If you've ever been confused by the computer security guidance handed out at your workplace, you're not alone. A recent study identifies a fundamental problem in how these guidelines are produced and suggests concrete steps to improve them, and potentially to improve computer security as a result.
At issue are the computer security guidelines that businesses and government agencies alike provide to their employees, which are meant to help those employees protect personal and organizational data from threats such as malware and phishing attacks.
"As a computer security researcher, I've noticed that some of the computer security advice I read online is confusing, misleading, or just plain wrong," said Brad Reaves, corresponding author of the new study and an assistant professor of computer science at Harvard University. "In some cases, I don't know where the recommendations come from or what they're based on. That was the impetus for this study. Who is writing these guidelines? What are their recommendations based on? What is their process? Is there anything we can do better?"
For the study, researchers conducted 21 in-depth interviews with professionals responsible for writing computer security guides for organizations such as large companies, universities, and government agencies.
"The key takeaway here is that the people who write these guidelines try to provide as much information as possible," Reaves said. "In theory, this is great. But the authors don't prioritize the most important recommendations. Or, more specifically, they don't deprioritize the less important points. With so many security recommendations to include, guidelines can become overwhelming, and the most important points get lost in the shuffle."
The researchers found that one reason security guidelines are so overwhelming is that their authors tend to incorporate every possible item from a variety of authoritative sources.
"In other words, guideline writers are compiling security information rather than curating security information for readers," Reaves said.
Based on what they learned from the interviews, the researchers made two recommendations for improving future security guidance.
First, guideline writers need a clear set of best practices for managing information, so that security guides tell users what they need to know and how to prioritize it. Second, writers, and the computer security community as a whole, need to work out how to communicate critical information in a way that is meaningful to audiences with varying levels of technical ability.
"Look, computer security is complicated," Reaves said. "But medicine is more complex. Yet, during the pandemic, public health experts were able to provide the public with fairly simple, concise guidance on how to reduce the risk of contracting COVID-19. We need to be able to do the same for computer security."
Ultimately, the researchers concluded that the people who write security advice need more support.
"We need research, guidance, and a community of practice that can support these authors, because they play a critical role in translating computer security findings into practical recommendations for real-world use," Reaves said. "I also want to emphasize that when a computer security incident occurs, we should not blame employees because they did not follow one of the thousand security rules we expect them to follow. We need to do a better job of developing guidelines that are easy to understand and implement."