Cybersecurity Instructions: A Call for Clarity and Simplicity
In a recent study examining cybersecurity instructions provided to employees, researchers have found that these guidelines often leave workers confused and overwhelmed. The study, conducted by experts in computer security, recommends simple measures to improve the clarity and effectiveness of these manuals.
The concern centers on the cybersecurity protocols that institutions, from businesses to government agencies, distribute to protect personal and corporate data. These protocols aim to give employees the knowledge and skills needed to defend against threats such as malicious programs and social engineering attacks.
Brad Reeves, the corresponding author of the study and assistant professor of computer sciences at the University of North Carolina, expressed his perplexity, stating, “In some cases, I don’t even know where the advice comes from or what it is based on. Who writes these guidelines? What are they based on in their advice?”
The study involved in-depth interviews with 21 professionals responsible for crafting cybersecurity instructions for large corporations, universities, and government entities. One key finding was that while the authors aimed to provide comprehensive information, the essential points often became lost in the overload of information.
One reason for the overwhelming nature of these instructions is the authors’ attempt to incorporate all possible recommendations from various authoritative sources, rather than selecting the most relevant ones. The researchers propose two key improvements based on their findings. Firstly, authors need a set of best practices for selecting essential information. Secondly, the cybersecurity community must develop key messages that are easily understandable to individuals with varying levels of technical expertise.
“We need to create guidelines that are easy to understand and apply,” Reeves says. He also highlights the importance of supporting the authors of these recommendations, as they play a critical role in translating cybersecurity research into practical tips.
Furthermore, Reeves emphasizes that in the event of a security incident, blame should not be placed solely on employees for failing to follow one of the countless safety rules. Instead, greater focus should be placed on improving the clarity and accessibility of the