Brilliant. Measuring how well typical users understand/implement security measures has long been overdue.
Personally, I find Figure 2 (on Page 5) of the paper most interesting: it shows the difference between expert and non-expert mentioning certain practices -- which to me seems roughly equal to how under-/overappreciated that practice is.
The top contenders for underrated (i.e. used more frequently by experts compared to non-experts) are: System updates, 2-factor-auth, password managers, unique passwords and checking for https. Most overrated: antivirus, password changes, only visiting known sites and using strong passwords.
As a security community, we appear to have gotten the point across when it comes to antivirus and strong passwords. Anyone giving general advice should consider this and emphasize the "underrated" measures.