Replication: No One Can Hack My Mind Revisiting a Study on Expert and Non-Expert Security Practices and Advice


Karoline Busse and Julia Schäfer, University of Bonn; Matthew Smith, University of Bonn/Fraunhofer FKIE


A 2015 study by Iulia Ion, Rob Reeder, and Sunny Consolvo examined the self-reported security behavior of security experts and non-experts. They also analyzed what kind of security advice experts gave to non-experts and how realistic and effective they think typical advice is.

Now, roughly four years later, we aimed to replicate and extend this study with a similar set of non-experts and a different set of experts. For the non-experts, we recruited 288 MTurk participants, just as Ion et al. did. We also recruited 75 mostly European security experts, in contrast to the mostly US sample from Ion et al. Our findings show that despite the different samples and the four years that have passed, the most common pieces of expert advice are mostly unchanged, with one notable exception. In addition, we did see a fair amount of fluctuation in the long tail of advice. Non-expert self-reported behavior, however, is unchanged, meaning that the gap between experts and non-experts seen in Ion et al.'s work is still just as prominent in our study. To extend the work, we also conducted an A/B study to get a better understanding of one of the key questions concerning experts' recommendations, and we identified types of advice where research by the usable security community is most sorely needed.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {238313,
author = {Karoline Busse and Julia Sch{\"a}fer and Matthew Smith},
title = {Replication: No One Can Hack My Mind Revisiting a Study on Expert and {Non-Expert} Security Practices and Advice},
booktitle = {Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019)},
year = {2019},
isbn = {978-1-939133-05-2},
address = {Santa Clara, CA},
pages = {117--136},
url = {},
publisher = {USENIX Association},
month = aug,

Presentation Video