus for this research. Who’s writing these guidelines? What are they basing their advice on? What’s their process? Is there any way we could do better?”

For the study, researchers conducted 21 in-depth interviews with professionals who are responsible for writing computer security guidelines for organizations including large corporations, universities, and government agencies.

“The key takeaway here is that the people writing these guidelines try to give as much information as possible,” Reaves says. “That’s great, in theory. But the writers don’t prioritize the advice that’s most important. Or, more specifically, they don’t deprioritize the points that are significantly less important. And because there is so much security advice to include, the guidelines can be overwhelming – and the most important points get lost in the shuffle.”

The researchers found that one reason security…