How experts stay safe online and what non-experts can learn from them

Google researchers asked 231 security experts and 294 web users who aren’t security experts about their security best practices, and the top practices named by each group differ considerably.


“Experts recognize the benefits of updates—‘Patch, patch, patch,’ said one expert—while non-experts not only aren’t clear on them, but are concerned about the potential risks of software updates,” Google researchers pointed out.

“A non-expert told us: ‘I don’t know if updating software is always safe. What [if] you download malicious software?’ and ‘Automatic software updates are not safe in my opinion, since it can be abused to update malicious content.’”

Experts also recognize the need to use unique and strong passwords, and how useful password managers are for that. Non-experts are less likely to use password managers: some find them difficult to use, some don’t realize how helpful they can be, and others are simply reluctant to (as they see it) “write” passwords down.

Another interesting point is that non-experts love and use antivirus software. Perhaps it’s because it gives them a simple, concrete, (seemingly) clear-cut answer regarding the security status of their computer? But security experts know that AVs are not a bulletproof solution, and are worried that a considerable number of non-experts consider them to be.

Non-experts seem to avoid sites that they are not familiar with, and keep visiting trusted sites in the belief that these sites are always secure. They are apparently not aware of the fact that most malware websites are not malicious attack sites, but compromised sites that are used to spread malware.

Finally, one big difference between the two groups is that experts are much more likely to use two-factor authentication where available. Non-tech-savvy users are apparently still not clear on how it works or what its benefits are, are also unclear on how to use the option and, therefore, are still reluctant to use it.

“No practice on either list—expert or non-expert—makes users less secure,” the researchers pointed out. “But, there is clearly room to improve how security best practices are prioritized and communicated to the vast majority of (non expert) users.”

More details about the research can be found in this paper.