Via Schneier, a new paper by researchers at Google discusses the differences between the ways security experts and non-experts approach online security. Not surprisingly, experts have better habits.
When asked about the security practices that most matter to them, experts talked about multi-factor authentication, password safes, and getting the latest software patches, while non-experts worried about anti-virus software and changing passwords frequently:
The most common things-you-do responses from each group varied, with only one practice, using strong passwords, in common within each group’s top 5 responses. While most experts said they install software updates (35%), use unique passwords (25%), use two-factor authentication (20%), use strong passwords (19%), and use a password manager (12%), nonexperts mentioned using antivirus software (42%), using strong passwords (31%), changing passwords frequently (21%), visiting only known websites (21%), and not sharing personal information (17%).
The security practices mentioned by experts are consistent with experts’ rating of different pieces of advice, when we asked them to rank how good these are on a 5-point Likert scale. ...[M]ost experts considered installing OS (65%) and application (55%) updates, using unique (49%) and strong (48%) passwords, using a password manager (48%), and using two-factor authentication (47%) very good advice (the highest Likert-scale rating). Other advice that was not frequently mentioned by experts in the top three things they do, but ranked high in this multiple choice question of the advice they’d consider good, included turning on automatic updates (72%), being suspicious of links (60%), not entering passwords on links in emails (60%), and not opening email attachments from unknown people (55%).
Generally, non-experts favor convenience over security—which is consistent with human behavior in just about every situation in life. Just look at cash, for example: it's demonstrably the least-secure way of transmitting wealth generally available, but people still use it frequently because it's a lot more convenient (and—no small irony—private) than using more-secure methods like credit cards.
The authors suggest that making good security more convenient may be the answer. But until average users get burned enough, they'll still use the same dictionary-word password for OKCupid that they use for their bank's website, just as they'll still hand their credit card to the waiter rather than demanding table-side chip-and-pin readers like Europeans use. Defense in depth? Maybe later.