Comparing the Security Practices of Experts and Non-Experts

New paper: "'...no one can hack my mind': Comparing Expert and Non-Expert Security Practices," by Iulia Ion, Rob Reeder, and Sunny Consolvo.

Abstract: The state of advice given to people today on how to stay safe online has plenty of room for improvement. Too many things are asked of them, which may be unrealistic, time consuming, or not really worth the effort. To improve the security advice, our community must find out what practices people use and what recommendations, if messaged well, are likely to bring the highest benefit while being realistic to ask of people. In this paper, we present the results of a study which aims to identify which practices people do that they consider most important at protecting their security on-line. We compare self-reported security practices of non-experts to those of security experts (i.e., participants who reported having five or more years of experience working in computer security). We report on the results of two online surveys -- one with 231 security experts and one with 294 MTurk participants -- on what the practices and attitudes of each group are. Our findings show a discrepancy between the security practices that experts and non-experts report taking. For instance, while experts most frequently report installing software updates, using two-factor authentication and using a password manager to stay safe online, non-experts report using antivirus software, visiting only known websites, and changing passwords frequently.

Posted on July 30, 2015 at 2:21 PM • 25 Comments

Comments

Daniel • July 30, 2015 3:36 PM

This is good data yet it doesn't surprise me. I'd argue that the real difference between security experts and non-experts is that security experts think about security whereas non-experts do what they are told by security experts. After all, using antivirus software and changing passwords frequently are both security actions that security experts have beat into people's brains.

Cumulonimbus • July 30, 2015 4:30 PM

"Expert" has become a pejorative term.

The "scientists at the University of Rhode Island" that posited the idiotic hydrogen gas build-up explanation for the explosion at a beach in Rhode Island are an embarrassment. I'm convinced authorities there paid someone cash to conjure up this stupid explanation. Notice how they threw in something about "instruments" because it sounds so scientific.

It's almost as bad as the "expert" from a nearby Junior College explaining how sound waves bounce off the ionosphere and get amplified in the atmosphere... good grief.

But here is an intelligent retort of the Wi-Fi Sense garbage dozens of idiotic "experts" spewed the past 24hrs.
http://www.zdnet.com/article/no-windows-10s-wi-fi-sense-feature-is-not-a-security-risk/

Anything to do with popular media should be rejected outright. Anything you read in Yahoo for example, is garbage. And that's where anyone can write anything and be called an "expert." It's nauseating. Even Wired articles have become just a bunch of pretty pictures and the content approximating that of a middle school book report.

What does the media have to do with it? Because they decide who is an expert and not. Journalists are basically stupid and lazy. So once they find someone who likes to talk, they just keep calling them again and again and again.


rgaff • July 30, 2015 6:59 PM

@ Cumulonimbus

What I want to know is exactly what are the steps I take to make sure that my wifi password (and other private data) isn't shuttled across the internet and stored in the cloud, legally as Microsoft's "business record" free for the taking of any law enforcement? I'm more concerned about such things than that my friends will park across the street using my wifi (for if they knocked on the door I'd freely give my friends the password anyway). Are they the same steps as making my friends actually knock on my door to get my wifi password, instead of just being in my contacts list?

winter • July 30, 2015 9:32 PM

@rgaff
"(for if they knocked on the door I'd freely give my friends the password anyway)"

I would first try to find out how MS determines who are your friends. Their definition might not match your own.

David Henderson • July 30, 2015 10:39 PM

Rgaff: Anyone with an Android and a wifi portal probably has already given it to Google.

Truly Skeptical • July 31, 2015 12:13 AM

So 'experts' don't conflate privacy with security e.g. re: cookies and not bothering to clear them/store them in the first place?

Big mistake, since the two are obviously related - especially since the spooks piggyback on cookies and their unique UIDs (I C OVERREACH).

Anything which tracks, profiles, harvests data/protocols/unique signatures, and follows you around like an electronic SWF stalker is a problem, since corporate databases are absorbed into the larger military-industrial-Stasi complex databases as per Snowden disclosures.

A bit like the latest algorithms which will identify you uniquely from 10 minutes of typing and your unique cadence on the keyboard.... where do the 'experts' sit on that one since it defeats VPNs, Tor and the like???

PT • July 31, 2015 2:34 AM

@Truly Skeptical
"So 'experts' don't conflate privacy with security e.g. re: cookies and not bothering to clear them/store them in the first place?"

I would assume that "experts" would use expendable VMs by default so deleting cookies wouldn't even occur to them ;)

Winter • July 31, 2015 2:45 AM

@PT
"I would assume that "experts" would use expendable VMs by default so deleting cookies wouldn't even occur to them ;)"

Too much work.

Firefox settings and a few extensions will clean almost all cookies. And there are NoScript, Ghostery and extensions for referrers and randomizing browser strings. If you want to be more clean, use Torbrowser with fixed browser setting.

That would be enough for the day-to-day non sensitive computer work. For the real opsec, you can go VMs with specialist stuff.

Clive Robinson • July 31, 2015 6:12 AM

@ Truly Skeptical,

A bit like the latest algorithms which will identify you uniquely from 10 minutes of typing and your unique cadence on the keyboard.... where do the 'experts' sit on that one since it defeats VPNs, Tor and the like???

It's a "lesser fleas" problem.

The solution is to go to the bottom of the computing stack and see at what point the attack vector occupies and mitigate appropriately.

The "what you are" signature identification attacks occur because the computer is transparent below certain frequencies ( ie it's a TEMPEST type issue).

Thus the solution is control the bandwidth of the input, in this case the keyboard. There are two ways to do this,

1, Buffer the input and then send the buffer not the individual key strokes thus key interval timing is lost.
2, Clock the inputs, so they have no cadence.

The second one does not work well with humans, thus the first is the first step to take. However unless you clock the time the buffer is sent, when it's sent it will leak cadence information on the last key stroke and fine grained information on the response (thinking) time which is another "what you are" signature.

The transparency of the system arises due to a problem I've banged on about for years which is "Security -v- Efficiency".

Put simply the more efficient you make a system the more susceptible it is to time based side channels. In this case it's made way too wide the bandwidth between input and output, thus the typing cadence is well within it.

In the old multiuser Command Line days, to get efficiency and ease of programming the OS buffered up the input via the "line discipline" to the application, unless the programmer jumped through hoops to make it otherwise. C was fine with this but C++ was not so the OS sends the individual characters to the OS by default and the bandwidth opened up as well.

Does that answer the question?
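As an added illustration of the buffer-and-clock mitigation described in the comment above (example code written for this page, not Clive's or the paper's; the keystroke timings, the function names and the 500 ms tick are all constructed assumptions), the following Python compares three ways of moving typed input to the far end: one event per key, line buffering flushed when Enter is pressed, and buffering with release only on a fixed clock. The functions return what a passive observer could time on the wire, so the three cases can be compared directly.

```python
"""Keystroke cadence as a timing side channel, and the buffer-and-clock mitigation.

Example code added for this page (not from the blog post or the paper).
All timings below are constructed sample data, not measurements.
"""
from typing import List, Tuple

Keystroke = Tuple[str, int]  # (character, press time in ms since session start)
Event = Tuple[int, str]      # (time the data becomes visible on the wire, payload)

# Constructed sample input: a short line typed with irregular gaps between
# presses. Those gaps are the cadence a remote observer could fingerprint.
SAMPLE_KEYSTROKES: List[Keystroke] = [
    ("h", 0), ("e", 142), ("l", 230), ("l", 301), ("o", 455),
    (" ", 650), ("w", 720), ("o", 803), ("r", 910), ("l", 1004), ("d", 1190),
    ("\n", 1375),
]


def send_per_keystroke(keys: List[Keystroke]) -> List[Event]:
    """Default wide-bandwidth path: one event per key, every gap preserved."""
    return [(t, ch) for ch, t in keys]


def send_buffered_on_enter(keys: List[Keystroke]) -> List[Event]:
    """Line-discipline style buffering: the whole line is sent when Enter is pressed.

    Gaps inside the line disappear, but the event is stamped with the press
    time of the final key, so the end-of-line instant still leaks.
    """
    events: List[Event] = []
    buf: List[str] = []
    last_t = 0
    for ch, t in keys:
        buf.append(ch)
        last_t = t
        if ch == "\n":
            events.append((t, "".join(buf)))
            buf = []
    if buf:  # unterminated tail: flushed at the last press time (still unclocked)
        events.append((last_t, "".join(buf)))
    return events


def send_buffered_and_clocked(keys: List[Keystroke], tick_ms: int) -> List[Event]:
    """Buffer keys and release the buffer only at multiples of tick_ms.

    Every event time is a multiple of tick_ms, so the observer learns which
    ticks carried data and nothing about when the keys were actually pressed.
    """
    if tick_ms <= 0:
        raise ValueError("tick_ms must be positive")
    pending = sorted(keys, key=lambda k: k[1])
    events: List[Event] = []
    buf: List[str] = []
    i, tick = 0, tick_ms
    while i < len(pending):
        # Everything pressed before this tick is released together at the tick.
        while i < len(pending) and pending[i][1] < tick:
            buf.append(pending[i][0])
            i += 1
        if buf:
            events.append((tick, "".join(buf)))
            buf = []
        tick += tick_ms
    return events


def observable_intervals(events: List[Event]) -> List[int]:
    """Gaps between consecutive events, i.e. what a passive observer can time."""
    times = [t for t, _ in events]
    return [b - a for a, b in zip(times, times[1:])]


def press_times_visible(events: List[Event], keys: List[Keystroke]) -> List[int]:
    """Key-press instants readable straight off the wire: event times that
    coincide with a real press."""
    presses = {t for _, t in keys}
    return sorted(t for t, _ in events if t in presses)


if __name__ == "__main__":
    transports = {
        "per keystroke": send_per_keystroke(SAMPLE_KEYSTROKES),
        "buffered, flushed on Enter": send_buffered_on_enter(SAMPLE_KEYSTROKES),
        "buffered, clocked at 500 ms": send_buffered_and_clocked(SAMPLE_KEYSTROKES, 500),
    }
    for name, ev in transports.items():
        print(f"{name:28s} intervals={observable_intervals(ev)} "
              f"press times visible={press_times_visible(ev, SAMPLE_KEYSTROKES)}")
```

Running it shows the per-key transport exposing every inter-key gap; the Enter-flushed buffer hides the gaps inside the line but its single event is stamped with the last key's press time, which is the leak the comment warns about; the clocked buffer emits only tick-aligned times, so neither the cadence nor the end-of-line instant is recoverable from timing alone. A longer tick hides more at the cost of latency, which is the security-versus-efficiency trade the comment names.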

Dirk Praet • July 31, 2015 6:27 AM

@ Winter

For the real opsec, you can go VMs with specialist stuff.

Most intelligent spyware/malware nowadays is VM-aware, and you can still be compromised by hypervisor leaks and exploits. I recommend going with a specialised OS-on-a-stick like TAILS or Whonix. You can do persistent (encrypted) volumes containing configuration settings and data if required, and even hide the presence of your AnonOS in an xCrypt volume, firing it up through e.g. VirtualBox. You can (persistently) customise your TAILS with additional packages if you need any. Plenty of good HOW-TO's out there.

Get a (decent quality) flash drive disguised as something else, e.g. an ordinary keychain. Preferably use with an aging laptop stuffed with RAM, a dead battery and wifi, bluetooth and soundchip disabled (or removed). All usual hardware restrictions apply: if your BIOS/UEFI or other components are compromised, it's still game over.

Winter • July 31, 2015 6:38 AM

@Dirk
"Get a (decent quality) flash drive disguised as something else, e.g. an ordinary keychain."

I know about the VM ware leakage. But it is another, easy to throw up hurdle.

And for storage, buy a card reader and a micro-SD card. That micro-SD card can even be hidden inside a button on your trousers if you want. Better, also have a bunch of decoy SD cards and thumb drives lying around.

Dirk Praet • July 31, 2015 7:18 AM

@ Winter

That micro-SD card can even be hidden inside a button on your trousers if you want

True, but the thing is I just keep losing those pesky little things. And carrying around a card reader all the time doesn't quite work for me either.

But I totally get the idea of the decoy cards and thumb drives. Over where I live, parking your car not only is a nightmare, but also a quite expensive one. You need to buy tickets from machines in the streets to put on your dashboard behind the windshield. Many people like to pester the parking guards by displaying their entire collection of dozens, if not hundreds of old tickets together with the new one so they lose a lot of time checking whether or not someone has paid up. It's beautiful.

boomslang • July 31, 2015 8:21 AM

One odd discrepancy is that 47% of the experts were located in the USA, while a requirement of the non-expert group was that they be located in the USA.

Also, the phrasing in the paper is a bit ambiguous, but it seems that the experts received a different set of survey questions than the non-experts.

Not great science, but I think you don't really need good science to reach the conclusion found in this 20-page research paper. It's like The Onion News Network video that discusses scientific research on the effect of multiple stab wounds on monkeys.

Roboticus • July 31, 2015 8:51 AM

Something I find interesting, people on this blog are looking at VMs, sophisticated malware of various sorts, timing, TEMPEST, but from having run a computer repair shop myself I can tell you most non expert users get infected with really simple malware from downloading trojans disguised as video players or games. After working on over 10,000 work orders (not all malware related) I can only remember a handful of really sophisticated ones. One really mean one that survived a reinstall of the OS. Most however are installed as applications by the user, and have a few simple load points. The more advanced attacks are interesting, and may be how large corporate networks get compromised, but most day to day infections on home PCs and Macs that I've seen were really simple ones that AV does provide some protection against.

Clive Robinson • July 31, 2015 8:52 AM

@ Dirk Praet, Winter,

Many people like to pester the parking guards by displaying their entire collection of dozens, if not hundreds of old tickets together with the new one so they lose a lot of time checking whether or not someone has paid up. It's beautiful.

My favorite "denial of service on bureaucracy" happened in Paris over the "Denver Boot" wheel clamp.

Nearly every time one was put on a car a Frenchman would come up and inject "super glue" in the lock.

The results were predictable especially as there was a time penalty on the contractor. It was reported that a victim of the boot or others would phone friends etc who would then gather, and when the luckless contractor turned up he would face a crowd shouting the countdown at him and criticism on his performance.

If that was not enough they were photographed and rewards offered for their true identity.

Needless to say the number of contractors dwindled as they were not getting paid and their neighbors started avoiding them etc.

The scheme died a few weeks later, obviously the message was received loud and clear.

Then there was "The ring of flaming death" for GATSO cameras where a rubber tyre would be put around them and set on fire to "cook the contents". When the expensive electronics were moved into cabinets they got the same treatment.

Eventually they got too expensive and whilst not totally removed their use was not just to raise revenue. So another message sent.

And back in the Thatcher era the poll tax riots got the message across in a way even Maggie in her madness could not ignore.

Who? • July 31, 2015 10:09 AM

This paper does not make sense to me. Some questions do not mean the same to experts and non-experts. Let us say, "use verified software". An expert will understand software whose source code has been audited; a non-expert understands software that "passes Windows logo test program". Nonsense.

Why choose only three things we do to stay safe online? It would be better choosing all these things sorted by importance, or at least those things we do to stay safe.

Of course experts delete cookies and use strong passwords. However, these things are possibly not the most important three tasks they do to stay safe. Why limit information gathered from each participant to the three most important things instead of letting people sort these things by importance?

About using antivirus software... well... I would expect experts not to use these tools either. I do not use antivirus software. A much better choice is using an operating system that has good protection against malware (BSDs, Linux, ...) than using weak operating systems where writing malware is a task that can be easily automated by means of commercial and freely available malware development tools while expecting software programs to protect against all these wrongdoers.

Just using common sense should be enough. Choose the right tools for your work. Instead of protecting against viruses choose tools that make viruses incredibly hard to deploy. Close any service you do not want to get running or, better, choose an operating system that is secure by default and open anything you really need. Firewall any service that does not need to be widely reachable (most of them). Upgrade your software (and firmware). Run software that has been audited ("certified" is a different beast, it usually depends more on money than a true audit process, I do not trust "certified anything"). Configure services in a sensible way, do not open obvious security holes. Check logs... as said, just use common sense.

Who? • July 31, 2015 10:29 AM

Let us say, "use verified software". An expert will understand software whose source code has been audited; a non-expert understands software that "passes Windows logo test program".

Of course, an expert may understand software that has been mathematically verified too. From the context I understand the former definition is good enough, it is possibly what "verified software" means in real world.

albert • July 31, 2015 12:41 PM

@Clive,
Liquid nitrogen is used by bicycle thieves. It's fast and can't be foiled.
.
@Who?,
Use Linux/BSD, and be glad Windows is so ubiquitous, and holey. (Why we need Windows #1) I advise folks to keep a separate Linux machine (not wireless) for banking (and possibly online ordering) only. Even better is a Linux that boots fresh every time, without using the HD. Of course, no one listens.
.
..
.
..
o

Tõnis • July 31, 2015 1:10 PM

@Cumulonimbus, what actually caused the beach explosion in RI? (I live in RI, and I remember hearing this story when it happened, but it's not a story I followed ...)

Clive Robinson • July 31, 2015 7:45 PM

@ Albert,

Using liquid nitrogen to break the lock would due to the way many wheel clamps are made also damage the clamp as well as the lock, which would be a significant cost thus profit reduction. So the contractor would not be keen. Nor would the protestors, squirting super glue in the lock would arguably not be "criminal damage" because there are ways of removing it without physically damaging the lock, thus the police would not be interested in it. Effectively it would be a civil / tort equating to nuisance, which would cost the contractor a lot to bring action. But more importantly for the protestors it would not have the required "Denial of Service" aspect. If a contractor is tied down on sorting out a glued lock the clock may or may not run out on that job, but it would be dead time even if the clock did not run out. Thus it would reduce the number of other jobs he could do, like clamping other vehicles, thus push the cost of running the service to the point there was no profit.

Truly Skeptical • August 1, 2015 5:00 AM

@ Clive et al.

"Does this answer your question?"

Yes - thank you. I love your replies and learn a lot, along with the associated other computer experts here.

So, I take from this discussion:

- use plug in and/or cut paste from O/S tools for browsers re: risk of cadence fingerprinting
- fresh VMs to tackle cookies and other assorted meta-data
- use bootable USB/CD (Linux) for reasonable security e.g. Whonix and the like. With or without persistent volumes, although the former poses security risks I gather

PS The spooks masquerading as citizens here always give me a good belly laugh. The best that taxpayer dollars and psychometric screening tools can manage LOL

Best hang out in town... ;-)

albert • August 1, 2015 1:46 PM

@Clive,
I'm not suggesting that protesters (or anyone) use LN. It's scary, because there is no known defense against LN attacks.

Superglue or not, it's still 'damaging property'. As with graffiti, the owner of the boots would be allowed to assess the costs of 'repairing' the damage, AND the lost income resulting from the action of injecting the glue. They might conclude that it's cheaper (labor-wise) for them to replace the lock assembly, rather than repair it. Either way, they'll way overcharge if they can make the perps pay for it. I don't know French law or the court system, but this seems logical to me.
.
..
.
..
o

Lancelot • August 1, 2015 7:22 PM

@ Truly S
"So, I take from this discussion"

Using all that might just make you a prime suspect, if anything else, pois.

Keyboards, I think it just means some ppl take "code signing" a bit too seriously.

Tamara Benson • August 4, 2015 5:33 PM

I find this sad and pathetic---

"For instance, while experts most frequently report installing software updates, using two-factor authentication and using a password manager to stay safe online, non-experts report using antivirus software, visiting only known websites, and changing passwords frequently."

Installing software updates is a "good thing", unless you have some reason to feel that the "update" is corrupt. "Two factor auth" is great, unless it's usurped so easily by other aspects of the situation that it's just a joke--like your phone is hacked or owned. My own use of 2 factor with gmail has shown me that the gmail implementation quits asking for the 2 factor after a while, as if I couldn't IP spoof. If a bimbo can think of a work around....

Using a password manager sounds great, but what if Blur or any other "pw manager" is corrupted/hacked as we've seen happen so many times?

I'm honestly not sure at all that this study described two significantly different user style methods.

"Using antivirus sw, visiting only known sites, changing pw's" well, that's lame, but it's no more lame than what "experts" are doing.

I believe there are smart things we can do to try to protect ourselves, but it will require that the user try hard to learn and be aware of security issues as they arise, and adapt behaviors as it becomes necessary.

I have brilliant tech friends, and close family members, whom I do not trust to keep us all safe in our connections with regard to online things.
But I love them and need them more than my own lonely safety--what would you do? Cut your mother/husband/wife/daughter and your OS Guru off just because they make dumb assumptions and naive choices and sometimes endanger everyone?
Tough one. Try living alone with your computer. Oh, I mean, like forever. With no hope of human interaction.

Paranoid since I began learning software and hardware, and firmware.
Ultimately our network is our people, as dangerous as they can be,
T


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.