Technology

72484 readers

3193 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

[email protected]

Why Is Computer Security Advice So Confusing? (scitechdaily.com)

submitted 2 years ago by [email protected] to c/[email protected]

1 comments fedilink hide all child comments

The key takeaway here is that the people writing these guidelines try to give as much information as possible,” Reaves says. “That’s great, in theory. But the writers don’t prioritize the advice that’s most important. Or, more specifically, they don’t deprioritize the points that are significantly less important. And because there is so much security advice to include, the guidelines can be overwhelming – and the most important points get lost in the shuffle.

In other words, the guideline writers are compiling security information, rather than curating security information for their readers.

Drawing on what they learned from the interviews, the researchers developed two recommendations for improving future security guidelines.

First, guideline writers need a clear set of best practices on how to curate information so that security guidelines tell users both what they need to know and how to prioritize that information.

Second, writers – and the computer security community as a whole – need key messages that will make sense to audiences with varying levels of technical competence.

“Look, computer security is complicated,” Reaves says. “But medicine is even more complicated. Yet during the pandemic, public health experts were able to give the public fairly simple, concise guidelines on how to reduce our risk of contracting COVID. We need to be able to do the same thing for computer security.”

top 1 comments

sorted by: hot top controversial new old

[–] [email protected] 1 points 2 years ago* (last edited 2 years ago)

One problem is that a great deal of correct security advice contradicts "common knowledge" security practices. Password character classes -- "must include capitals, lowercase, numbers, and symbols" -- are a standard example. That idea got rooted in security requirements for banks and such, and it was a bad idea even then.

But getting rid of that idiocy looks, to the casual observer, like "weakening password requirements".

Another problem is that the biggest security vulnerability that many businesses have is obedience to authority. If you can "social-engineer" someone into thinking you're the big boss, then of course they'll turn off all the security for you. And the scarier the big boss is, the more eager the underlings are to please them by doing exactly what the email from [email protected] says.

Resistance to phishing is questioning claims of authority; it requires being willing to tell the big boss that no you won't take the security down in response to an email, even a really convincing one. Which means that the worker has to be safe in doing so.