Brad Reaves

Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice

Authors: Lorenzo Neil, Harshini Sri Ramulu, Yasemin Acar and Bradley Reaves.

Venue: Proceedings of the Symposium on Usable Privacy and Security

Abstract

Users have a wealth of available security advice — far too much, according to prior work. Experts and users alike struggle to prioritize and practice advised behaviours, negating both the advice’s purpose and potentially their security. While the problem is clear, no rigorous studies have established the root causes of overproduction, lack of prioritization, or other problems with security advice. Without understanding the causes, we cannot hope to remedy their effects.

In this paper, we investigate the processes that authors follow to develop published security advice. In a semi-structured interview study with 21 advice writers, we asked about the authors’ backgrounds, advice creation processes in their organizations, the parties involved, and how they decide to review, update, or publish new content. Among the 17 themes we identified from our interviews, we learned that authors seek to cover as much content as possible, leverage multiple diverse external sources for content, typically only review or update content after major security events, and make few if any conscious attempts to deprioritize or curate less essential content. We recommend that researchers develop methods for curating security advice and guidance on messaging for technically diverse user bases, and that authors then judiciously identify key messaging ideas and schedule periodic proactive content reviews. If implemented, these actionable recommendations would help authors and users both reduce the burden of advice overproduction while improving compliance with secure computing practices.

Bibtex

@inproceedings{nrar23,
  title     = {Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice},
  author    = {Neil, Lorenzo and Ramulu, Harshini Sri and Acar, Yasemin and Reaves, Bradley},
  booktitle = {Proceedings of the Symposium on Usable Privacy and Security},
  publisher = {USENIX Association},
  location  = {Anaheim, CA},
  date      = {2023-08-08},
  pages     = {283--299},
  abstract  = {Users have a wealth of available security advice --- far too much, according to prior work. Experts and users alike struggle to prioritize and practice advised behaviours, negating both the advice's purpose and potentially their security. While the problem is clear, no rigorous studies have established the root causes of overproduction, lack of prioritization, or other problems with security advice. Without understanding the causes, we cannot hope to remedy their effects.

In this paper, we investigate the processes that authors follow to develop published security advice. In a semi-structured interview study with 21 advice writers, we asked about the authors' backgrounds, advice creation processes in their organizations, the parties involved, and how they decide to review, update, or publish new content. Among the 17 themes we identified from our interviews, we learned that authors seek to cover as much content as possible, leverage multiple diverse external sources for content, typically only review or update content after major security events, and make few if any conscious attempts to deprioritize or curate less essential content. We recommend that researchers develop methods for curating security advice and guidance on messaging for technically diverse user bases and that authors then judiciously identify key messaging ideas and schedule periodic proactive content reviews. If implemented, these actionable recommendations would help authors and users both reduce the burden of advice overproduction while improving compliance with secure computing practices.}
}