The key takeaway here is that the people writing these guidelines try to give as much information as possible,” Reaves says. “That’s great, in theory. But the writers don’t prioritize the advice that’s most important. Or, more specifically, they don’t deprioritize the points that are significantly less important. And because there is so much security advice to include, the guidelines can be overwhelming – and the most important points get lost in the shuffle.
In other words, the guideline writers are compiling security information, rather than curating security information for their readers.
Drawing on what they learned from the interviews, the researchers developed two recommendations for improving future security guidelines.
First, guideline writers need a clear set of best practices on how to curate information so that security guidelines tell users both what they need to know and how to prioritize that information.
Second, writers – and the computer security community as a whole – need key messages that will make sense to audiences with varying levels of technical competence.
“Look, computer security is complicated,” Reaves says. “But medicine is even more complicated. Yet during the pandemic, public health experts were able to give the public fairly simple, concise guidelines on how to reduce our risk of contracting COVID. We need to be able to do the same thing for computer security.”
Covid advice was simple, people understood it but many didn’t comply because they didn’t find it convenient. There were also covid-deniers, and people who significantly underestimated it. There were people who found corporate cyber security measures inconvenient too in the places I worked, but ignorance was I think always the more important reason.
I also think it isn’t enough for the advice to be simple, it should be somewhat easy to apply. “Don’t fall into phishing emails”. Sure, but how? Then it lists a bunch of tricks and hints and people can rarely remember all, and apply while they go through tens of emails daily. I think this is the message from the article.
Advice against phishing emails can be reduced to, “1: Never click on a link, call a phone number, download an attachment, or follow instructions you found in an email unless you were already expecting this exact email from this exact sender. 2: If you really want to do those things, search up the organization’s website directly and use the contact info they provide there instead.”
imo it’s the ad-hungry articles stretching everything into 10+ pages that’s making advice so inaccessible to people. Super annoying because it dilutes the real, simple message that’s already there, it’s just locked behind an adwall.