Comparing Expert and Non-Expert Security Practices

I found this 2015 study interesting for pulling data on the difference between how security experts act online and how regular people act online.

The experts are way more likely to update their systems whereas the non-experts rely on antivirus software. I think that’s helpful to keep in mind when we’re meeting people where they are.

Did you read all 20 pages?! If so, kudos to you! Seems like a really good article though.

This is where I will admit to not reading the entire article.

I did what I learned in grad school: I read the abstract, the conclusion, the index, and the notes. Then I skimmed the charts and a few select passages that caught my eye, and posted it on the message board so that I could do my due diligence and fully absorb it later.


Thanks Carolyn! This was definitely an interesting read and I kept thinking back to our early discussions about “anything - even the smallest step - toward protecting yourself online is important.” It was promising to see that people do think about digital privacy and interesting to see what that actually manifests as in regular use. I also loved reading the comments from survey participants because they showed the contradictions between what people know they should be doing and actual practices and the thought process behind those practices.

As I am developing my talking points for privacy seminars at my library, I found the idea that “we should ensure that valuable user time is being spent on the things that would bring them the most benefit” (337) echoed my main concerns about presenting this information to patrons. I think the top three recommendations (installing updates, using a password manager, and using two-factor authentication) from this article are good, but four years later software has changed. My most recent experiences with a password manager and regular updates have been much more positive than in the past. Hopefully as an “authoritative” voice giving advice that these tactics work, I will be convincing to patrons.

Also interesting was that the top expert-recommended security practices were met with resistance from non-experts based on old threat models. I thought the best example was that non-experts do not trust password managers and a lot of this stems from stuff I heard growing up: “if stored or written down, passwords could be leaked” (334). Again, the software has changed and the threat models have changed: “As threat models are shifting from offline to online attacks and password reuse is becoming an increasing problem, using password managers or writing passwords down in a secure location seems to be a promising solution” (337). Being able to frame a conversation in a way that it starts with “what you’re doing is good, but here’s how to make it better” and using that as the jumping-off point for education will definitely be more well-received.


Fascinating stuff, thanks for sharing @CarolynGlauda!

It reaffirms a lot of the stuff I’ve learned from security experts over the years. Focusing on passwords and system updates above all else, eschewing antivirus clients (they’re scammy), checking for HTTPS. Generally “be suspicious/untrusting of software”.
