‘Confusing, misleading or just plain wrong’: Researchers explain why cybersecurity is needlessly complex

RALEIGH, N.C. — If you’ve ever felt overwhelmed by all of the cybersecurity rules, verbiage, and instructions you should be keeping up with, you’re not alone. Countless people don’t understand the guidelines they receive at work to keep their computers and data safe. Luckily, researchers from North Carolina State University are calling attention to a key problem with how these instructions are created, and outlining a series of simple steps that could improve upon current cybersecurity practices – and help keep your computer safer too.

Specifically, this project focused on the computer security guidelines that organizations like businesses and government agencies provide to their employees. These guidelines are generally designed and intended to help employees protect their personal and employer data, as well as minimize risks associated with threats like malware and phishing scams.

“As a computer security researcher, I’ve noticed that some of the computer security advice I read online is confusing, misleading or just plain wrong,” says Brad Reaves, corresponding author of the new study and an assistant professor of computer science at NC State, in a university release. “In some cases, I don’t know where the advice is coming from or what it’s based on. That was the impetus for this research. Who’s writing these guidelines? What are they basing their advice on? What’s their process? Is there any way we could do better?”


To research this topic, the team conducted 21 in-depth interviews with professionals responsible for writing the computer security guidelines used by organizations including large corporations, universities, and government agencies.

“The key takeaway here is that the people writing these guidelines try to give as much information as possible,” Prof. Reaves adds. “That’s great, in theory. But the writers don’t prioritize the advice that’s most important. Or, more specifically, they don’t deprioritize the points that are significantly less important. And because there is so much security advice to include, the guidelines can be overwhelming – and the most important points get lost in the shuffle.”

Researchers report one prevalent reason security guidelines tend to be so overwhelming is that the writers often incorporate every possible item from a wide assortment of authoritative sources.

“In other words, the guideline writers are compiling security information, rather than curating security information for their readers,” Prof. Reaves explains.

Drawing on what they learned from their interviews, study authors developed two recommendations for improving future security guidelines:

  • To start, guideline writers need a clear set of best practices on how to curate information so that security guidelines will inform users on what they need to know and how best to prioritize that information.
  • Secondly, writers, as well as the computer security community as a whole, need “key messages” that will make sense to all audiences, regardless of technical competence level.

“Look, computer security is complicated,” Reaves says. “But medicine is even more complicated. Yet during the pandemic, public health experts were able to give the public fairly simple, concise guidelines on how to reduce our risk of contracting COVID. We need to be able to do the same thing for computer security.”

In conclusion, researchers say that security advice writers need help.

“We need research, guidelines and communities of practice that can support these writers, because they play a key role in turning computer security discoveries into practical advice for real world application,” Prof. Reaves concludes.

“I also want to stress that when there’s a computer security incident, we shouldn’t blame an employee because they didn’t comply with one of a thousand security rules we expected them to follow. We need to do a better job of creating guidelines that are easy to understand and implement.”

Researchers presented their findings at the USENIX Symposium on Usable Privacy and Security in Anaheim, California.


About the Author

John Anderer

Born blue in the face, John has been writing professionally for over a decade and covering the latest scientific research for StudyFinds since 2019. His work has been featured by Business Insider, Eat This Not That!, MSN, Ladders, and Yahoo!

Studies and abstracts can be confusing and awkwardly worded. He prides himself on making such content easy to read, understand, and apply to one’s everyday life.


Comments

  1. What planet do these people live on?
    “… public health experts were able to give the public fairly simple, concise guidelines … ”
    Yes, and the advice was worthless and mainly completely 100% wrong, just like the security nonsense.
    Working at the bank, I had to have 4 passwords for different applications. These were not aligned for timing, had to be changed every 30, 45, 60 days, had to be complex and simple passwords were rejected, could not ever re-use passwords, and according to rules could not be written down and stuck next to the screen or anywhere else.
    Telling security they were full of crap and made the system less secure and more vulnerable resulted in complaints to management and being told (like the medical) that they were the experts and to just comply.

    1. Another Republican Trump bootlicker trying to stupefy readers.
      Almost all of the information that came out during the pandemic was fine.
      The issue was implementing policies that were compromised over issues like how complicated it would make life for not so smart people, or the fact that there was limited protection gear and they wanted health care workers to be safe.
      Can’t fulfil the requirements of your job – find a new one.
