Iulia Ion, Rob Reeder, and Sunny Consolvo craft the best summary of a thirty-page research paper I have seen in: New research: Comparing how security experts and non-experts stay safe online.
The paper reported the results of a survey of experts and non-experts to discover their online security practices. The gist of the paper was summarized as follows:
Experts’ and non-experts’ top 5 security practices
Here are experts’ and non-experts’ top security practices, according to our study. We asked each participant to list 3 practices:
The full paper is quite good and worth your time to read.
If the behavior of experts influences your software security policies, consider the difference in software updates versus antivirus software:
35% of experts and only 2% of non-experts said that installing software updates was one of their top security practices. Experts recognize the benefits of updates—“Patch, patch, patch,” said one expert—while non-experts not only aren’t clear on them, but are concerned about the potential risks of software updates. A non-expert told us: “I don’t know if updating software is always safe. What [if] you download malicious software?” and “Automatic software updates are not safe in my opinion, since it can be abused to update malicious content.”
Meanwhile, 42% of non-experts vs. only 7% of experts said that running antivirus software was one of the top three things they do to stay safe online. Experts acknowledged the benefits of antivirus software, but expressed concern that it might give users a false sense of security since it’s not a bulletproof solution.
I would summarize that difference as choosing between repairing broken software and adding more broken software to your IT stack.
Which one is a higher priority for you?