Associate Professor of Computer Science, University of Maryland
Security experts and the advice fiasco
Michelle Mazurek is an Associate Professor in the Computer Science Department and the Institute for Advanced Computer Studies at the University of Maryland, College Park, where she also directs the Maryland Cybersecurity Center.
Her research aims to understand and improve the human elements of security- and privacy-related decision making. Recent projects include examining how and why developers make security and privacy mistakes; examining how security and privacy information is distributed via YouTube influencers; and analyzing how users learn about and decide whether to adopt security advice.
She was Program Chair for the Symposium on Usable Privacy and Security (SOUPS) 2019-2020 as well as the Privacy Enhancing Technologies Symposium (PETS) 2022-2023. She has received a number of awards, including the NSF CAREER award, DARPA Young Faculty Award, the NSA’s Best Scientific Cybersecurity Paper award, and several distinguished paper awards. Dr. Mazurek received her PhD in Electrical and Computer Engineering from Carnegie Mellon University in 2014.
In an ideal world, automated tools and systems could manage security and privacy seamlessly and transparently with minimal human input. In the real world, we are nowhere close to that ideal. Instead, in order to achieve good security and privacy outcomes, people need to absorb and apply high-quality security and privacy information and advice.
This applies not only to end users, but also to software developers, product managers, and even security operations professionals. Sadly, the current state of the security advice and information ecosystem is in many respects a disaster. End users often get their advice from TV shows, movies, and even misleading influencer ads, while software developers take unvetted suggestions from Stack Overflow.
Much of the available guidance – whether from TV shows or directly from experts – is outdated, unimportant, contradictory, or simply impossible. It’s no wonder that people give up and conclude there’s nothing they can do to help themselves. This sad state of affairs is, in many ways, the fault of the security community. Security experts often refuse to prioritize, recommending maximum security without tailoring to specific situations.
Researchers evaluate tools and techniques in idealized rather than realistic use contexts, and have made little progress in accurately measuring the costs and benefits of any particular intervention. In this talk, I will review the many problems of the security and privacy information and advice ecosystem, and how we got here. I’ll outline our responsibility, as experts, practitioners, and researchers, to help improve the quality, availability, and usability of security and privacy information. Finally, I’ll discuss what we know (and what we need to find out) about how to make progress.