Prioritizing computer security controls for home users

Hundreds of thousands of home users are victimized by cyber-attacks every year. Most experts agree that average home users are not doing enough to protect their computers and their information from cyber-attacks. Improperly managed home computers can lead to individuals losing data, systems performing slowly, loss of identity, and ransom payments; en masse attacks can act in concert to infect personal computers in business and government. Currently, home users receive conflicting guidance for a complicated terrain, often in the form of anecdotal 'Top 10' lists, that is not appropriate for their specific needs, and in many instances, users ignore all guidance. Often, these popular ‘Top 10’ lists appear to be based solely on opinion. Ultimately, we asked ourselves the following: how can we provide home users with better guidance for determining and applying appropriate security controls that meet their needs and can be verified by the cyber security community? In this paper, we propose a methodology for determining and prioritizing the most appropriate security controls for home computing. Using Multi Criteria Decision Making (MCDM) and subject matter expertise, we identify, analyze and prioritize security controls used by government and industry to determine which controls can substantively improve home computing security. We apply our methodology using examples to demonstrate its benefits.