Replication: “No one can hack my mind” - 10 years later: An update and outlook on experts’ and non-experts’ security practices and advice

Anna-Marie Ortloff, University of Bonn; Jenny Tang, Carnegie Mellon University; Arthi Arumugam, Daniel Huschina, Lisa Geierhaas, and Florin Martius, University of Bonn; Luisa Jansen, University of Bern; Kolja von der Twer and Lilly Jungbluth, University of Bonn; Matthew Smith, University of Bonn and Fraunhofer FKIE

In 2015, Ion, Reeder, and Consolvo studied IT security advice and self-reported security behavior of experts and non-experts. In 2019, Busse et al. replicated this study and found only minor changes in expert advice and non-expert behavior, with persisting differences between the two groups. Now, 10 years later, we replicated the study with an updated survey and compared our results to both prior studies. Additionally, we interviewed security experts and asked them for their views on the past and future of IT security advice. We report the current state of security behavior and advice based on two survey samples, one non-expert (N=990) and one expert (N=75), and an additional expert interview sample (N=35). We identified notable changes in reported security behavior for both experts and non-experts, including that experts and non-experts are beginning to adopt new security practices in authentication. The expert interviews show a path forward, with experts hoping for more improvements to usability and targeted advice for specific user and device contexts.

BibTeX
@inproceedings {308895,
author = {Anna-Marie Ortloff and Jenny Tang and Arthi Arumugam and Daniel Huschina and Lisa Geierhaas and Florin Martius and Luisa Jansen and Kolja von der Twer and Lilly Jungbluth and Matthew Smith},
title = {Replication: {{\textquotedblleft}No} one can hack my {mind{\textquotedblright}} - 10 years later: An update and outlook on {experts{\textquoteright}} and {non-experts{\textquoteright}} security practices and advice},
booktitle = {Twenty-First Symposium on Usable Privacy and Security (SOUPS 2025)},
year = {2025},
isbn = {978-1-939133-51-9},
address = {Seattle, WA},
pages = {435--454},
url = {https://www.usenix.org/conference/soups2025/presentation/ortloff},
publisher = {USENIX Association},
month = aug
}
