Security experts and users follow a drastically different set of best practices to protect their security online, according to a new report from Google.
The company, which surveyed 231 security experts and 294 web users, found that the experts—defined as working five or more years in computer security—placed software updates, unique passwords and two-factor authentication atop their list of online security best practices.
Users, however, prioritized their top security measures differently: They listed antivirus software, strong passwords and frequent password changes. Users also admitted to delaying the installation of software updates and expressed a lack of trust in password managers.
“To improve security advice, our community must find out what practices people use and what recommendations, if messaged well, are likely to bring the highest benefit while being realistic to ask of people,” the report said. “The experts’ practices are rated as good advice by experts, while those employed by non-experts received mixed ratings."
Here’s a look at where security experts and users differed the most.
Average users don’t prioritize software updates
Installing software updates was the security practice that differed the most between security experts and users, according to the report. Thirty-five percent of experts mentioned it as a top security tactic, compared to just 2 percent of non-experts. This was the No. 1 security action the surveyed experts took, while it didn’t crack the top five for average users.
Users’ behavior toward software updates mirrored their attitudes toward them as well: While 39 percent of experts reported automatically installing security updates, 29 percent reported doing the same. Less than half of the users surveyed considered advice to update applications very effective, yet two-thirds said they were very likely to follow it.
[ ALSO ON CSO: 9 reasons why users still struggle with online security ]
“Our results suggest that one reason some non-experts don’t install updates might be the lack of awareness on how effective updates are,” the report said. It cited examples from respondents who worried that updates could be abused to spread malicious content and the possibility that they contained bugs. Other respondents called the process of updating software “cumbersome.”
Average users trust antivirus software the most
While average users don’t prioritize software updates, they do value antivirus software, which they ranked No.1. Forty-two percent listed running antivirus software on their personal computers, and 90 percent said they considered it either very effective or effective. Meanwhile, antivirus software made the list on just 7 percent of experts’ top priorities.
“The high adoption of antivirus software among non-experts and their high willingness to follow this advice might be due to the good usability of the install-once type of solution that antivirus software offers,”the report said.
Firewalls also ranked high among users, which 17 percent mentioned in their top-three security actions, often in conjunction with antivirus software. Just 3 percent of experts prioritized firewalls as high. Experts cautioned against antivirus software and firewalls, calling them “simple, but less effective than installing updates,”and “less sophisticated.”
Users value strong passwords, but rarely use password managers
Though both groups listed using strong passwords in their top security priorities (experts: 18 percent; users: 30 percent), they differed on other password specifics. Experts, for example, prioritized unique passwords over users (25 percent vs. 15 percent), while users spoke more often of changing passwords frequently than experts did (21 percent vs. 2 percent).
Despite their attention to password specifics, users placed very little value in password managers, the report found. Meanwhile, four-times more experts said it is one of the most important things they do to stay safe online.
“While more experts said they use a password manager to keep track of their passwords, more non-experts said they write down passwords, remember or reuse them,” the report said. “The low adoption rate of password managers among non-experts might stem from a lack of understanding of its security benefits.”
The disconnect between the groups’ views of password managers was reinforced when users were asked to rate the tools’ effectiveness: Just 32 percent rated them as very effective or effective, while only 40 percent said they would follow advice to use them. Average users called password managers “complicated for non-technical users.”
While password managers ranked low among average users, they rated the use of two-factor authentication considerably higher, both in terms of effectiveness (83 percent) and likelihood of following advice (74 percent). Experts, however, expressed concerns that two-factor authentication is still too difficult for many users and is not widely enough available.
Users only visit known websites
Average users care about a website’s familiarity and reputation more than experts do, though they don’t always heed their own advice, the report found. Users ranked visiting only known websites fourth to using antivirus software, strong passwords and changing passwords frequently, at 21 percent compared to just 4 percent of experts, according to the report.
Experts polled by Google pointed out problems with this advice: “Visiting only known websites is great, but paralyzing,” one respondent commented, while another said, “Visiting websites you’ve heard of makes no difference in a modern web full of ads and cross-site requests.”
While this tactic ranked high on average users’ lists, not all of them adhere to it: Just 7 percent said they do not visit unknown websites, while 19 percent said they rarely do. “This finding might suggest that ‘Visit only known websites' is not always practical,” the report said.