Online Security: How The Experts Keep Safe - InformationWeek
News | 7/27/2015 09:06 AM

Google researchers have compared the security practices of experts to non-experts, and identified several ways that typical Internet users can improve their online security.


In the 1976 thriller Marathon Man, Nazi war criminal Dr. Christian Szell tortures runner "Babe" Levy to find out whether it's safe for him to retrieve diamonds stored in a bank deposit box.

"Is it safe?" Szell asks repeatedly. Levy, who doesn't know, can't provide a satisfactory answer.

It isn't safe online, but many people try to achieve some measure of security by keeping their passwords safe in their heads.

"No one can hack my mind," explained one person responding to Google researchers about security practices.

Someone could beat you about the head, a technique euphemistically known as "rubber-hose cryptanalysis," to obtain your secrets. It didn't work in Marathon Man, but it can.

Fortunately, that's not a scenario likely to concern most Internet users. But it demonstrates one of several vulnerabilities that come with trying to remember passwords. There's another issue that may be more relevant: Memory doesn't scale. Trying to remember multiple passwords, if they're as complex as they should be, is a recipe for failure.

Google software engineer Iulia Ion, research scientist Rob Reeder, and user experience researcher Sunny Consolvo set out to explore the difference between security experts and the rest of us. They detailed their findings in the paper "Comparing Expert and Non-Expert Security Practices," which they presented at last week's Symposium on Usable Privacy and Security.

[ Are we our own worst enemies when it comes to security? Read Google: Your Password Security Questions Are Terrible. ]

The difference in security practices between the two groups is striking. The researchers conducted two surveys -- one polling 231 security experts and the other polling 294 Internet users who are not security experts. The latter group was recruited from Amazon's Mechanical Turk crowdsourcing platform.

Among respondents who are not security experts, 42% consider the use of antivirus software to be among the top three things one can do to stay safe online. Only 7% of the security experts polled believe that. Instead, experts prefer keeping software updated. "AV is simple to use, but less effective than installing updates," said one.

(Image: Google)

When it comes to passwords, only 24% of non-experts polled said they used password managers for at least some of their accounts, compared to 73% of experts. The research paper suggested that non-experts don't trust password management companies. That may not be an entirely unreasonable stance, given the recently reported breach of LastPass. However, experts observed that using a password manager allows people to have passwords that are both strong and unique.

Non-unique passwords present a risk, because attackers will often try passwords they obtain at other websites to find accounts they can hijack. If they're successful, further compromises may follow.
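The reuse risk described above shows up on the defender's side as a recognisable login pattern: one source spraying leaked credentials across many different accounts, with mostly failures and the occasional success. The following is an added example, not code from the article or from the Google study; it runs over a handful of constructed log lines in an assumed "src= user= result=" format and flags sources whose attempts spread over many accounts and mostly fail, listing the accounts that nevertheless logged in so they can be reset.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines for this example; the line format is an
# assumption for illustration, not any real product's log format.
SAMPLE_LOG = """\
2015-07-27T09:00:01 src=203.0.113.5 user=alice result=fail
2015-07-27T09:00:02 src=203.0.113.5 user=bob result=ok
2015-07-27T09:00:02 src=203.0.113.5 user=carol result=fail
2015-07-27T09:00:03 src=203.0.113.5 user=dave result=fail
2015-07-27T09:00:03 src=203.0.113.5 user=erin result=fail
2015-07-27T09:00:04 src=203.0.113.5 user=frank result=fail
2015-07-27T09:00:04 src=203.0.113.5 user=grace result=fail
2015-07-27T09:00:05 src=203.0.113.5 user=heidi result=fail
2015-07-27T09:01:10 src=198.51.100.20 user=alice result=fail
2015-07-27T09:01:25 src=198.51.100.20 user=alice result=fail
2015-07-27T09:01:40 src=198.51.100.20 user=alice result=ok
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


@dataclass
class SourceStats:
    """Per-source counters: how many tries, how many failed, which accounts."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)


def summarize(log_text):
    """Aggregate login attempts by source address."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "fail":
            s.failures += 1
        else:
            s.successes.add(m["user"])
    return stats


def flag_stuffing(stats, min_users=5, min_fail_rate=0.7):
    """Return {src: sorted accounts that logged in} for sources that spread
    attempts across at least min_users accounts and mostly fail. A single
    user mistyping their own password touches one account and is not flagged."""
    flagged = {}
    for src, s in stats.items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_rate:
            flagged[src] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for src, hit in flag_stuffing(summarize(SAMPLE_LOG)).items():
        print(f"{src}: credential-stuffing pattern; accounts to reset: {hit}")
```

The thresholds are assumptions to tune per site; the point is that the "many accounts, mostly failures" shape is what distinguishes replayed credentials from a legitimate user who forgot one password, and that the successes inside such a burst are exactly the reused passwords the article warns about.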

A third point of differentiation between security experts and non-experts is the use of two-factor authentication. Eighty-nine percent of security experts polled said they used two-factor authentication, compared to 69% of non-experts. Some 12% of non-experts said they didn't know whether they use two-factor authentication – which probably means they don't.

Security experts don't always follow their own advice -- the report noted that 38% of security experts admitted to clicking on links in email messages from unknown senders, compared to only 12% of non-experts -- so perhaps each group can learn from the other.

The report's major shortcoming, beyond limitations identified in the study, is the absence of data on the results of these security practices. Is it safe if we patch, use a password manager, and employ two-factor authentication? We may think we know, but it's difficult to be certain.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
asksqn | User Rank: Ninja | 7/30/2015 | 3:33:49 PM
Sneakernet works great
Marathon Man - Great movie and nice reference! Personally, I employ good ol' sneakernet to maintain my passwords, i.e. spending $0.99 at the local discount store to buy a 6"x4" notepad to write down my 14 digit alpha-numeric-special-character passwords. Works great. 100% guaranteed against hacking and/or social engineering.
impactnow | User Rank: Author | 7/30/2015 | 2:07:06 PM
Re: Password manager
I know it would be useful, as I constantly forget infrequently used passwords. I just can't bring myself to trust the password safe technology; it just seems very risky. In the interim, I wish there was a password standard in place: the constantly changing requirements for differing sites are a big problem. It makes remembering passwords close to impossible.
Whoopty | User Rank: Ninja | 7/28/2015 | 7:41:38 AM
Password manager
I've been using a password manager for a while, and it's proved the only way to up my security across the board. Now everything has a unique, impossible-to-remember password, so I have upwards of 40 different ones. There's no way I could have recalled all of those, and reuse would certainly have happened without it.
jagibbons | User Rank: Ninja | 7/27/2015 | 3:55:00 PM
Re: Results
I think I know part of the answer on antivirus. To the non-expert, antivirus is often inaccurately seen as that single biggest component of computer safety. In their defense, it was 10-15 years ago. Today, however, it is just one piece of a very complex security portfolio. The security expert is going to be aware of all the other pieces that need to be in place.
impactnow | User Rank: Author | 7/27/2015 | 3:49:21 PM
Re: Results
Surprising information; some of it I would've expected. The clicking on links in emails I was completely surprised by; I never do that! Also very surprised that so many people do not know what multilevel authentication was? Maybe it was the way the question was asked. I would like to know more about why they felt antivirus software was not as important as so many of us feel it is.
jagibbons | User Rank: Ninja | 7/27/2015 | 12:56:11 PM
Results
This is interesting information, but agree that it isn't terribly useful without details supporting the premise that the experts are safer because of these practices.