<i>[Non-experts] mistakenly worry that software updates are a security risk.</i><p>I think this betrays a lack of thought about the risks to non-experts. Tons of malware masquerades as legitimate updates, and non-experts don't always have the knowledge to distinguish legitimate updates from malicious ones. Therefore, to non-experts software updates <i>are</i> a security risk.<p>Edit: And this is why Chrome's policy of updating automatically and completely silently is the right thing to do, and everyone else (Adobe, Oracle, Microsoft, looking at you) is doing it wrong.
But are the security experts actually safer online?<p>The study seems to assume that they are. It may be a fair assumption, but it would be interesting to know if it actually is true or not. It would also help validate the security practices.<p>If it turns out that the security experts got infected just as much, or only slightly less than the non-experts, then following their practices might not be worth the effort...
The thing that software security people do that most normal people don't do is: browsing and accessing email in a virtual machine, not their actual machine.
I am personally concerned with the "patch, patch, patch" message. Stated that way, I completely agree with it. However, for many it is just "update, update, update."<p>I'm all for getting the latest security patches. Or any security patches, really. I'm growing tired of getting the latest possibly risky feature from a product because it is the only way I can get a security patch.
Brilliant. Measuring how well typical users understand/implement security measures has long been overdue.<p>Personally, I find Figure 2 (on Page 5) of the paper most interesting: it shows the difference between expert and non-expert mentioning certain practices -- which to me seems roughly equal to how under-/overappreciated that practice is.<p>The top contenders for underrated (i.e. used more frequently by experts compared to non-experts) are: System updates, 2-factor-auth, password managers, unique passwords and checking for https. Most overrated: antivirus, password changes, only visiting known sites and using strong passwords.<p>As a security community, we appear to have gotten the point across when it comes to antivirus and strong passwords. Anyone giving general advice should consider this and emphasize the "underrated" measures.
<p><pre><code> > The high adoption of antivirus software
> among non-experts ... might be due to the
> good usability of the install-once type of
> solution that antivirus software offers.
</code></pre>
Or due to the fact that antivirus companies make money on selling antivirus software to non-experts and have a long history of advertising it to non-experts as a security solution.
One bit of advice that should be up there is to run an ad blocker and a flash blocker (not so relevant anymore now that FF started blocking by default). I know, I know, websites depend on ads for revenue. But ads are also a great way to deliver exploits, in addition to all the personal tracking ad networks do. Our number one priority is to protect ourselves, not to protect website revenue.
Do security experts place less emphasis on virus scans because they do their browsing on an OS for which virus scanning is less important?<p>EDIT
This question is partly motivated by wondering whether a Linux browsing user should be running a virus scanner.
Not entirely surprising the experts ranked "install software updates" #1, but it didn't even make the non-experts' top 5.<p>We, as an industry, still have a long way to go in making it easy and safe for consumers to keep their software up to date. Have you ever tried to explain to someone (outside the industry) which "click to install the latest version" messages are important to obey, and which are malicious?
This seems misleading. Good security jerks know that there isn't a rule that works for everything. This list might be a little misleading to the non-security jerks.<p>For example, 'software updates' are half the battle, but the other half of the battle is configuring your software to be more secure (browser sandboxing, NoScript, pop-up blockers, malware detectors, OS hardening).<p>All the rest of the security concerns are authentication-based, but there are very few accounts that are important enough to need a secure account. Banks and money transfer services, business accounts (taxes, professional services, ebay/etsy merchants, etc), followed by e-mail accounts, are probably the only really critical accounts most people have. You can hack my Facebook or my Huffington Post account; it doesn't really threaten my safety.<p>I think the one thing <i>nobody</i> does that would actually matter to them eventually is keep offline backups. Facebook might lose all your pictures and FB messages tomorrow. They have <i>zero</i> responsibility to keep that crap for you. If you do get hacked and someone deletes all your pictures, don't go crying to Facebook; they have enough problems.<p>At the end of the day, the biggest threat to your online safety in general is malware. Once malware is on your device it's game over.
Something obvious seems missing:<p>Our systems can be hacked, expert or not. Minimize online footprint. Do not keep years and years of email and other stuff on Internet connected devices, back it up to external media.
A plug for our paper, also at the SOUPS conference. We tackled a similar topic, but with a different method and broader focus (how experts and non-experts in general conceptualize the internet as a system): <a href="https://www.usenix.org/system/files/conference/soups2015/soups15-paper-kang.pdf" rel="nofollow">https://www.usenix.org/system/files/conference/soups2015/sou...</a><p>It's great to see a large company like Google focusing on this kind of work though.
How do I apply my patch, patch, patches to TurboTax, Adobe Reader, and Skype?<p>I don't think we're talking about the same applications here when comparing security experts and non-experts.
I've had my mom use LastPass for a couple of years, and just recently enabled grid multifactor auth (free). The main thing about their multifactor options is you can optionally "trust" a computer and only do multifactor on it once. So she won't have to ever use multifactor, but it's mandatory elsewhere, which essentially keeps everyone else out while not changing her workflow.
Seems like another attempt by Google to get phone numbers from users. Experts are using two-factor authentication, review your security settings and give us your phone number. Maybe I am a bit paranoid...
What kind of security experts are they talking to... My personal list of most important things to do:<p>1. Run a version of Linux ( Windows is simply insecure )<p>2. Use Firefox + NoScript and only ever temporarily allow JS to run as needed. ( JS is -not- safe and at any point in time there are at least a handful of zero day exploits )<p>3. Use an offline password manager ( KeePass )<p>4. Use a secure anonymous non-logging VPN for all internet use<p>5. Use a paid private email account, not some free one<p>6. Use VMs for running software that may not be safe